State Chatbot Laws Are Moving From Transparency to Risk Management
State chatbot laws are shifting from baseline transparency requirements to a more targeted, risk-based approach, with requirements that vary depending on how chatbots are used. In particular, states are beginning to distinguish among chatbot use cases and to tailor deployer obligations based on how a chatbot interacts with users. As these laws often place compliance obligations on the chatbot deployer, not just the developer, they present shifting compliance obligations on companies that may use chatbots in a range of circumstances.
For companies deploying consumer-facing chatbots, obligations vary depending on whether the chatbot serves basic customer-service functions, engages with users on health-related matters, or supports more immersive, companion-style interactions. The growing patchwork of obligations requires attention to varied state laws and can create risks if companies do not have the proper disclosures or consent in place.
Below, we explore the state patchwork in further detail and highlight practical steps deployers can take to develop compliance strategies and minimize risks.
Key Chatbot Compliance Obligations
Although states may each have their own definitions, in general, a “chatbot” is a software application, web interface, or automated system that uses artificial intelligence (AI) to simulate human conversation, typically through text or audio, and can range from narrow, task-oriented tools to systems that sustain ongoing, personalized interactions.
General Consumer-Facing Chatbot Laws
Across current state laws, one common baseline rule is that when a chatbot’s design or behavior could reasonably lead a user to believe they are interacting with a human, the chatbot must clearly disclose that it is not human. However, states differ on the specifics of the AI disclosure, such as the mechanism, timing, and frequency. For example:
Maine illustrates the baseline transparency model. Its statute, the “Act to Ensure Transparency in Consumer Transactions Involving Artificial Intelligence,” which took effect in September 2025, requires an AI disclosure when the chatbot could cause a reasonable consumer to think a person is on the other side of the interaction, without specifying at which point in the interaction and how often thereafter the disclosure must be made.
Utah (SB 226) takes a more tailored, but still relatively light-touch, approach. As amended effective May 7, 2025, for ordinary consumer interactions, a deployer must make an AI disclosure if a consumer makes a “clear and unambiguous request” to know whether the interaction is with a human or AI. Utah also created an important safe harbor in some cases: A deployer may avoid penalties for not disclosing in response to such a request, if the generative AI clearly discloses “at the outset of and throughout the interaction” that it is AI and not a human. In higher-risk interactions related to regulated occupations, such as interactions involving sensitive personal information or financial, health, or legal services, Utah requires a “prominent” disclosure regardless of whether the consumer affirmatively requests the disclosure.
Chatbot Laws That Apply in Specific Use Cases
New state laws are beginning to sort different kinds of chatbots into categories and applying different, more detailed requirements based on how those systems are designed to interact with users. For example, there has been a wave of new laws targeting chatbots designed to simulate companionship or sustain relationships, as well as chatbots that interact in mental-health-related contexts.
Companion Chatbot Laws
Washington (HB 2225, effective January 1, 2027), Connecticut (SB 5, effective October 1, 2026), and New York (“Artificial Intelligence Companion Models Law,” effective November 5, 2025) demonstrate how some states are layering in additional requirements for certain AI chatbot use cases. All three of those laws require deployers of “companion chatbots” to make a disclosure at the beginning of each interaction, and again every three hours, during a continuing interaction (though New York does not require the disclosure “to exceed once per day”). For interactions between companion chatbots and minors, Washington and Connecticut require the disclosure every hour for continuing use.
In these emerging companion-chatbot laws, the operative definition of a companion chatbot varies. For example, Washington’s HB 2225 covers systems with a natural language interface that provide “adaptive, human-like responses” and can “sustain a relationship across multiple interactions or elicit an emotional response,” and New York’s law regulates “AI companion[s],” defined as systems designed to simulate a sustained human or human-like relationship by retaining information from prior interactions to personalize engagement, asking “unprompted or unsolicited emotion-based questions,” and sustaining ongoing dialogue about matters personal to the user. Similarly, California’s SB 243, which took effect January 1, 2026, focuses on “companion chatbots” that provide adaptive, human-like responses and are capable of meeting a user’s social needs, “including by exhibiting anthropomorphic features and being able to sustain a relationship across multiple interactions.”
Many of these laws impose obligations designed to prevent harm to the user or to others, including safety protocol requirements that are targeted towards how the chatbot actually behaves, particularly around user suicidal ideation and self-harm. New York’s and Washington’s laws require deployers to ensure the chatbot contains a protocol to take reasonable measures to detect and address a user’s expression of “suicidal ideation or self-harm” and, at a minimum, to refer the user to a crisis service provider or crisis text line. Oregon’s law (SB 1546, effective January 1, 2027), imposes similar safety protocol requirements. California’s law requires an operator to maintain a protocol for “preventing the production of suicidal ideation, suicide, or self-harm content” and to publish details of that protocol on its website. Beginning July 1, 2027, California operators must also submit annual reports to the Office of Suicide Prevention regarding those protocols and related incidents.
In some states, these laws place additional obligations on a deployer if they have reason to believe a user is a minor. Such obligations include requiring the chatbot to make clarifying disclosures as needed so as not to simulate a human relationship (OR, WA, and CA), restricting the chatbot from generating age-inappropriate content (WA, OR, CT, and CA), and requiring the chatbot to provide “take a break” reminders during ongoing interactions (OR and CA).
Washington’s HB 2225 also imposes additional behavioral constraints on the chatbot itself, requiring deployers to prevent “manipulative engagement techniques,” where there is reason to believe the user is a minor. In practice, this can mean disabling features that foster emotional reliance, use reinforcement or praise to prolong conversations, simulate personal or romantic relationships, encourage harmful behavior, or otherwise discourage users from disengaging or seeking support elsewhere. Connecticut’s SB 5 takes this a step further by prohibiting deployers from making available for use any chatbot that does not meet or exceed industry standards for preventing such techniques.
While many companion chatbot laws carve out exceptions for chatbots deployed solely for business operational purposes, such as customer service or technical assistance, deployers should carefully assess classification criteria for these more heavily regulated categories that carry heightened compliance obligations and significant enforcement risks, including private rights of action.
Mental Health Chatbot Laws
Another specific chatbot use case regulated by an increasing number of states is mental health-related services. For example, in Tennessee (SB 1580, effective July 1, 2026), the law prohibits deployers of an artificial intelligence system from “advertis[ing] or represent[ing] to the public that such system is or is able to act as a qualified mental health professional.” Illinois’ law (HB1806, effective August 1, 2025) includes a similar prohibition for provision of therapy or psychotherapy services. In contrast, California’s AB 489 (effective January 1, 2026) prohibits chatbots from implying “possession of a license or certificate to practice a health care profession, without at that time having the appropriate license or certificate required for that practice or profession.” Nevada’s AB 406 (effective July 1, 2025) goes further, prohibiting chatbot providers from making such claims themselves or from knowingly causing or programming a chatbot to suggest, explicitly or implicitly, that it can provide – or is itself a provider of – professional mental or behavioral health care. For companies in health care and health care-adjacent spaces, this is an area where product naming, onboarding language, and promotional claims should be reviewed as carefully as the model outputs themselves.
Enforcement Risk Is Expanding Beyond Attorney General Scrutiny
These laws also highlight how the enforcement landscape is changing. Many of the state chatbot laws are tied to consumer-protection statutes, allowing state Attorneys General to treat noncompliance as an unfair or deceptive practice. Maine, for example, states expressly that a violation of its chatbot disclosure rule is a violation of the Maine Unfair Trade Practices Act, and New York’s law authorizes enforcement by the Attorney General, including civil penalties of up to $15,000 per day.
At the same time, some states are moving beyond regulator-only enforcement. California’s SB 243 Section 22605 authorizes a private right of action by a person who suffers “injury in fact” as a result of noncompliance. Oregon’s SB 1546 Section 2 similarly allows a user who suffers “ascertainable loss” to bring an action for damages and injunctive relief. Washington’s HB 2225 is enforceable through the Washington Consumer Protection Act and likewise creates private litigation exposure in addition to regulatory scrutiny.
Practical Takeaways for Companies Deploying Chatbots
In this evolving landscape, there is not a one-size-fits-all compliance strategy for companies deploying chatbots. Instead, they must take a more nuanced, risk-based approach by mapping chatbot functionality to applicable state requirements, tailoring disclosures to the nature of the interaction, and implementing governance structures that address heightened obligations in sensitive contexts, including but not limited to companionship or mental health. Even if a chatbot is intended to have only business operational applications – for example, use in customer service – companies should review whether specific state laws still apply. As the patchwork of state laws continues to expand and diverge, proactive compliance will be essential to mitigate regulatory and litigation risk.
***
Wiley’s Artificial Intelligence Practice counsels clients on AI compliance, risk management, and regulatory and policy approaches, and we engage with key government stakeholders in this quickly moving area. Please reach out to the authors with any questions.




