If your SaaS product includes a customer support bot, a sales assistant, or any AI-powered chat interface, you are now operating in regulated territory in at least 12 US states. The rules are not uniform, and the consequences for ignoring them range from AG enforcement actions to class action lawsuits filed directly by your users.
California SB 243 took effect January 1, 2026, and it introduced something most state AI laws do not have: a private right of action. That means individual users can sue your company without waiting for a regulator to act. If your chatbot is configured to deny being AI when a user sincerely asks, each such denial is a potential lawsuit. For a SaaS product with thousands of California users, the class action math gets uncomfortable fast.
The compliance picture is further complicated because different states define "disclosure" differently. Some require proactive disclosure at the start of every session. Others only require it when the user asks. A few prohibit deceptive denial without mandating any affirmative statement at all. This guide breaks down what each major state requires, how the most common chatbot platforms handle it, and what your team needs to do before your next deployment.
What Chatbot Disclosure Laws Actually Require
Before reviewing the state-by-state breakdown, it helps to understand the two distinct legal obligations that these laws create. They are not the same thing, and many compliance guides conflate them.
The first obligation is proactive disclosure: the requirement to affirmatively tell users they are interacting with an AI before the conversation progresses. Utah's AI Policy Act is the clearest example. It requires any company deploying an AI to interact with Utah consumers to identify the AI as artificial at the outset of the interaction. You cannot wait for the user to ask.
The second obligation is truthful response on direct inquiry: the requirement to answer honestly if a user sincerely asks whether they are communicating with a human. California SB 243 is the main example. The law does not require you to open every chat session with "Hi, I'm a bot." It requires that when a user directly asks whether they are talking to a human or an AI, the system must not deny being AI. The California text specifically targets deceptive denial, not mere silence.
These two obligations overlap but are not identical. A chatbot that opens with "Hi, I'm Aria, your support assistant!" without disclosing it is AI satisfies neither obligation in Utah (because it dodges the proactive requirement) but may satisfy California (because it has not denied being AI). A chatbot that opens with "Hi, I'm Aria! I'm an AI assistant here to help." satisfies both.
The practical compliance floor for multi-state SaaS companies is proactive disclosure. If your chatbot states clearly that it is an AI at the start of every session, you satisfy the proactive states, and you make it structurally impossible to violate the deny-on-inquiry states.
One more threshold question: what counts as a "chatbot" covered by these laws? The statutes generally reach any automated system that communicates with consumers via text, voice, or interactive interface in a way that could be mistaken for human communication. If your product has a live chat widget powered by an LLM, it is covered. If it has a phone IVR that uses AI-generated voice responses, it is likely covered. A static FAQ page with no interactive element is not. A basic rules-based decision tree that routes tickets without generating natural language responses likely sits in a gray zone, but the safe answer is to disclose anyway.
State-by-State Requirements
The following table covers the eight states with the most active chatbot disclosure requirements as of mid-2026. Several additional states have bills pending.
| State | Law | Effective | Proactive Disclosure? | Deny-on-Inquiry Prohibited? | Enforcement |
|---|---|---|---|---|---|
| California | SB 243 | Jan 1, 2026 | No (only required on request) | Yes | Private right of action + AG |
| Utah | AI Policy Act (SB 149) | May 1, 2024 | Yes (start of interaction) | Yes | AG civil penalties |
| Texas | TRAIGA | Jan 1, 2026 | Yes (government agencies, healthcare) | Yes (limited scope) | AG, up to $10,000-$200,000/violation |
| New York | AI Companion Models Law + A3411B | Nov 2025 / pending | Yes (AI companions; broader bill pending) | Yes | AG enforcement |
| Washington | HB 1058 | Jan 1, 2026 | Yes (synthetic media, limited scope) | Yes (AI-generated communications) | AG civil penalties |
| Illinois | Chatbot provisions (AIADA) | Ongoing | Yes (consumer chatbot context) | Yes | AG enforcement |
| Georgia | SB 540 | Jul 1, 2027 | Yes (AI companion chatbots) | Yes | AG civil penalties |
| Colorado | SB 26-189 | Jan 1, 2027 | Yes (consequential decision ADMT) | Yes | AG enforcement |
A few notes on the states in the table that warrant additional explanation.
California SB 243 has the widest practical impact because of the private right of action. The law defines a violation as using an automated account or AI system to communicate with another person in a manner designed to mislead the recipient into believing they are communicating with a human being, or denying being AI when sincerely asked. Note the "designed to mislead" standard: a chatbot named "Alex" with a generic greeting is not automatically non-compliant, but a chatbot that uses first-person human language, declines to confirm it is AI, and builds rapport to simulate a human relationship is in significant jeopardy.
Texas TRAIGA applies narrowly compared to California. It covers government agencies, healthcare providers, and certain other regulated entities, not private SaaS companies generally. For entities it does cover, disclosure is required before or at the start of any AI-driven interaction. Penalties range from $10,000 for curable violations to $200,000 for uncurable ones, plus up to $40,000 per day for continuing violations. If your company falls into TRAIGA's scope, the exposure is serious; if you are a typical private SaaS company outside regulated industries, TRAIGA's chatbot provisions likely do not reach you directly.
Georgia SB 540, signed May 11, 2026 and effective July 1, 2027, applies specifically to AI companion chatbots rather than all chatbot interactions. If you are building compliance infrastructure now, you should build it to handle disclosure for companion-style AI products before the Georgia deadline. Enforcement is through the AG.
Utah's AI Policy Act is the most mature of these statutes, having been in effect since May 2024. Utah has already issued informal guidance clarifying that a simple disclosure at session start satisfies the requirement, and that the law does not require chatbots to proactively explain their technical architecture, only to identify themselves as AI.
New York enacted the AI Companion Models Law, effective November 5, 2025, requiring clear disclosure that users are interacting with AI rather than a human. The state legislature also passed a broader generative AI disclosure bill (A3411B) in March 2026, which awaits the governor's signature as of mid-2026. Even before these laws, the state AG has treated AI chatbot impersonation as a deceptive practice under existing consumer protection statutes. New York's regulatory posture toward chatbot disclosure is aggressive relative to most states.
Colorado's AI law was substantially rewritten in May 2026. SB 24-205 was replaced by SB 26-189, signed May 14, 2026, which eliminated the high-risk AI systems framework in favor of narrower rules around automated decision-making that affects consequential decisions. The new law takes effect January 1, 2027. For chatbot disclosure specifically, SB 26-189's requirements apply when the AI is involved in consequential decisions about a person, not to all customer-facing chatbot interactions. A support bot answering FAQs is lower risk than an AI system that determines loan eligibility or insurance coverage.
Which Platforms Handle Disclosure and Which Leave It to You
The chatbot platform you use matters, but not in the way most teams assume. None of the major platforms provide automatic legal compliance out of the box. They provide the tools to achieve compliance; your team has to configure those tools.
Intercom is the most widely used platform among SaaS companies in this audience. Intercom's Fin AI Agent does not automatically identify itself as AI in its greeting. The platform provides an option to customize the bot's introductory message, which is where you insert the disclosure. If you have deployed Fin without modifying the default greeting, you are likely not compliant in Utah, Texas, or Georgia. Intercom also allows you to configure a fallback response if the user asks whether they are talking to a human. That configuration is your responsibility.
Drift (now part of Salesloft) similarly does not require AI disclosure in its default configuration. The platform's bot builder lets you set an opening message and define responses to specific question patterns. You can configure a response to "Are you a bot?" that confirms AI status, but that routing rule must be explicitly built. There is no default compliance behavior.
Zendesk AI (formerly Answer Bot) operates within the Zendesk Support ecosystem and surfaces as an AI suggestion layer or a standalone bot depending on your configuration. Zendesk does not inject any disclosure into default bot flows. The platform's bot builder, now branded as Zendesk AI agents, allows custom introductory messages. Compliance requires a manual change to the greeting template.
Crisp is common among smaller SaaS teams and bootstrapped companies. Its bot feature, Crisp Bot, is a rules-based system that can be extended with AI. The platform provides no default AI disclosure, and its documentation does not reference state chatbot disclosure requirements. If you are using Crisp with an AI integration, you need to add a disclosure to the conversation opener manually.
HubSpot's chatbot builder, part of HubSpot Service Hub, gives you a customizable welcome message in the bot flow builder. By default it does not include an AI disclosure. HubSpot has published general guidance about AI transparency but does not configure disclosure for you. The compliance gap is in the setup, not the platform's capability.
Tidio is used by e-commerce and small SaaS teams. Its Lyro AI agent does not include a default AI disclosure. Tidio's setup flow does not prompt you to configure one. The gap is the same as the others: the tool supports compliance but does not enforce it.
The pattern is consistent across all six platforms: disclosure settings exist, but none are enabled by default, and the legal responsibility remains with you regardless of what the platform does or does not do. Platform terms of service explicitly place compliance obligations on the deploying company, not the platform vendor.
The one partial exception is if you are using a platform that has obtained specific legal certification or contractual representation that its default configuration is compliant in named jurisdictions. As of mid-2026, none of the major platforms have done this. If a vendor tells you their default setup is "compliant," ask them to put that in writing in the contract with indemnification. You will likely find the representation disappears.
6-Step Compliance Checklist
Work through these steps before your next deployment. Each step is discrete and can be assigned to a specific team member.
Step 1: Identify every AI-powered chat interface in your product. This includes customer support bots, sales qualification flows, in-app help assistants, onboarding wizards that use LLM responses, and voice AI if applicable. Create a simple inventory: interface name, platform used, geographic reach, and whether it currently discloses AI status. If you do not have this list, you cannot run a gap analysis.
Step 2: Map your user geography. If your product serves US users without geographic restriction, assume you have California, Texas, Utah, and Colorado users. You do not need to geo-fence for compliance purposes; the simpler path is to apply the strictest requirements to all users. If you have hard data showing you have no users in certain states, you can take a narrower approach, but user geography tends to shift faster than compliance configurations.
Step 3: Add a proactive AI disclosure to every chatbot greeting. The disclosure does not need to be prominent or lengthy. "I'm an AI assistant" in the first message satisfies proactive disclosure requirements in Utah, Texas, Georgia (when effective), and Colorado. It does not need to name the model, the vendor, or the training data. It needs to clearly communicate that the user is interacting with an AI, not a human.
Step 4: Configure a deny-on-inquiry prevention rule. In your chatbot platform, add a routing rule that catches direct inquiry about AI status ("Are you a bot?", "Am I talking to a real person?", "Are you human?", "Is this automated?") and responds with a confirmation of AI status. Do not route these questions to a fallback that says "I didn't understand that" or escalates to a human without answering the question first. The California standard is that denial in response to a sincere inquiry is the violation. Silence or deflection may also be treated as deceptive depending on context.
Step 5: Review your bot's persona configuration for deceptive signals. A bot named "Alex" is not inherently non-compliant. A bot named "Alex" that claims to be a human customer success manager, uses "I've been with the company for three years" language, or is configured to deny its nature when asked is a compliance problem. Audit the bot's configured responses, persona instructions, and any LLM system prompt to confirm that nothing instructs the system to claim human status or deny AI status.
Step 6: Document your configuration and date-stamp it. If a California user files a complaint, your ability to show you had a compliant disclosure configuration in place at the time of the alleged interaction is your primary defense. Screenshot or export your bot configuration, store it in your compliance documentation, and note the effective date. Do this after every material configuration change.
Sample Disclosure Language
These three variants cover the most common deployment contexts. Copy and adapt them to your product's voice.
Brief variant (recommended for most SaaS support bots):
"Hi! I'm an AI assistant. I can help with account questions, billing, and troubleshooting. Type your question to get started."
This variant satisfies proactive disclosure requirements in all active states and does not require the user to do anything to trigger the disclosure. It is suitable for any customer support or in-app help context.
Detailed variant (recommended for high-stakes interactions involving payments, account changes, or eligibility decisions):
"Hi! I'm an automated AI assistant, not a human support agent. I can help you with [specific use cases]. For anything outside those topics, or if you prefer to speak with a person, type 'human' at any time and I'll connect you."
This variant is appropriate where Colorado SB 26-189's consequential-decision rules may apply, or where your product touches decisions that have significant consequences for users. The explicit "not a human support agent" language is more protective than a general AI disclosure.
EU-friendly variant (for products with EU users, covering EU AI Act Article 50 obligations alongside US state requirements):
"I'm an AI chatbot. This conversation is handled by an automated system, not a human. You can ask to be transferred to a person at any time by typing 'connect me to a human.' Your conversation may be used to improve the service in accordance with our privacy policy."
This variant satisfies both US state proactive disclosure requirements and the EU AI Act Article 50 transparency obligation for AI systems interacting with natural persons. The privacy policy reference is required for GDPR compliance if conversation data is processed.
Before Your Next Chatbot Deployment
If you are shipping a new chatbot feature or upgrading an existing one, the compliance review should happen before the feature goes to production, not after. The checklist above takes two to four hours to complete for a single-platform deployment. The cost of a California class action is orders of magnitude higher.
The three things that create the most risk right now are: chatbots configured with a human persona that are not disclosing AI status proactively, chatbots that route "are you a bot?" questions to a deflection or escalation flow without answering, and teams that assume their chatbot vendor handles compliance.
None of the major platforms handle it for you. The disclosure configuration is always your responsibility. Run through the six steps above, add the disclosure language to your opening message, configure the deny-on-inquiry rule, and document what you did. That covers the minimum viable compliance posture for multi-state operations in 2026.
For the EU AI Act Article 50 chatbot and deepfake disclosure requirements, the obligations are parallel but technically distinct from the US state framework. If your product serves EU users, both frameworks apply and the EU requirements layer on top of the US ones. The EU-friendly disclosure variant above satisfies both.
Georgia SB 540 takes effect July 1, 2027 and applies specifically to AI companion chatbots. If your compliance configuration is solid now, adding Georgia to your covered states before that deadline is a five-minute configuration check, not a rebuild. Build once, cover all states.
For a broader view of the multi-state AI compliance strategy that goes beyond chatbot disclosure to cover data governance, model documentation, and consumer rights, that guide covers the full 2026 regulatory stack for SaaS companies operating across multiple US jurisdictions.
