AI Laws in Virginia (VA)

What HB 2094 requires

Virginia has enacted HB 2094 — High-Risk AI Developer and Deployer Act (vetoed 2025-03-24). HB 2094 would have required high-risk AI developers to implement safeguards against algorithmic discrimination. Governor Youngkin vetoed the bill on March 24, 2025; no dedicated AI law currently in effect. This page explains what the law requires in plain language, who is in scope, the penalty for non-compliance, and what your business needs to do before the N/A (vetoed) deadline.

Who is in scope

The law covers developers who build AI systems classified as high-risk — typically systems that influence consequential decisions in credit, employment, healthcare, education, housing, or government services — and the companies that deploy them, and any operator deploying AI systems that interact with consumers, influence decision-making, or could produce discriminatory outcomes in housing, credit, employment, or public accommodations. Company size does not determine whether you are in scope — a startup with ten employees using an off-the-shelf AI hiring tool has the same disclosure obligations as an enterprise running a custom-built model. What matters is whether the AI system makes or substantially informs a decision that affects a Virginia resident in a consequential way. Notably, the obligation extends to vendors: if your company deploys an AI tool built by a third party, you — as the deployer — are responsible for ensuring it meets Virginia's requirements, even if you did not build it.

Key compliance requirements

Virginia's risk-assessment framework requires that developers and deployers of high-impact AI systems conduct formal impact assessments before deployment and re-evaluate them when the system changes materially. An impact assessment must document the intended purpose of the system, the data it uses, the populations it affects, known accuracy limitations, and what bias-testing was performed. Deployers must also publish a summary of the assessment that is accessible to consumers and regulators — internal documentation alone is insufficient. Critically, the assessment is not a one-time exercise: Virginia's law contemplates ongoing monitoring, with a duty to update documentation when performance data or demographic outputs shift.

Virginia's law specifically targets AI systems designed to manipulate human behavior or produce discriminatory outcomes. A system is considered manipulative if it exploits psychological biases, creates false urgency, or targets vulnerable populations in ways that undermine informed consent. The anti-discrimination provisions extend existing civil-rights frameworks into AI: companies cannot deploy AI that produces disparate outcomes in protected categories even if no discriminatory intent existed. This requires testing AI outputs across demographic groups before deployment and building ongoing monitoring into the operational pipeline.

Penalties for non-compliance

The financial consequences of non-compliance under HB 2094 are real and enforceable now. Virginia sets a maximum civil penalty of N/A (vetoed). Penalties accumulate per violation — meaning a company that has deployed an AI tool to thousands of consumers without required disclosures faces compounding exposure, not a single capped fine. Consumer AI violations in Virginia may also attract federal coordination: the FTC's Operation AI Comply sweep (September 2024) demonstrated that state and federal enforcers share intelligence on companies with widespread AI disclosure failures.

What to do now

Build your AI inventory first. You cannot comply with Virginia's requirements if you do not know which systems are in scope. Map every AI or automated decision system your company uses that touches Virginia residents — including third-party vendor tools integrated into your product.

Draft accurate disclosure language. Work with legal counsel to produce disclosure statements that accurately describe what your AI does, what data it uses, and what the consumer can do if they want human review. Vague or boilerplate disclosures will not satisfy Virginia's requirements.

Build the opt-out pathway. Implement a functioning process for consumers to request human review or opt out of AI-assisted processing. Test it before the deadline — regulators will look for live, working mechanisms, not documented promises.

Complete impact assessments for high-risk systems. Follow the framework in HB 2094 to produce a written assessment covering intended use, training data, affected populations, accuracy benchmarks, and bias mitigation. Retain the documentation for at least the period specified in the law's record-keeping provisions.

Assign a compliance owner. Designate someone — legal counsel, a privacy officer, or a dedicated AI governance lead — to track regulatory developments, own the audit documentation, and respond if an enforcement inquiry arrives. The compliance deadline is N/A (vetoed). Don't wait until the deadline to start.

Virginia AI law in the broader regulatory landscape

Virginia's law does not exist in isolation. The trend across the United States is toward more regulation, not less: at least 20 states enacted or proposed AI-specific legislation in 2025 alone, and federal enforcement agencies — the FTC, EEOC, CFPB, and HHS — have all issued guidance making clear that existing laws apply to AI systems even where no AI-specific statute exists. Companies doing business across state lines must track each state's requirements independently — there is no federal preemption that would allow a company to satisfy Virginia's law and automatically comply with requirements in Illinois, Colorado, or New York.

The EU AI Act applies to any company serving EU customers, even if you're based in Virginia. Penalties reach €35M or 7% of global revenue. Deadline: August 2, 2026.