State AI Chatbot Laws: What Businesses Need to Know
May 28, 2026
Last Updated: May 28, 2026
By Tracey Birkenhauer, journalist and Chief Impact Officer, STACK Cybersecurity
Chatbot regulation has become the fastest-moving front in state AI law. As of May 2026, at least a dozen states have enacted laws governing how AI systems that simulate human conversation must behave, with nearly 100 chatbot-specific bills tracked across 34 states and Congress. What began as a narrow concern about companion apps and mental health has expanded into a broad compliance question for any business that deploys a customer-facing AI system capable of sustained, personalized interaction.
The laws share a common skeleton: disclose that users are talking to AI, protect minors, and respond appropriately when someone expresses a mental health crisis. Beyond that framework, the details diverge in ways that matter for compliance. Some laws cover only "companion" chatbots; others reach any commercially deployed conversational AI. Some rely on attorney general enforcement; others give users the right to sue directly. Effective dates range from laws already in force to provisions that don't kick in until 2027. This page covers every enacted state chatbot law, what it requires, and what Michigan businesses need to know.
Artificial Intelligence Readiness Evaluation (AIRE)
STACK Cybersecurity developed a custom evaluation tool for businesses of all sizes to gauge their AI readiness. Our comprehensive assessment offers a custom score. Select the button below to start your evaluation.
Quick Navigation
Enacted Laws: California • Utah • Maine • Washington • Oregon • Idaho • Nebraska • Iowa • Georgia • Connecticut • Tennessee
Topics: Compliance Dates • What Triggers Coverage • Common Requirements • Enforcement • Michigan • What Businesses Should Do
Why This Wave Happening Now
The legislative surge traces directly to a handful of high-profile incidents involving AI companion apps and minors. In 2024, a Florida teenager died by suicide after extended conversations with a chatbot on the Character.AI platform. The case, which spawned federal litigation and congressional hearings, crystallized a concern that had been building among mental health advocates: AI systems optimized for engagement were creating emotional dependence, particularly in adolescents, without adequate safeguards. Lawmakers who might otherwise have deferred to federal action concluded they could not wait.
The policy response has been unusually bipartisan. Bills have advanced with near-unanimous votes in red and blue states alike, driven by a shared concern about children rather than by the ideological debates that have stalled broader AI governance legislation. That consensus has also shaped the content of the laws: most focus on transparency and crisis response rather than on regulating AI systems more broadly, making them easier to pass and harder to challenge on First Amendment or preemption grounds.
The Future of Privacy Forum, which tracks chatbot legislation, counted 98 chatbot-specific bills across 34 states as of spring 2026, with three additional federal proposals. The pace suggests that any business deploying conversational AI at scale is now operating in a regulated environment, whether it has mapped that environment or not.
Chatbot Law Compliance Dates
| Effective Date | Law | State | Key Focus |
|---|---|---|---|
| Jan. 1, 2026 | SB 243 | California | Companion chatbot disclosure, minor protections, crisis protocols |
| Sept. 24, 2025 | LD 1727 | Maine | Disclosure when user can't reasonably detect AI |
| July 1, 2026 | SF 2417 | Iowa | Disclosure, minor protections, ban on impersonating mental health professionals |
| Jan. 1, 2027 | HB 2225 | Washington | Companion chatbot disclosure, minor protections |
| Jan. 1, 2027 | SB 1546 | Oregon | Companion chatbot disclosure, crisis referrals, private right of action ($1,000/violation) |
| Jan. 1, 2027 | S 1297 | Idaho | Conversational AI disclosure, minor protections |
| Jan. 1, 2027 (chatbot provisions) | SB 5 (AIRT Act) | Connecticut | Companion chatbot disclosure, recurring reminders, strict minor protections |
| July 1, 2027 | LB 525 | Nebraska | Disclosure, minor protections, ban on impersonating mental health professionals |
| July 1, 2027 | SB 540 | Georgia | Disclosure, minor protections, crisis protocols; no platform exemptions |
Note: Utah's AI Policy Act (SB 149/SB 226) and New York's S 3008C contain chatbot-related disclosure requirements but are not exclusively chatbot laws. Tennessee SB 1580 (effective July 1, 2026) addresses AI in mental health contexts specifically. All dates subject to change pending attorney general rulemaking where applicable.
What Triggers Coverage
The single most consequential compliance question under most chatbot laws is whether a given AI deployment qualifies as a "companion chatbot" or "conversational AI service" under the relevant state's definition. The answer is not always obvious, and the definitions diverge in ways that can determine whether a law applies at all.
California, Washington, and Connecticut take a capability-based approach: if the system is capable of forming an ongoing relationship with a user, it is likely covered, regardless of how it is marketed. Oregon and Nebraska use a narrower, behavior-based definition that focuses on whether the system actually simulates a sustained human-like relationship and retains context across interactions. Idaho's definition closely follows Nebraska's model.
Most laws carve out standard customer service chatbots that handle narrow, transactional queries. A support bot that answers order status questions or IT helpdesk tickets is generally outside scope. A consumer-facing AI that remembers past conversations, asks follow-up questions about a user's day, and sustains an open-ended dialogue is almost certainly covered, even if it is marketed as a productivity tool rather than a companion. The line between those two categories is where most compliance uncertainty lives.
Georgia's SB 540 is the outlier on scope: it contains no carve-out for chatbots embedded within larger platforms, meaning major technology companies including Meta, Google, and Apple must comply with its requirements if their products fall within the definition.
Common Requirements Across State Laws
Despite definitional differences, the laws converge on a core set of obligations. Nearly every enacted chatbot law requires operators to clearly identify the system as AI at the start of a session and any time a user directly asks whether they are speaking to a human. The disclosure must be conspicuous, not buried in terms of service or surfaced only on initial account creation.
Minor-specific protections are the second universal element. States are not taking a uniform approach: some require age verification, others impose content restrictions for anyone under 18, and others require parental consent or monitoring tools. None of the enacted laws as of mid-2026 establish a robust standalone age verification system; most rely on operators to implement "reasonable" measures to determine whether a user is a minor and apply heightened protections accordingly.
Crisis response protocols are required by every law that goes beyond pure disclosure. When a user expresses suicidal ideation or intent to self-harm, covered systems must interrupt the conversation and refer the user to appropriate crisis resources. California's SB 243 and Georgia's SB 540 are among the most detailed on this point, specifying both detection obligations and response protocols.
A ban on impersonating licensed mental health professionals is present in several laws and reflects the same concern that drove the legislative wave in the first place: that AI systems designed to simulate therapeutic relationships were being offered to vulnerable users, including minors, without adequate guardrails. Nebraska, Iowa, and Tennessee all include explicit prohibitions. California's law takes a related approach, requiring that systems not mislead users into believing they are interacting with a human in contexts involving mental health support.
Enforcement: Attorney General vs. Private Right of Action
How a law is enforced matters as much as what it requires. Most enacted chatbot laws vest enforcement exclusively in the state attorney general, who can seek civil penalties for violations. That structure gives businesses some predictability: enforcement is discretionary, complaints must be filed and investigated, and a single determined user cannot trigger litigation on their own.
Oregon's SB 1546 breaks from that model by creating a private right of action with statutory damages of $1,000 per violation. That provision is, in the words of one legal analysis, "the structural shift": when any user can sue for statutory damages without proving actual harm, the economics of compliance change entirely. A pattern of non-disclosure across thousands of interactions is no longer a regulatory risk to be managed; it is a class action waiting to be certified.
Connecticut's SB 5 also creates exposure beyond AG enforcement. While the companion chatbot provisions primarily route through the attorney general as unfair or deceptive trade practices, the broader law's private rights in other provisions and the cure-notice structure create compliance pressure that extends beyond regulatory discretion.
The Oregon model is being watched closely. If it produces significant litigation activity, it is likely to be replicated in subsequent state laws. Businesses operating at scale should treat Oregon's $1,000-per-violation statutory damages as a preview of what multi-state exposure could look like within a few legislative cycles.
Enacted Laws by State
California: SB 243
California's companion chatbot law (SB 243) took effect Jan. 1, 2026, making it the first comprehensive state law specifically targeting this category of AI. The law applies to AI systems "capable of meeting a user's social needs" and requires that a reasonable person would not be misled into believing they are interacting with a human. Customer service chatbots used only for transactional purposes are exempted.
Operators must disclose non-human status at the outset of any interaction and implement protocols to prevent production of self-harm content. Minor-specific protections include blocking sexually explicit content, enforcing session limits, and implementing crisis response protocols. The law is enforced through California's existing consumer protection framework by the attorney general. Penalties are $5,000 per violation per day for noncompliance.
SB 243 is serving as a legislative template in other states, and California is already advancing amendments. AB 1988, which adds crisis interruption pause requirements, and AB 1609, which extends disclosure obligations to customer service chatbots, both advanced out of committee in spring 2026 and could expand the law's scope before year end.
Utah: AI Policy Act Chatbot Provisions
Utah's AI Policy Act (SB 149, as amended by SB 226) was the first state law to impose disclosure requirements on generative AI in commercial interactions, taking effect May 1, 2024. The law does not use the term "chatbot" but applies to any entity using generative AI to interact with consumers. After SB 226 narrowed the scope in 2025, disclosure is required only when a user directly asks whether they are interacting with AI or during high-risk interactions involving health, financial, or biometric data.
HB 452, also enacted in 2025, added specific requirements for AI-supported mental health chatbots: bans on advertising during user sessions, prohibitions on sharing personal information, and mandatory disclosures at the start of each interaction, after seven days of inactivity, and whenever a user asks. The Utah law runs through July 1, 2027, when SB 332's extension expires. It is enforced by the Division of Consumer Protection, not by a private right of action.
Maine: LD 1727 and LD 2082
Maine enacted the Chatbot Disclosure Act (LD 1727) in June 2025, effective Sept. 24, 2025. The law requires businesses that use AI chatbots to communicate with consumers to notify users they are not interacting with a human in cases where a reasonable consumer could not tell the difference. It is enforced under the Maine Unfair Trade Practices Act, which allows both AG enforcement and private suits.
In 2026, Maine went further with a separate bill (LD 2082) prohibiting any person from providing, advertising, or offering therapy or psychotherapy services using AI unless those services are delivered by a licensed professional. The two laws together give Maine one of the broader chatbot regulatory footprints among early-adopting states, covering both general disclosure and the specific mental health context that drove the national legislative wave.
Washington: HB 2225
Washington Gov. Bob Ferguson signed HB 2225 in March 2026, with an effective date of Jan. 1, 2027. The law takes a capability-based approach similar to California's: if a system is capable of forming an ongoing relationship with a user, it is likely covered. Operators must disclose AI status and implement safety protections for minors. The law is part of a three-bill package Washington enacted in 2026; HB 1170 (AI-generated content disclosure) and SSB 5886 (digital-likeness rights) address related but distinct issues.
Washington's HB 2225 and Oregon's SB 1546 are frequently compared because they took effect within weeks of each other and govern similar conduct. A key structural difference: Washington's law creates a private right of action with statutory damages (similar to Oregon), while the enforcement mechanism in the final enrolled text is an important compliance planning consideration for businesses operating in both states.
Oregon: SB 1546
Oregon Gov. Tina Kotek signed SB 1546 on April 1, 2026. The law is effective Jan. 1, 2027, and has attracted national attention primarily because of its private right of action with statutory damages of $1,000 per violation, the first such provision in any enacted chatbot law.
SB 1546 uses a narrower, behavior-based definition than California's law: it covers AI companions that simulate a sustained human-like relationship and retain contextual information across interactions to personalize engagement. Standard customer service chatbots that handle narrow and discrete topics are excluded. Operators of covered systems must disclose AI status, implement suicide ideation detection and crisis referral protocols, file annual reports with the Oregon Health Authority, and take additional measures when a user is a minor.
The private right of action is the provision most likely to drive compliance behavior. Any user who can demonstrate a violation can seek $1,000 in statutory damages without proving actual harm. For businesses with large user bases, that creates potential aggregate liability that dwarfs any regulatory fine. Legal analysts advise reviewing vendor contracts (which almost certainly do not address mandatory crisis referral obligations predating the law), confirming indemnification coverage, and checking tech E&O and cyber policies for chatbot-related statutory damages exposure.
Idaho: S 1297
Idaho enacted S 1297 in early April 2026, with an effective date of July 1, 2027. The law closely follows Nebraska's model for conversational AI safety and transparency, requiring disclosure that users are interacting with AI and implementing specific safeguards for minors. Idaho Gov. Brad Little signed the bill after it passed both chambers with broad bipartisan support. S 1297 is enforced by the attorney general with no private right of action.
Nebraska: LB 525
Nebraska Gov. Jim Pillen signed LB 525, the Conversational AI Safety Act, on April 14, 2026. The chatbot provisions take effect July 1, 2027. The law requires operators of conversational AI services to disclose their AI nature to all users, apply additional safeguards for minors, and refrain from representing themselves as designed to provide professional mental or behavioral health care. Enforcement rests exclusively with the attorney general; there is no private right of action.
Nebraska's law is structured to exclude applications "primarily designed and marketed for commercial use by business entities" and those designed for "narrow and discrete" topics. A standard customer service bot is likely outside scope. A consumer-facing AI that engages in broad, open-ended social conversation is almost certainly covered. The law was paired with the Agricultural Data Privacy Act in the same bill, reflecting Nebraska's legislative approach of bundling related consumer protection measures.
Iowa: SF 2417
Iowa Gov. Kim Reynolds signed SF 2417 on May 2, 2026, with an effective date of July 1, 2027. The law passed both chambers unanimously, 48-0 in the Senate and 95-0 in the House, reflecting the bipartisan child-protection framing that has driven the chatbot legislative wave.
SF 2417 requires conversational AI services to clearly disclose to users, particularly minors, that they are interacting with AI and not a human or a licensed mental health professional. Operators must prohibit chatbots from encouraging users to commit suicide or engage in acts of violence, and the law requires frequent in-session reminders of AI status. Research tools and internal enterprise AI are excluded from coverage. The Iowa attorney general handles enforcement with civil penalties; no private right of action is created.
Georgia: SB 540
Georgia Gov. Brian Kemp signed SB 540 on May 15, 2026, making Georgia the first Republican-led state to enact a chatbot law in 2026. The law takes effect July 1, 2027. Its most notable structural feature is the absence of any carve-out for chatbots embedded within larger platforms, meaning major technology companies including Meta, Google, and X must comply with its requirements the same as any standalone chatbot operator.
SB 540 requires operators to notify users they are interacting with AI, implement restrictions on certain interactions with minors, and follow crisis response protocols when users express suicidal ideation or intent to self-harm. The law also requires age verification measures and parental controls for minor users. Enforcement is by the attorney general. Kemp's decision to sign was closely watched as a signal of how Republican governors would navigate White House pressure to stand down on state AI regulation.
Connecticut: SB 5 Chatbot Provisions
Connecticut's SB 5, the AIRT Act, is an omnibus AI law with a dedicated companion chatbot section effective Jan. 1, 2027. The chatbot provisions are among the strictest in the country. Operators must notify users they are interacting with AI at the start of every session and include recurring reminders every three hours during sustained interactions.
Requirements specific to minors are particularly stringent. The law prohibits romantic or sexual interactions, encouraging self-harm or substance use, offering unsupervised mental health services, and using manipulative techniques to foster emotional dependence. Legal analysts have noted that the minor-specific rules may function as a practical bar on offering consumer chatbots to users under 18 in Connecticut without substantial product modification. Enforcement runs through the attorney general as unfair or deceptive trade practices, with a cure-notice provision available through the end of 2027.
Tennessee: SB 1580
Tennessee's SB 1580, effective July 1, 2026, takes a narrower but significant approach: it prohibits marketing AI as a qualified mental health professional and includes a private right of action. Unlike the companion chatbot laws, SB 1580 is not focused on disclosure or ongoing relationship dynamics but specifically on the representation of AI as a credentialed therapeutic provider. Violations carry civil liability, and the private right of action creates direct user-level enforcement pressure similar to Oregon's model.
Michigan: SB 760 Pending
Michigan Senate Bill 760 passed the Michigan Senate 20-17 in May 2026 and has been transmitted to the House, where it faces a Republican majority in a split legislature. The bill joins a national wave of chatbot legislation that has produced enacted laws in at least a dozen states in the current legislative cycle.
The bill's path through the House is uncertain. Republican skepticism of state AI regulation has been amplified by the Trump administration's vocal opposition to state-level AI laws, and the House majority has shown less appetite for the kind of bipartisan child-safety framing that has driven chatbot bills to near-unanimous passage in other states. Michigan businesses should monitor the bill's progress but do not face a compliance deadline under Michigan law in the near term.
Michigan firms operating in states with enacted chatbot laws do face current or upcoming obligations regardless of what happens at home. California's SB 243 has been in effect since Jan. 1, 2026. Iowa's SF 2417 takes effect July 1, 2026. Washington, Oregon, Idaho, Nebraska, Connecticut, and Georgia all have laws taking effect Jan. 1, 2027, or July 1, 2027. Any Michigan-headquartered company with users in those states needs to assess whether its AI-facing products trigger coverage.
Missouri: SB 1019 Awaiting Governor
Missouri's legislature passed SB 1019, an omnibus health care bill that includes a prohibition on offering AI therapy chatbots, before adjourning May 15, 2026. The bill now awaits the governor's signature. If signed, Missouri would join Maine, Tennessee, Nebraska, Iowa, and Georgia in restricting AI systems from offering or representing themselves as therapeutic or mental health services.
What Businesses Should Do Now
The patchwork of chatbot laws is manageable if addressed systematically. The following steps apply broadly to any business deploying customer-facing conversational AI.
Start with an inventory. Map every AI-powered system your business deploys that interacts directly with end users through text, audio, or visual conversation. Include third-party tools deployed under license, not just systems built in-house. Vendors whose contracts predate 2026 almost certainly do not address mandatory crisis referral obligations or disclosure requirements; those gaps need to be identified and allocated before the relevant effective dates.
Assess coverage state by state. The definitions matter. A system that clearly falls outside Oregon's behavior-based companion chatbot definition might trigger California's capability-based standard. Run each deployed system against the definition in each state where you have users, and document the analysis. If coverage is ambiguous, the conservative assumption is that the law applies.
Build the core compliance layer. Across every enacted law, three obligations are universal: disclose AI status at session start (and when asked), implement age-aware safeguards for minor users, and route crisis expressions to appropriate resources. Building these into product architecture as defaults simplifies multi-state compliance and reduces the risk of gaps as new laws take effect.
Treat Oregon as the floor for litigation risk. The $1,000-per-violation private right of action means that at scale, non-disclosure is not a compliance miss; it is a liability event. Review your tech E&O and cyber insurance policies to confirm whether chatbot-related statutory damages claims are covered. They may not be under policies written before 2026.
Watch for federal preemption. The Trump administration has been openly hostile to state AI regulation, and a bipartisan federal bill that would supersede state chatbot laws has been discussed in Congress. New York lawmakers have already lobbied their federal counterparts to oppose such preemption. If federal legislation advances, it could either create a uniform national standard or eliminate state protections; either outcome would require a compliance recalibration. Monitor developments and avoid building compliance programs that assume the current state-law patchwork is permanent.
Need Help Assessing Your AI Exposure?
STACK Cybersecurity works with Michigan businesses to evaluate AI governance risks, map regulatory exposure, and build compliance programs aligned with NIST, CMMC, and emerging state AI requirements. Email info@stackcyber.com or call (734) 744-5300.