I’ve argued that today’s AI panic feels eerily similar to the early days of the commercial internet — overflowing with potential, anxiety and major policy blind spots. And now we’re replaying that script. In late 2025, President Trump issued an executive order intended to stop U.S. states from passing their own AI regulations, instructing federal agencies to push back on state rules in favor of some future, unified national standard. But here’s the problem: no such federal statute exists yet. An executive order is not a law passed by Congress. It can steer agency behavior, but it cannot override state statutes. So even with this show of federal action, AI governance is still fragmented, and states remain free to forge ahead. If that sounds familiar, it should. This is almost exactly how email marketing law evolved 20 years ago: a messy state-by-state landscape, followed by slow, incomplete federal intervention. The key difference is that email ultimately got CAN-SPAM and a single national framework. Privacy never did. That’s why privacy compliance today — and AI compliance in the near future — can’t sit around waiting for federal certainty. The most prudent strategy is to build compliance programs on the assumption that a patchwork of rules will persist. CAN-SPAM and the emergence of federal email rules Before 2003, email marketing lived in a murky legal environment. States such as California, Washington and Virginia enacted their own anti-spam statutes, each with unique obligations and enforcement mechanisms. National email marketers had to contend with an increasingly complex mosaic of state laws. Industry lobbying eventually produced the CAN-SPAM Act of 2003, which created a uniform federal baseline for commercial email — and, crucially,…