Do I Need an AI Disclosure Policy? A Practical Guide for Business Owners

The Short Answer

If your business uses any AI tools — ChatGPT, AI-powered customer service, automated recommendations, AI-enhanced analytics, or similar technologies — and you serve customers in the United States, you almost certainly need some form of AI disclosure policy.

The longer answer depends on which states your customers are in, what industry you operate in, and how you use AI. But the trend is unmistakable: AI disclosure is quickly becoming a baseline business requirement, not a nice-to-have. If you are unsure what an AI disclosure policy actually is, start there first.

Why AI Disclosure Policies Exist

AI disclosure laws exist because consumers have a right to know when artificial intelligence is being used in ways that affect them. This is not a theoretical concern. AI systems can and do produce biased outcomes, make errors, and influence decisions in ways that are not transparent to the people affected.

When a loan application is evaluated by an AI model, the applicant deserves to know. When a customer service interaction is handled by a chatbot, the customer deserves to know. When employee performance is assessed using AI-powered tools, the employee deserves to know.

AI disclosure policies serve three purposes:

1. Transparency: They tell people that AI is being used and explain how
2. Accountability: They create a paper trail that demonstrates your business takes AI governance seriously
3. Compliance: They satisfy the legal requirements that an increasing number of states are imposing

Which States Require AI Disclosure?

As of early 2026, several states have enacted AI-specific legislation that includes disclosure requirements. Here is a summary of the major ones:

Colorado

Colorado's AI Act (SB 24-205) is the most comprehensive state-level AI regulation in the US. It requires deployers of high-risk AI systems to notify consumers, conduct impact assessments, and implement risk management programs. It takes effect June 30, 2026. For a full breakdown of deadlines, read our Colorado AI Act deadline guide.

California

California has taken a multi-pronged approach with several bills addressing AI transparency. SB-942 requires generative AI systems to include disclosures about AI-generated content. The state's existing consumer protection framework also applies to AI-powered business practices.

Illinois

The Illinois AI Video Interview Act already requires employers to notify job candidates when AI is used to analyze video interviews. The state's Artificial Intelligence Accountability Act broadens disclosure requirements for high-risk AI systems used in employment and consumer-facing contexts.

Texas

Texas HB 1709 establishes requirements for businesses using AI systems in certain decision-making contexts. The law focuses on transparency and documentation requirements for automated systems that affect consumers.

Utah

The Utah AI Policy Act (UAIPA) requires businesses to disclose when consumers are interacting with generative AI in certain contexts. It also establishes a regulatory sandbox for AI innovation.

New York

New York City's Local Law 144 requires employers to audit automated employment decision tools for bias and to notify candidates when such tools are used. The state legislature is considering broader AI regulation.

Connecticut and Virginia

Both states have enacted consumer data privacy laws that include provisions relevant to AI and automated decision-making. These laws give consumers rights to opt out of automated profiling and require businesses to disclose when automated processing occurs.

When You Definitely Need an AI Disclosure Policy

There are certain situations where the need for an AI disclosure policy is clear-cut:

You Make Decisions About People Using AI

If you use AI to help with hiring, loan approvals, insurance pricing, tenant screening, or any other decision that materially affects an individual, you need disclosure. This is the strongest category of obligation across all state laws.

You Serve Customers in Regulated States

If any of your customers are in Colorado, California, Illinois, Texas, Utah, New York, Connecticut, or Virginia, you should have an AI disclosure policy. You do not need to be physically located in these states — you just need to have customers there.

You Use AI in Client-Facing Services

If you are a professional services firm (consulting, marketing, accounting, legal, etc.) and you use AI tools in delivering work to clients, your clients increasingly expect — and in some cases legally require — disclosure about your AI usage. We have a dedicated guide on how to write a client AI disclosure letter with templates for different industries.

You Use AI-Powered Customer Interactions

Chatbots, AI-generated emails, automated recommendations, and similar tools that interact directly with your customers trigger disclosure requirements in multiple states.

When the Answer Is Less Clear

There are gray areas where the requirement is not absolute but where having a policy is still smart:

Internal-Only AI Use

If you use AI solely for internal purposes — writing internal memos, analyzing internal data, generating code — the disclosure requirements are lighter. However, having an internal AI use policy is still a best practice, and some states' laws extend to internal uses that affect employees. See our employee AI policy template for a practical starting point.

Minimal AI Usage

If you use a single AI tool occasionally, you might question whether a formal policy is worth the effort. It is. A basic disclosure policy takes very little time to create, and it protects you from claims that you were not transparent about your practices.

B2B Companies

If your customers are other businesses rather than individual consumers, some consumer protection-oriented AI laws may not apply directly. However, many B2B contracts now include provisions requiring disclosure of AI use, and enterprise clients increasingly require vendors to have AI governance documentation.

What a Good AI Disclosure Policy Covers

An effective AI disclosure policy should include the following elements:

Scope of AI use — A clear description of which AI tools and systems your business uses. You do not need to reveal proprietary details, but you should identify the general categories of AI in use (e.g., natural language processing for customer support, machine learning for product recommendations).

Purpose and functionality — An explanation of why you use AI and what function it serves. Consumers and clients should understand what the AI does in the context of your business.

Data handling — A description of what data the AI systems process, how that data is stored, and what protections are in place. This is especially important if the AI processes personal information.

Human oversight — A statement about the role of human review in AI-assisted decisions. Consumers want to know that a human being is involved, especially for consequential decisions.

Consumer rights — Information about how consumers can ask questions, request human review of an AI-assisted decision, or opt out of AI-processed interactions where applicable.

Contact information — A straightforward way for consumers to reach someone at your business with questions about AI use.

The Cost of Not Having a Policy

The risks of operating without an AI disclosure policy are growing:

Legal penalties — States like Colorado can impose fines of up to $20,000 per violation. If you have many customers in regulated states, the exposure adds up quickly.

Contract risk — Enterprise clients and partners are increasingly requiring AI governance documentation from vendors. Not having a policy could cost you business opportunities.

Reputation risk — Consumers are becoming more aware of AI use. A news story or social media post about undisclosed AI use can damage your brand far more than the cost of creating a policy.

Regulatory trend — More states are passing AI legislation every year. If you create a policy now, you are ahead of the curve. If you wait, you will be scrambling to catch up under pressure.

How to Get Started

Creating an AI disclosure policy does not require a lawyer, although legal review is always a good idea for any compliance document. Here is a practical path:

1. Inventory your AI tools: Make a list of every AI-powered tool your business uses. Include obvious ones like ChatGPT and less obvious ones like AI features built into your CRM, email marketing platform, or analytics tools.

2. Map your data flows: For each AI tool, document what data goes in, what the tool does with it, and what comes out. This is the foundation of your disclosure.

3. Identify your states: Determine which states your customers are in. This tells you which laws apply and what specific requirements you need to address.

4. Generate your documents: Use a tool like Attestly to generate customized disclosure documents based on your specific business situation. This is faster and more accurate than starting from scratch or using a generic template.

5. Publish and communicate: Post your AI disclosure policy where customers can find it (your website is the obvious place). If you have specific notification requirements (like for employees or job candidates), make sure those are handled separately.

6. Review annually: AI laws are changing rapidly. Set a reminder to review your policy at least once a year, or whenever you adopt new AI tools or enter new markets.

Frequently Asked Questions

Attestly Makes This Simple

Attestly's questionnaire takes about 90 seconds and generates customized AI compliance documents based on your business type, the states where you operate, and the AI tools you use. The AI Disclosure Policy and Client AI Notice are free. You can get started without creating an account.