6 state comprehensive laws active · Colorado AI Act binding 1 Feb 2026 · 12+ more states 2026

One privacy architecture for the US state patchwork.

Six state comprehensive privacy laws are active. Twelve more states are passing or amending laws in their 2026 sessions. Colorado has just opened the AI-decision regulation front. The federal sectoral baseline — HIPAA, COPPA, GLBA, FCRA — is layered on top. zkRune is the cryptographic primitive set that lets you satisfy all of them with one architecture: prove what is required, retain what is not.

Building AI agents under the Colorado AI Act? Proof of Agent covers the agent-attestation layer. For age-specific obligations (TX HB 1181, LA HB 142, UT, MS, VA), age-gating is the right entry point.

The opportunity

The US is not converging on a federal privacy law. It is fragmenting state-by-state — and every state regulator wants proof you complied.

The standard pattern is to maintain a state-by-state decision tree of what data to collect and when. That pattern ages poorly: each new state law adds a column to the matrix, each amendment moves the cells, and every retained dataset is a future enforcement exposure for an attorney general or the FTC. zkRune replaces the matrix with one cryptographic architecture that proves the requirement was met without retaining what the requirement was about.

What US regulators want to see
  • Data-minimisation evidence (every comprehensive state law)
  • Sensitive-data consent records (TDPSA, CPA, VCDPA, CTDPA)
  • Impact assessments for high-risk AI (Colorado AI Act)
  • Verifiable parental consent (COPPA)
  • Minimum-necessary use of PHI (HIPAA)
  • Permissible-purpose access logs (FCRA)

What zkRune contributes
  • ZK-attested data minimisation (proof, not data)
  • Signed consent commitments without PII attached
  • Cryptographic impact-assessment chains (AI decisions)
  • Verifiable parental authorisation tokens (COPPA)
  • Minimum-necessary as an architectural guarantee
  • Permissible-purpose attestation proofs (FCRA)

We are not a US privacy compliance platform. OneTrust, TrustArc, Osano handle DSAR routing, consent orchestration, and policy management. zkRune is the cryptographic primitive underneath — the bit that turns a compliance assertion into a proof a state regulator or sectoral examiner can independently re-verify.

Who we serve

Three categories with the most acute US privacy exposure right now.

Multi-state SaaS & consumer platforms

Direct-to-consumer SaaS, e-commerce, social platforms, fitness / wellness apps, dating, gaming, streaming, gig-economy marketplaces with users across California, Texas, Colorado, Virginia, Utah, Connecticut

One privacy architecture that satisfies six (and rising) state comprehensive privacy laws simultaneously. The same ZK proof that satisfies California CPRA's data-minimisation expectation also satisfies Colorado CPA and Texas TDPSA. No state-by-state collection-and-storage decision tree to maintain.

AI / ML vendors deploying in the US

AI tooling vendors, model providers, AI-powered SaaS, automated decisioning platforms, RPA vendors, agent platforms (cross-link to Proof of Agent)

The Colorado AI Act becomes binding on 1 February 2026 for high-risk AI systems. New York, Texas, Illinois, and California are advancing parallel AI rules. zkRune handles the consequential-decision logging and impact-assessment evidence path, satisfying the auditability requirement without retaining the personal data the decision was made on.
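As an added illustration of the consequential-decision logging pattern described above, the Go program below is example code written for this page; it is not zkRune's own code or one of its circuits. It keeps a hash-chained log of signed commitments to AI decisions: each entry stores only a salted hash of the pseudonymous subject reference and the model inputs, plus the model version, the outcome and a timestamp, and an auditor re-verifies the whole chain against the signer's public key. The `Opening` and `Entry` structures, their field names and the sample decision values are this example's assumptions; the ZK proof layer the page describes sits above these commitments and is not implemented here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Opening is kept privately by the decision system (or handed to the data subject)
// and is never stored in the chain; it is disclosed only to re-open one commitment.
type Opening struct {
	Nonce     [32]byte // random salt, so low-entropy inputs cannot be guessed from the commitment
	SubjectID string   // pseudonymous reference; the mapping to a person lives elsewhere
	Inputs    string   // canonical serialisation of the features the model saw
}

// Entry is one link of the auditable chain. No personal data appears in it.
type Entry struct {
	PrevHash   [32]byte // hash of the previous entry (all zero for the first)
	Commitment [32]byte // sha256 over the Opening
	ModelID    string   // model version that produced the decision
	Outcome    string   // e.g. "approved", "denied", "escalated-to-human"
	IssuedAt   string   // RFC 3339 timestamp
	Hash       [32]byte // hash over all fields above
	Signature  []byte   // ed25519 signature over Hash
}

// sum hashes the parts with a terminator after each, so field boundaries are unambiguous.
func sum(parts ...[]byte) [32]byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
		h.Write([]byte{0})
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

func commitment(o Opening) [32]byte {
	return sum(o.Nonce[:], []byte(o.SubjectID), []byte(o.Inputs))
}

func entryHash(e Entry) [32]byte {
	return sum(e.PrevHash[:], e.Commitment[:], []byte(e.ModelID), []byte(e.Outcome), []byte(e.IssuedAt))
}

// Chain is held by the decision system; Pub is what an auditor re-verifies against.
type Chain struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	Entries []Entry
}

func NewChain() (*Chain, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Chain{priv: priv, Pub: pub}, nil
}

// Append records one consequential decision and returns the opening to retain separately.
func (c *Chain) Append(subjectID, inputs, modelID, outcome, issuedAt string) (Opening, error) {
	o := Opening{SubjectID: subjectID, Inputs: inputs}
	if _, err := rand.Read(o.Nonce[:]); err != nil {
		return o, err
	}
	e := Entry{Commitment: commitment(o), ModelID: modelID, Outcome: outcome, IssuedAt: issuedAt}
	if n := len(c.Entries); n > 0 {
		e.PrevHash = c.Entries[n-1].Hash
	}
	e.Hash = entryHash(e)
	e.Signature = ed25519.Sign(c.priv, e.Hash[:])
	c.Entries = append(c.Entries, e)
	return o, nil
}

// VerifyChain is the auditor-side check: links, hashes and signatures must all hold, which
// catches any edited or reordered entry and any entry removed from the middle. Dropping the
// newest entries is only detectable if the latest hash was published somewhere else.
func VerifyChain(pub ed25519.PublicKey, entries []Entry) error {
	var prev [32]byte
	for i, e := range entries {
		switch {
		case e.PrevHash != prev:
			return fmt.Errorf("entry %d: broken link to previous entry", i)
		case entryHash(e) != e.Hash:
			return fmt.Errorf("entry %d: contents do not match stored hash", i)
		case !ed25519.Verify(pub, e.Hash[:], e.Signature):
			return fmt.Errorf("entry %d: bad signature", i)
		}
		prev = e.Hash
	}
	return nil
}

// VerifyOpening checks that a disclosed opening is what the chain committed to.
func VerifyOpening(e Entry, o Opening) bool {
	return commitment(o) == e.Commitment
}
```

The opening is retained outside the chain and disclosed only on request; if the nonce were stored next to the commitment, a small feature space (a handful of income bands and tenure values, say) could be enumerated against the hash. The chain alone also cannot show that its newest entries were not quietly dropped, which is why the latest hash needs to be published or anchored somewhere the decision system does not control.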

Sectoral compliance — health · finance · child-facing

HIPAA-regulated providers and business associates, GLBA-regulated financial institutions, COPPA-regulated children's online services, FCRA-regulated credit-reporting bureaus and resellers

Sectoral US regimes have lived with the privacy paradox the longest. ZK-attested compliance turns indefinite retention of sensitive records into compact proofs that an OCR auditor, FTC investigator, or state attorney general can independently re-verify. Especially relevant where states layer additional rules on top (CCPA exemptions for HIPAA scope are narrow and shifting).

State + sectoral map

Eight regimes, one ZK primitive set.

Mapping is informational; sensitive-data definitions, thresholds, and enforcement priorities vary by state and sector. Consult counsel and the relevant attorney general, OCR, FTC, or CFPB guidance before claiming certification.

Regime: California — CPRA (CCPA as amended)
Limit collection to what is reasonably necessary and proportionate; offer purpose-limited data use; honour consumer rights including the right to deletion and the right to limit sensitive PI use. CPPA actively enforcing.
zkRune circuit: age-verification · range-proof · membership-proof
Notes: Verify thresholds (age, residency, eligibility) without ingesting the underlying personal data. Right-to-delete becomes structurally trivial: there is nothing to delete because nothing was collected server-side.

Regime: Colorado — CPA + AI Act (SB 24-205)
Comprehensive privacy law (binding July 2023) and the first US state AI Act (binding 1 February 2026), requiring impact assessments and consumer notification for high-risk AI decisions.
zkRune circuit: hash-preimage · signature-verification · membership-proof
Notes: Cryptographic commitment to each consequential AI decision; the impact assessment becomes a proof an attorney general can re-verify. Cleanly composable with the /enterprise/ai-agents Proof of Agent framework.

Regime: Texas — TDPSA (Data Privacy & Security Act)
Binding 1 July 2024. Applies to any business processing personal data of Texas residents above defined thresholds; includes a sensitive-data consent requirement and a data-minimisation principle.
zkRune circuit: age-verification · credential-proof · range-proof
Notes: Sensitive-data thresholds (health, biometric, precise geolocation) become provable without raw retention. TDPSA's sensitive-data consent record can be a signed Merkle commitment rather than a retained consent log with PII attached.

Regime: Virginia · Connecticut · Utah — VCDPA / CTDPA / UCPA
Comprehensive privacy laws binding in 2023 across three states, with overlapping but non-identical sensitive-data, consent, and DPIA expectations.
zkRune circuit: membership-proof · hash-preimage
Notes: One ZK primitive set, three legal regimes. The DPIA expectations align with the cryptographic-commitment pattern: the assessment exists, the inputs are provable, the outputs are auditable, and none of the underlying data is retained.

Regime: HIPAA (45 CFR Parts 160 + 164)
Covered entities and business associates must implement safeguards for PHI, including minimum-necessary use, accounting of disclosures, and risk analysis. OCR audits are aggressive; breach exposure compounds annually.
zkRune circuit: membership-proof · signature-verification · patience-proof
Notes: Minimum-necessary becomes literal: the verifier sees only the proof of eligibility / qualification / threshold, not the underlying record. Accounting of disclosures becomes a chain of signed proofs rather than a retained query log.

Regime: COPPA (15 USC §§ 6501-06)
Operators of children's online services must obtain verifiable parental consent before collecting personal information from children under 13. FTC actively enforcing; penalties scaled to user counts.
zkRune circuit: age-verification · signature-verification
Notes: Verifiable parental consent via a parent-signed authorisation token plus an age-verification proof that the child is under 13 (or, selectively, that they are over 13 and out of COPPA scope). No DOB collected, no consent ledger holding child PII.

Regime: GLBA (15 USC §§ 6801-09) + Safeguards Rule
Financial institutions must safeguard customer non-public personal information; the FTC's updated Safeguards Rule requires enumerated technical controls and timely breach notification (binding May 2024 amendment).
zkRune circuit: balance-proof · range-proof · signature-verification
Notes: Solvency, eligibility, and risk-threshold proofs that satisfy KYC / underwriting / fraud rules without indefinite NPI retention. The Safeguards Rule's risk-assessment obligation gets a cryptographic chain-of-evidence backbone.

Regime: FCRA (15 USC § 1681 et seq.)
Consumer-reporting agencies and furnishers must ensure maximum-possible accuracy, provide consumer access and dispute rights, and limit permissible-purpose access. CFPB and FTC joint enforcement.
zkRune circuit: credential-proof · range-proof · membership-proof
Notes: Permissible-purpose access becomes a cryptographic attestation: the requestor proved their purpose category (employment, credit, insurance underwriting) without revealing the requesting entity to the consumer report. Accuracy disputes are resolved against signed commitments rather than mutable retained records.
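The Texas row above describes keeping a sensitive-data consent record as a signed Merkle commitment instead of a PII-bearing consent log, and the "signed consent commitments without PII attached" item earlier on the page makes the same point. The Go program below is an added example written for this page, not zkRune code: it hashes pseudonymous consent records into a Merkle tree, signs the root with Ed25519 for a reporting epoch, and produces an inclusion proof that an examiner can check against the signed root while seeing only the one pseudonymous record under dispute. The `ConsentLeaf` fields, the epoch label, the domain-tag values and the constructed sample records are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// ConsentLeaf is the controller's private record of one sensitive-data consent; only its
// hash enters the commitment, and SubjectID is a pseudonym that never carries raw PII.
type ConsentLeaf struct {
	Nonce     [32]byte // per-record salt, so the few plausible category/purpose strings cannot be enumerated from a hash
	SubjectID string
	Category  string // e.g. "precise-geolocation", "health", "biometric"
	Purpose   string
	GrantedAt string // RFC 3339 timestamp
}

func NewLeaf(subjectID, category, purpose, grantedAt string) (ConsentLeaf, error) {
	l := ConsentLeaf{SubjectID: subjectID, Category: category, Purpose: purpose, GrantedAt: grantedAt}
	_, err := rand.Read(l.Nonce[:])
	return l, err
}

// hashTagged prefixes a domain tag and terminates each field, so boundaries are unambiguous.
func hashTagged(tag byte, parts ...[]byte) [32]byte {
	h := sha256.New()
	h.Write([]byte{tag})
	for _, p := range parts {
		h.Write(p)
		h.Write([]byte{0})
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Leaves (tag 0x00) and interior nodes (tag 0x01) hash differently, so no interior node
// can ever be produced as the hash of a consent record.
func LeafHash(l ConsentLeaf) [32]byte {
	return hashTagged(0x00, l.Nonce[:], []byte(l.SubjectID), []byte(l.Category), []byte(l.Purpose), []byte(l.GrantedAt))
}

func nodeHash(left, right [32]byte) [32]byte {
	return hashTagged(0x01, left[:], right[:])
}

// InclusionProof holds the sibling hashes from one leaf up to the root, bottom-up.
type InclusionProof struct {
	Index    int
	Siblings [][32]byte
}

// RootAndProof builds the Merkle root over the leaf hashes and, in the same pass, the
// inclusion proof for the leaf at index. Odd-sized levels duplicate their last node.
func RootAndProof(leaves [][32]byte, index int) ([32]byte, InclusionProof) {
	p := InclusionProof{Index: index}
	if len(leaves) == 0 {
		return [32]byte{}, p
	}
	level := append([][32]byte(nil), leaves...)
	for i := index; len(level) > 1; i /= 2 {
		if len(level)%2 == 1 {
			level = append(level, level[len(level)-1])
		}
		p.Siblings = append(p.Siblings, level[i^1])
		next := make([][32]byte, 0, len(level)/2)
		for j := 0; j < len(level); j += 2 {
			next = append(next, nodeHash(level[j], level[j+1]))
		}
		level = next
	}
	return level[0], p
}

// VerifyInclusion recomputes the path from a disclosed record; the verifier needs only the
// signed root, that one pseudonymous record and the proof, never the other records.
func VerifyInclusion(root [32]byte, l ConsentLeaf, p InclusionProof) bool {
	cur, idx := LeafHash(l), p.Index
	for _, sib := range p.Siblings {
		if idx%2 == 0 {
			cur = nodeHash(cur, sib)
		} else {
			cur = nodeHash(sib, cur)
		}
		idx /= 2
	}
	return cur == root
}

// Binding the reporting epoch into the signed message stops a root being replayed for another period.
func rootMessage(root [32]byte, epoch string) []byte {
	return append([]byte("consent-root\x00"+epoch+"\x00"), root[:]...)
}

func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func SignRoot(priv ed25519.PrivateKey, root [32]byte, epoch string) []byte {
	return ed25519.Sign(priv, rootMessage(root, epoch))
}

func VerifyRoot(pub ed25519.PublicKey, root [32]byte, epoch string, sig []byte) bool {
	return ed25519.Verify(pub, rootMessage(root, epoch), sig)
}
```

The controller publishes or hands over only the signed root per epoch; a dispute about one consent is settled by disclosing that single record (nonce, pseudonym, category, purpose, time) with its sibling path, and the examiner recomputes the root. The per-record nonce matters because the category and purpose vocabularies are tiny, so an unsalted hash could be matched by enumeration; the distinct leaf and node tags close the usual second-preimage trick where an interior node is passed off as a record.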

Readiness

The same primitive set that satisfies the EU regulatory matrix satisfies the US patchwork.

Audited circuits

14 production Groth16 circuits

Same primitive set that satisfies the EU regulatory matrix also satisfies the US state and sectoral patchwork. One audit, many regimes.

Multi-state coverage

6+ state comprehensive laws

CA · CO · CT · TX · UT · VA today, with Oregon, Iowa, Indiana, Tennessee, Montana, New Jersey, Delaware, New Hampshire, Maryland, Minnesota, Kentucky, Rhode Island all in 2025–2026 staggered effective dates.

Proof generation

0.4–5 seconds in-browser

Suitable for high-frequency consumer flows. Critical for state-AG-facing audit: every proof is dated and re-verifiable independently.

Mainnet anchors

Solana · Base · Sui

State attorneys general, OCR, FTC, CFPB investigators can independently re-verify any proof against on-chain keys. No dependency on the regulated entity or zkRune as a vendor for evidence integrity.

Licence

MIT / Apache-2.0

Open source by default. Auditable by your internal security team, state regulators, and sectoral examiners. No vendor lock-in.

Audit

Q3–Q4 2026 (planned)

Third-party security audit scheduled. SOC 2 / ISO 27001 / HITRUST roadmap follows. Honest disclosure of current posture at /trust — including what we have not yet proved.

What zkRune deliberately does not do

The list below is what your existing legal, GRC, and sectoral tooling stack already handles. zkRune slots underneath as the cryptographic-evidence primitive — not as a replacement for counsel, privacy management platforms, or industry-specific systems.

  × State-level legal advisory or compliance consulting (counsel at Davis Wright Tremaine, Hogan Lovells, OneTrust handle that)
  × Privacy management platforms — DSAR routing, consent orchestration, cookie tooling (OneTrust, TrustArc, Osano handle that)
  × Healthcare-grade EHR / EMR systems (Epic, Cerner, athenahealth handle that)
  × Credit-reporting bureau infrastructure (Equifax, Experian, TransUnion are the bureaus)
  × Federal Trade Commission / state AG enforcement workflow tooling (we are the evidence layer underneath)

Mainnet anchors

Verification keys on three independent chains.

State attorneys general, OCR, FTC, CFPB investigators, and your own internal audit can independently re-verify any proof against the on-chain key — no dependency on the regulated entity or zkRune as a vendor for evidence integrity.

Evaluating zkRune for a US privacy obligation?

We work directly with privacy counsel, DPOs, compliance leads, and engineering teams at US-operating businesses in scope of state comprehensive laws and the federal sectoral baseline. The fastest path is a 30-minute technical session with the OpenAPI spec and trust documentation ready to forward to your privacy and security team.

zkruneprotocol@gmail.com · @rune_zk on X · github.com/louisstein94/zkrune