Perspectives
AI Regulation: Where Are We Now?
Last year, Bond published a two‑part series on artificial intelligence (AI) regulation, exploring how emerging laws were shaping the loyalty industry and outlining best practices for navigating them. At the time, the regulatory landscape was a patchwork of approaches—from the EU’s sweeping AI Act to the lighter, sector‑specific guidance favored in the US and UK—creating both clarity and complexity for loyalty players.
Eighteen months later, the pace of change has not slowed. Since our last update, some jurisdictions have moved decisively toward enforcement, others have shifted to a market‑driven approach, and political changes have upended earlier plans. This post revisits the key regions we covered before, highlights significant developments since our last analysis, and offers perspective on what these changes mean for loyalty programs today.
What Has Changed Region by Region?
EU: The passage of the EU’s Artificial Intelligence Act (EU AI Act) may be the high-water mark for AI regulation to date. Following the passage of the EU AI Act, the EU finalized a voluntary code of practice which aims to provide certainty on how to comply. Some companies, including Meta, have declined to sign the code of practice, believing it to stifle innovation. The EU has committed to not delay in the implementation of the act, despite earlier reports to the contrary. In summary, industry dissent and possible delays have slowed the initial momentum of the act.
United States of America: The EU’s road to implementation is played against the backdrop of the United States of America, pursuing a free-market approach to AI regulation. In January 2025, the Biden administration’s executive orders on AI (reported on in our previous blog) were revoked to develop an action plan with the objective “… to promote human flourishing, economic competitiveness, and national security.” A subsequent Presidential Executive Order as of July 2025 aimed to prevent “woke AI” in federal agencies.
Canada: Newly elected Prime Minister Mark Carney appointed Canada’s first ever Minister of Artificial Intelligence and Digital Innovation, Evan Solomon, in April 2025. It is unknown if Minister Solomon will re-introduce Canada’s AI Act, the proposed Artificial Intelligence and Data Act (AIDA), or a variation of AIDA, as AIDA died at the bill stage in January 2025. Canada’s reform of its privacy act also died at bill which would have modernized Canada’s approach to privacy and regulated AI directly and indirectly, even without AIDA being passed.
United Kingdom: The Artificial Intelligence (Regulation) Bill [HL] (2025) was reintroduced into the House of Commons in March 2025. The act aims to create an AI Authority to regulate the use of AI. The bill was a private members bill which would have meant a slower passage than a government sponsored one. In the interim, the UK government has been delayed by a year on any AI law as the UK government wishes to align its AI compliance with the US’ approach.
Where Are We Now?
Some may describe AI regulation as having swung from a compliance-based to free-market-based approach in 2025. Privacy law practitioners would reiterate that AI regulations are built upon the foundations of privacy law. With that in mind, even as the approaches to AI are changing, there are several things to keep in mind:1.
Continue to follow privacy law fundamentals when using AI.
Non-exhaustive questions to continue asking:
Does the data collector (aka the loyalty program) have consent?
Is the loyalty program using personal information consistent with the purposes for which consent was obtained?
Are sufficient safeguards in play to protect the privacy of those for whom you obtained consent?
Who is the loyalty program sharing information with, and do they have the same safeguards?
2. Human intervention is required. An industry built on building stronger bonds with its members would innately understand the human factor. Ensure a pair of human eyes and human judgement is involved in any AI generated product
3. Understand your consumer is as powerful as the government. A “private right of action” is a legal concept in which private citizens can sue companies for violations of laws rather than the government enforcing those laws. Many privacy statutes now allow for a private right of action for privacy breaches. As governments move to a more market-based approach to AI regulation, the consumer, aided by class action lawyers, may use privacy laws to enforce their rights under privacy law. However, the absence of AI regulation per se does not mean a wild west approach. It points more to understanding and repeating privacy law fundamentals.