AIRiskAware

This article is currently available in English only.

United States 8 min read 2026

AI Governance for US Small Businesses: FTC, State Privacy Laws, and What You Need to Do

US small businesses face FTC enforcement on deceptive AI practices, growing state consumer privacy laws, and sector-specific obligations in healthcare, finance, and education.

Key Takeaways

  • The FTC has active enforcement authority over deceptive or unfair AI practices under Section 5 of the FTC Act — small businesses are not exempt.

  • Fourteen states have comprehensive consumer privacy laws in force as of 2026. California's CCPA/CPRA applies to businesses meeting certain thresholds, with automated decision-making rights operative in 2026.

  • Healthcare businesses must comply with HIPAA restrictions on AI tools — most general-purpose AI tools are not HIPAA compliant without a Business Associate Agreement.

  • Financial services businesses face CFPB and OCC scrutiny of AI in credit decisions — 'the algorithm decided' is not a compliant adverse action reason.

  • Real estate (Fair Housing Act) and education (FERPA, COPPA) have specific AI-related obligations.

  • Check whether AI tools you use have Terms of Service that train on your customer data — this is the most common unaddressed risk for US SMEs.

"For informational purposes only. This article does not constitute legal, regulatory, financial, or professional advice. Consult a qualified expert for specific guidance."

Does US AI law apply to small businesses?

At the federal level, there is no single comprehensive US AI law. Federal AI governance relies on agency enforcement under existing laws (FTC Act, Equal Credit Opportunity Act, Fair Housing Act, HIPAA, and others), voluntary guidelines such as the NIST AI Risk Management Framework, and executive orders. The December 2025 Executive Order signed by President Trump signals federal intent to consolidate AI oversight and counter state-level regulation — but it does not preempt existing state laws and no federal AI law is expected to pass in the near term.

At the state level, several significant AI laws came into effect in 2026 that small businesses operating in those states must understand. The practical reality for US small businesses in 2026: AI compliance obligations are predominantly state-driven, sector-driven, and use-case-specific — not size-driven. A small business using AI for hiring, credit decisions, or customer-facing services in Colorado, California, Texas, or Illinois has real legal obligations right now.

The four most significant state AI laws for small businesses

Colorado AI Act (SB 24-205) — effective 1 February 2026 (delayed from earlier). Colorado's law is the most comprehensive state AI regulation in the US, closely modelled on the EU AI Act's risk-based approach. It applies to developers and deployers of "high-risk AI systems" — systems that make or substantially influence consequential decisions in areas including employment, credit, housing, education, healthcare, and access to essential services. Deployers must: conduct annual impact assessments for each high-risk system; implement a risk management policy; notify consumers when a high-risk AI system is used to make a consequential decision about them; provide a means for consumers to appeal and have the decision reviewed by a human; and disclose the types of high-risk AI systems used in their Privacy Notices. Businesses with fewer than 25 employees have reduced obligations but are not fully exempt.

Texas TRAIGA (HB 149) — effective 1 January 2026. Texas took a different and lighter-touch approach. TRAIGA focuses primarily on state agency AI use and prohibits intentional discrimination using AI. For private-sector businesses, TRAIGA's strongest provisions are the prohibitions — AI systems must not be used to intentionally discriminate or to incite self-harm. Unlike Colorado, Texas does not require impact assessments or consumer notices for most private-sector deployers. Disclosure obligations apply specifically to healthcare providers and government agencies, not to most small businesses.

California SB 53 (AI transparency for frontier models) — effective 1 January 2026. California's SB 53 requires developers of frontier AI models (those trained above certain compute thresholds) to publish safety frameworks and conduct annual assessments. This applies to a very small number of large AI companies and generally does not affect small business deployers. California also has the Automated Decision Systems (ADS) Accountability Act (AB 2930) moving through the legislative process, which, if enacted, would impose impact assessment requirements on deployers — worth monitoring.

Illinois AI Video Interview Act and Illinois Human Rights Act (HB 3773, effective 1 January 2026). Illinois prohibits employers from using AI that results in discrimination against applicants or employees on the basis of protected characteristics. The Illinois AI Video Interview Act (in force since 2020) requires employers to obtain consent before using AI to analyse facial expressions or voice patterns in video interviews. For any Illinois employer using AI in hiring — regardless of size — these obligations apply.

Federal enforcement through existing law — what small businesses are already exposed to

Even without a federal AI law, federal agencies are actively enforcing AI-related harms under existing legal frameworks. Small businesses using AI in regulated areas face the following:

FTC enforcement. The Federal Trade Commission has issued guidance that using AI to make false claims, produce deceptive outputs, or engage in unfair practices violates the FTC Act. Businesses that use AI to generate marketing content, customer communications, or product claims must ensure those outputs are accurate and not deceptive.

Equal Credit Opportunity Act and Fair Housing Act. Using AI in credit decisions or housing allocation must comply with existing non-discrimination law. If an AI model produces disparate impact outcomes for protected classes, the business deploying it faces liability regardless of whether the discrimination was intentional. The CFPB has confirmed that ECOA's explanation requirements apply to AI-generated credit decisions — lenders must be able to explain adverse action in a way humans can understand.

HIPAA. Healthcare businesses using AI that processes protected health information (PHI) must ensure AI vendors and tools comply with HIPAA's security and privacy requirements, including appropriate Business Associate Agreements.

What US small businesses should do now

Given the fragmented landscape, small businesses should focus compliance efforts on the areas of highest actual risk rather than attempting to track every state bill. The priority actions are:

Map AI use to potential harms. Where is your business using AI to make or influence decisions about people — hiring, credit, customer service, pricing, content moderation? These are the areas where legal exposure concentrates, regardless of which state you operate in.

Check state applicability. If you operate in Colorado, the AI Act applies to you if you use high-risk AI systems affecting Colorado consumers. Confirm whether your AI tools fall into the high-risk categories under Colorado SB 24-205 and begin impact assessment planning for the February 2026 compliance deadline.

Review hiring tools. Any AI-assisted hiring tool — resume screening, interview scoring, candidate ranking — is in the highest-risk category across multiple state laws. Ensure that vendors can provide bias testing documentation, that humans review AI hiring recommendations before final decisions, and that you can provide explanations to applicants on request in applicable states.

Check vendor agreements. State laws increasingly hold deployers — not just developers — accountable for AI harms. Your contracts with AI vendors should require bias testing documentation, notification of significant incidents, and confirmation of the vendor's own regulatory compliance.

Further reading: NIST AI RMF