AI Laws & Compliance for Small Business: State-by-State FAQ
Which states have AI laws, what they require, and what your small business needs to do before the deadlines.
Updated April 2026 · By The Useful Daily Editors · Not legal advice
⚠️ Colorado AI Act deadline: July 1, 2026
Businesses using high-risk AI for Colorado residents must be compliant by July 1, 2026. See questions below for details on who is affected and what to do.
Which states currently have AI laws that affect small businesses?
As of 2026, the states with the most significant AI-related laws for businesses are: Colorado (AI Act, SB 24-205, effective July 1, 2026), California (multiple AI bills including AB 2013 and SB 1047-related legislation), Illinois (AI Video Interview Act and pending HB 3773), New York City (Local Law 144 on automated employment decisions), Virginia (Consumer Protection Act AI amendments), and Texas (Responsible AI Governance Act, pending). More states are actively moving AI bills through their legislatures in 2026.
Does my small business need to worry about AI laws?
It depends on what you use AI for and where you are located or do business. If you use AI to make or assist decisions about employees, job applicants, or customers — especially in hiring, lending, housing, or healthcare — you are more likely to face compliance obligations. Businesses that only use AI for internal productivity (writing drafts, summarizing notes) face lower regulatory risk. The key triggers are: using AI in hiring, using AI for customer-facing decisions, and processing personal data through AI systems.
What is the Colorado AI Act and when does it take effect?
Colorado SB 24-205, the Colorado Artificial Intelligence Act, is the most comprehensive state AI law in the US and takes effect July 1, 2026. It applies to "developers" and "deployers" of high-risk AI systems that make consequential decisions about Colorado residents in areas like employment, education, financial services, healthcare, and housing. Small businesses that use AI for these decisions must conduct risk assessments, provide transparency disclosures, and allow consumers to appeal AI decisions.
Does the Colorado AI Act apply to small businesses?
The Colorado AI Act has a small business exemption. Businesses with fewer than 50 employees and revenues under $5 million are subject to lighter requirements — primarily disclosure obligations rather than full risk assessment requirements. However, if your small business deploys high-risk AI systems (making consequential decisions about people), you must still disclose that AI is being used and provide an appeal mechanism. Review the exemption criteria carefully as the thresholds may affect your specific situation.
What is the June 30, 2026 deadline for Colorado AI compliance?
July 1, 2026 is when the Colorado AI Act takes full legal effect. Businesses using high-risk AI systems in Colorado that do not qualify for the small business exemption should have their risk assessments, transparency policies, and consumer appeal processes in place by this date. The Colorado Attorney General has enforcement authority. Penalties are not explicitly defined in the statute but violations can be enforced as unfair trade practices.
What is California AB 2013 and what does it require?
California AB 2013 (signed in 2024) requires developers of AI systems trained on datasets of 1 million or more data points to post documentation about their training data on their public websites by January 1, 2026. This primarily affects AI developers and large technology companies, not small businesses that are simply using AI tools built by others. If your small business is building your own AI system trained on large datasets, consult an attorney. If you are just using off-the-shelf AI tools, AB 2013 does not directly apply to you.
What other California AI laws should small businesses know about?
California has passed multiple AI transparency and safety bills. Key ones for small businesses: AB 2839 restricts AI-generated election content; SB 942 requires AI content watermarking for large AI developers; AB 3211 requires labeling of AI-generated content in advertising. California also has broad data privacy law (CCPA/CPRA) that covers AI-processed personal data. If you market to California consumers, the CCPA requires disclosure when personal data is used in automated decision-making that has legal or significant effects.
What is NYC Local Law 144 and does it affect my business?
NYC Local Law 144 (effective July 2023) requires employers in New York City to conduct annual bias audits of AI tools used to screen job candidates or employees, and to notify candidates and employees that AI is being used. It applies to any employer that uses "automated employment decision tools" for NYC-based positions. If you have employees or hire workers in New York City and use AI-assisted hiring tools (resume screening, video interview analysis, etc.), you must conduct a bias audit and post a public summary.
What is Illinois HB 3773 and what does it require?
Illinois HB 3773 (the Artificial Intelligence Video Interview Act, passed 2019, expanded in subsequent legislation) restricts how Illinois employers can use AI in video interviews. If you use video interview tools with AI analysis (like HireVue), you must: notify candidates before the interview that AI will be used, explain how the AI works at a high level, get the candidate's consent, and limit who sees the AI analysis. You also cannot use the AI analysis as the sole basis for a hiring decision.
Does the Illinois AI Video Interview Act apply to small businesses?
Yes, the Illinois AI Video Interview Act applies to any employer that has an Illinois-based position and uses AI to analyze video interviews, regardless of company size. There is no small business exemption. If you use HireVue, Spark Hire with AI analysis, or any other video interview platform that uses AI to assess candidates, review your compliance with Illinois law before using it for Illinois candidates.
What states are considering AI laws that will pass in 2026?
As of early 2026, states with significant AI legislation advancing include: Texas (Responsible AI Governance Act, similar to Colorado's), Virginia (AI Developer and Deployer Act), New Jersey (AI disclosure bills), Washington State (multiple AI bills), Connecticut (AI accountability legislation), and Minnesota (AI transparency requirements). The trend is accelerating — expect 10-15 states to have meaningful AI laws in effect by end of 2026.
What is a "high-risk AI system" under state AI laws?
Under Colorado's framework (which others are following), a high-risk AI system is one that makes "consequential decisions" affecting individuals in areas including: employment or employment opportunity, education and vocational training, financial services (loans, insurance), essential government services, healthcare, housing, and legal services. The key distinction is whether AI is making or substantially influencing decisions that have real consequences for specific people — not just AI used for general productivity or internal tools.
What is a "consequential decision" in AI law?
A consequential decision is one that has a material impact on an individual's life — being hired or fired, getting a loan, being approved for housing, receiving healthcare, or being accepted to an educational program. Using AI to draft a marketing email is not a consequential decision. Using AI to screen which job applicants advance to interviews is a consequential decision. The concept matters because laws like Colorado's AI Act specifically regulate high-risk AI systems making consequential decisions.
What are "algorithmic hiring" laws and do they affect small businesses?
Algorithmic hiring laws restrict or regulate the use of AI and automated tools in employment decisions — particularly screening resumes, analyzing video interviews, and scoring candidates. NYC Local Law 144, Illinois HB 3773, and Maryland's AI in Hiring law are the main examples currently in effect. If you use any AI-powered hiring tool for positions in covered jurisdictions, you likely have notice, audit, and transparency obligations. Check the specific law for the jurisdiction where your open positions are located.
What are the penalties for violating state AI laws?
Penalties vary by state. NYC Local Law 144 has civil penalties of $375-$1,500 per violation per day. Colorado's AI Act will be enforced by the Attorney General as unfair trade practices (penalties up to $20,000 per violation under Colorado consumer protection law). Illinois' AI Video Interview Act allows employees to sue for violations and recover attorneys' fees. California CCPA violations carry $100-$750 per consumer per incident for data-related AI violations. For most small businesses, the bigger risk is consumer lawsuits and reputational damage rather than regulatory fines.
Does using ChatGPT for business create any legal compliance issues?
Using ChatGPT as a productivity tool (writing, research, summarizing) does not create direct legal compliance issues for most small businesses. The compliance risks arise when you: (1) input personal data about customers or employees into ChatGPT, which may implicate privacy laws; (2) use AI to make automated decisions about individuals in employment, lending, or other regulated areas; or (3) use AI to generate content that contains false statements about real people (defamation risk) or that infringes on copyright.
Does GDPR apply to US small businesses using AI?
GDPR applies to any business that processes personal data of EU residents, regardless of where the business is located. If your small business has EU customers or website visitors whose data you process (including via AI tools), GDPR applies. Key AI-related GDPR requirements: you may not make solely automated decisions with significant effects on individuals without consent; you must disclose when AI processes personal data; and individuals have rights to explanation of automated decisions.
What is the FTC's position on AI for small businesses?
The FTC has issued guidance warning businesses against: using AI to make false or misleading claims about products (including AI-generated fake reviews), using discriminatory AI systems that violate existing anti-discrimination laws, deploying AI in deceptive ways that harm consumers. The FTC's key principle is that existing laws (against deception, discrimination, unfair practices) apply to AI-driven conduct. For small businesses, the most relevant risk is using AI to generate fake reviews or testimonials, which the FTC actively pursues.
Are there federal AI laws that small businesses need to follow?
As of 2026, there is no comprehensive federal AI law in the US. However, sector-specific federal agencies have issued AI guidance and enforcement guidance: the EEOC on AI in employment (existing anti-discrimination laws apply), the CFPB on AI in lending (Equal Credit Opportunity Act applies), HHS on AI in healthcare (HIPAA and non-discrimination rules apply), and the FTC broadly (consumer protection laws apply). Federal regulation is expected but the timeline is uncertain.
What should a small business do to prepare for AI compliance?
A practical four-step approach: (1) Inventory all AI tools you use and categorize them by risk (productivity tools = low risk; hiring/lending/customer decisions = high risk); (2) For high-risk AI, document what decisions they influence and who is affected; (3) Check the laws in every state where you have employees or customers; (4) Add AI disclosures to your website privacy policy and any AI-assisted customer communications. This foundation addresses 80% of compliance risk for most small businesses.
Do I need to disclose to customers that I use AI?
For most general AI use (writing emails, drafting content, internal analysis), there is no legal requirement to disclose AI use to customers — though transparency builds trust. Disclosure is legally required or strongly advisable when: AI is making decisions that directly affect the customer (AI-driven pricing, automated loan decisions, AI-scored applications); when you are impersonating a human in real-time customer service; and when you are in states or industries with specific disclosure laws. NYC and some other jurisdictions require AI disclosure in employment contexts.
What is a "bias audit" for AI and does my business need one?
A bias audit analyzes an AI hiring tool's outputs to determine if it produces disparate results across demographic groups (race, gender, age). NYC Local Law 144 requires annual bias audits for any AI hiring tool used for NYC positions, conducted by an independent auditor, with results publicly posted. If you use AI hiring tools for NYC positions, you need a bias audit. For other jurisdictions, bias audits are best practice but not currently legally required — though this is changing.
Does my small business need an AI policy?
If you have employees using AI tools, yes — an AI use policy is a practical necessity. A basic policy should cover: which AI tools are approved; what data employees may not input into AI (client personal information, trade secrets, financial data); requirement for human review of AI-generated external communications; how to handle AI errors; and basic transparency guidelines. A one-to-two page policy is sufficient for most small businesses and protects you from data leaks and quality failures.
What data protection requirements apply to AI processing of customer data?
If your AI tools process personal data about US customers, CCPA (California) applies if you have California customers and meet threshold criteria. If you process EU customer data, GDPR applies. Generally: disclose AI use in your privacy policy; do not input sensitive personal data into AI tools that train on user conversations; use business/team plans of AI tools rather than consumer plans; and consider data processing agreements with AI vendors for compliance documentation.
Are there AI laws specifically for restaurants or food businesses?
There are no AI laws that specifically target restaurants, but general AI employment laws apply when restaurants use AI in hiring. The most relevant concern for restaurants is using AI to screen job applications — if you use hiring platforms with AI screening for NY or IL positions, the applicable state laws apply. Some restaurants using AI for customer-facing pricing (dynamic pricing, AI-driven promotions) may face scrutiny under consumer protection laws if pricing is not transparent.
What AI compliance issues affect healthcare small businesses most?
Healthcare small businesses (medical practices, dental offices, physical therapy, etc.) face overlapping AI regulations. HIPAA prohibits sharing protected health information (PHI) with AI tools that do not have a signed Business Associate Agreement (BAA). Most general AI tools (ChatGPT, Claude) do not offer BAAs for their standard plans — check Enterprise plans or healthcare-specific AI tools. Additionally, the FDA regulates AI/ML as medical devices when used for clinical decision support that influences diagnosis or treatment.
Do AI-generated advertisements need to be labeled?
Labeling requirements for AI-generated ads vary by jurisdiction. California's SB 942 requires large AI companies to build watermarking into AI-generated content, which may eventually flow through to advertising. The FTC has issued guidance that material connections and endorsements must be disclosed, which extends to AI-generated content that could mislead consumers. As a best practice, label AI-generated advertising content, particularly in political advertising (where multiple states have strict laws) and in contexts where authenticity is material to the consumer's decision.
What is the safest approach for a small business that wants to use AI without legal risk?
The lowest-risk AI use for small businesses: use AI exclusively for internal productivity (writing drafts, research, summarizing), never for decisions about individual people; never input personal data about customers, employees, or applicants into AI tools; use paid/business plans rather than free plans (better data protection); disclose AI use in your privacy policy; and keep a human in the loop on all external communications. This approach captures most of the productivity benefits while minimizing regulatory and legal exposure.
Where can I get reliable updates on state AI laws for my business?
The most reliable sources for state AI law updates: the National Conference of State Legislatures (NCSL) tracks all state AI bills at ncsl.org; the Future of Privacy Forum publishes AI governance trackers; your state's Attorney General website for enforcement guidance; and the International Association of Privacy Professionals (IAPP) for in-depth analysis. For small businesses, signing up for The Useful Daily newsletter is the fastest way to get plain-English summaries of new AI laws as they pass.
Stay ahead of AI laws
We track new AI legislation weekly and translate it into plain English for small business owners.
Subscribe freeThis FAQ is for informational purposes only and is not legal advice. Consult a licensed attorney for guidance specific to your business situation.