Attestly Team · Washington

AI Compliance Requirements in Washington: What Small Businesses Need to Know in 2026

Washington has specific AI legislation affecting businesses. Here's what small business owners need to know to stay compliant.

Understanding Washington's AI Compliance Landscape

If your Washington business uses AI tools—whether that's ChatGPT for customer service, AI-powered scheduling software, or predictive analytics in your CRM—you need to understand Senate Bill 5838. Washington has positioned itself as a leader in AI regulation, and compliance isn't optional for businesses operating in the state.

Washington's AI legislation represents one of the most comprehensive state-level approaches to algorithmic accountability in the United States. Unlike some states that have taken narrow approaches focusing only on specific AI applications, Washington's framework applies broadly to any business deploying automated decision systems that affect consumers. To understand how Washington compares to the national landscape, our complete AI compliance guide for small businesses provides helpful context.

This guide breaks down exactly what Washington small businesses need to know, what they need to do, and how to stay compliant without hiring a legal team.

Who Needs to Comply with Washington's AI Laws

The short answer: if you use AI tools that make or influence decisions about Washington residents, you likely need to comply with SB 5838.

Washington's AI legislation applies to "deployers" of automated decision systems—essentially any business entity that uses AI to make consequential decisions affecting consumers. This includes:

Businesses clearly covered:

  • Companies using AI for hiring decisions or employee management
  • Retailers using AI for pricing, credit decisions, or customer profiling
  • Healthcare providers using diagnostic or treatment recommendation AI
  • Lenders using automated underwriting or risk assessment
  • Marketing agencies using AI for ad targeting
  • Property managers using tenant screening AI

You might think you're not covered, but you probably are if you:

  • Use AI chatbots that determine customer service responses or route inquiries
  • Deploy predictive analytics that influence which customers see which offers
  • Use AI-powered scheduling systems that make decisions about appointment availability
  • Rely on AI recruiting tools to screen resumes or schedule interviews
  • Use dynamic pricing algorithms in your e-commerce platform

The law focuses on "consequential decisions"—those that have legal, material, or similarly significant effects on consumers. This includes decisions about employment, credit, education, healthcare, housing, insurance, and legal services.

Small business threshold: Washington's law doesn't have a specific employee count or revenue threshold exemption. If you're using AI in consequential decision-making, you need to pay attention regardless of your company size. However, the specific requirements scale based on the risk level of your AI deployment.

Core Compliance Requirements Under SB 5838

Washington's AI framework creates several mandatory obligations for businesses deploying automated decision systems. Here's what you actually need to do:

Algorithmic Impact Assessments

Before deploying any high-risk AI system, you must conduct and document an algorithmic impact assessment (AIA). This isn't a casual review—it's a structured evaluation that must include:

  • Purpose documentation: Clearly state what decision the AI system makes and why you're using it
  • Data inventory: Document what data the system uses, where it comes from, and how it's processed
  • Bias and fairness analysis: Test whether the system produces discriminatory outcomes across protected classes
  • Accuracy metrics: Measure and document the system's error rates and performance
  • Human oversight procedures: Explain how humans review or can override AI decisions
  • Risk mitigation measures: Identify potential harms and how you're reducing them

The assessment must be updated annually or whenever you make significant changes to the system.

Transparency and Disclosure Requirements

Washington requires businesses to be upfront with consumers about AI usage:

Consumer notifications: You must inform consumers when an automated decision system is being used to make consequential decisions about them. This notice must be "clear and conspicuous" and provided before the system is used.

Right to explanation: Consumers have the right to receive a meaningful explanation of decisions made by AI systems. This explanation must include:

  • The principal factors used in the decision
  • The data sources considered
  • The logic or methodology behind the decision

You can't just say "our AI decided"—you need to provide substantive information that helps consumers understand the decision.

Data Governance Standards

The law mandates specific data practices:

  • Data minimization: Only collect and use data that's necessary for the AI's stated purpose
  • Purpose limitation: Don't repurpose AI-collected data for unrelated business objectives
  • Quality assurance: Implement processes to ensure data accuracy and completeness
  • Retention limits: Establish and follow data deletion schedules

Human Review and Override Rights

For high-risk decisions, you must maintain meaningful human oversight. This means:

  • A qualified person must be able to review AI-generated decisions
  • Humans must have authority to override automated decisions
  • The human reviewer must have access to the reasoning behind AI recommendations
  • You must document when human overrides occur and why

Common AI Tools and Their Compliance Implications

Let's get practical. Here's how popular business AI tools map to Washington's requirements:

ChatGPT and AI Chatbots

Compliance trigger: If your chatbot makes consequential decisions (routing customer service requests that affect service quality, determining eligibility for services, providing legal or medical advice), you need compliance measures.

What to do:

  • Disclose AI usage in your chat interface
  • Maintain human escalation options
  • Log conversations where consequential decisions occur
  • Document the chatbot's training and decision parameters

AI-Powered CRM Systems (Salesforce Einstein, HubSpot AI, etc.)

Compliance trigger: When AI features score leads, predict customer lifetime value to determine service levels, or automate consequential customer interactions.

What to do:

  • Conduct an AIA for predictive scoring features
  • Document your data sources and model training
  • Ensure sales teams can override AI recommendations
  • Provide transparency about how customer data influences AI decisions

Marketing and Ad Targeting Tools

Compliance trigger: AI that determines who sees offers, pricing, or promotional content—especially if it affects access to housing, credit, employment, or other protected categories.

What to do:

  • Test for discriminatory patterns in ad delivery
  • Document targeting parameters and their business justification
  • Maintain records of how AI affects different demographic groups
  • Provide opt-out mechanisms for automated profiling

Hiring and HR Software (LinkedIn Recruiter, screening tools)

Compliance trigger: Any AI involvement in resume screening, interview scheduling, candidate evaluation, or hiring recommendations.

What to do:

  • Conduct bias testing across protected characteristics
  • Ensure human recruiters make final decisions
  • Notify applicants about AI use in hiring
  • Maintain detailed AIAs for all HR AI tools

Pricing and Inventory Software

Compliance trigger: Dynamic pricing AI, especially if it considers customer characteristics or could result in discriminatory pricing.

What to do:

  • Test pricing algorithms for disparate impact
  • Document pricing methodology and factors
  • Ensure pricing rules comply with fair lending and housing laws
  • Maintain human oversight of pricing changes

Step-by-Step Compliance Checklist for Washington Businesses

Here's your practical roadmap to AI compliance:

Step 1: AI System Inventory (Week 1)

Create a spreadsheet listing every AI tool your business uses:

  • Tool name and vendor
  • What decisions it makes or influences
  • What data it uses
  • Whether decisions affect consumers
  • Risk level (high, medium, low)

Include everything: chatbots, analytics tools, scheduling software, marketing platforms, and HR systems.

Step 2: Risk Assessment (Week 2)

For each AI system, determine if it makes "consequential decisions":

  • Does it affect employment, credit, housing, healthcare, education, legal services, or essential utilities?
  • Does it determine access to products or services?
  • Does it influence pricing or terms offered to consumers?
  • Could a wrong decision materially harm someone?

High-risk systems require full compliance. Lower-risk systems need basic transparency.

Step 3: Conduct Algorithmic Impact Assessments (Weeks 3-6)

For each high-risk system:

Document the basics:

  • Purpose and intended use
  • Data inputs and sources
  • Decision-making methodology
  • Performance metrics

Test for bias:

  • Run the system on test data across protected characteristics
  • Measure outcome disparities
  • Document findings and mitigation steps

Establish oversight:

  • Identify who reviews AI decisions
  • Create override procedures
  • Set up audit trails

Step 4: Implement Transparency Measures (Week 7)

Update consumer-facing materials:

  • Add AI disclosure language to relevant web pages
  • Update privacy policies to describe AI data use
  • Create explanation processes for AI decisions
  • Develop consumer request response procedures

Train your team:

  • Ensure customer-facing staff know when AI is used
  • Teach them how to explain AI decisions
  • Establish escalation procedures for AI-related complaints

Step 5: Document Data Governance (Week 8)

Create written policies for:

  • What data you collect for AI systems
  • How long you retain it
  • When and how you delete it
  • Data quality assurance processes
  • Limitations on secondary use

Implement technical controls:

  • Data access restrictions
  • Automated retention/deletion schedules
  • Data quality monitoring

Step 6: Establish Ongoing Compliance (Ongoing)

Set calendar reminders for:

  • Annual AIA reviews and updates
  • Quarterly bias testing
  • Regular accuracy audits
  • Policy and procedure updates

Assign ownership:

  • Designate someone responsible for AI compliance
  • Create reporting structure for AI-related issues
  • Establish vendor management for third-party AI tools

Penalties and Enforcement

Washington's AI legislation gives the Attorney General's office enforcement authority, and the potential penalties are significant enough to hurt.

Civil Penalties

Violations of SB 5838 can result in civil penalties up to $7,500 per violation. Here's what makes this serious: each affected consumer can constitute a separate violation. If your AI system improperly processes decisions for 100 customers, you're potentially looking at $750,000 in penalties.

What Triggers Enforcement

The Attorney General can investigate and bring action based on:

  • Consumer complaints
  • Algorithmic audits revealing bias or discrimination
  • Failure to conduct required impact assessments
  • Inadequate transparency or failure to provide explanations
  • Data governance violations

Private Right of Action

While SB 5838 primarily empowers the Attorney General, consumers harmed by AI system violations may have claims under existing Washington consumer protection laws, discrimination statutes, or industry-specific regulations.

Reputational Risk

Beyond legal penalties, consider the business impact of AI-related incidents:

  • Media coverage of algorithmic bias
  • Customer loss of trust
  • Difficulty recruiting if HR AI is discriminatory
  • Vendor relationship damage

The cost of non-compliance extends well beyond fines.

How Washington Compares to Other States

Washington's AI legislation is comprehensive, but it's not alone. Understanding the landscape helps if you operate in multiple states.

Most Similar: Colorado

Colorado's AI Act (SB 24-205) shares Washington's focus on algorithmic impact assessments and consumer rights. If you're compliant with Washington's requirements, you're well-positioned for Colorado compliance. Both states require:

  • Impact assessments for high-risk AI
  • Transparency about AI use
  • Consumer explanation rights
  • Anti-discrimination testing

California's Approach

California doesn't have a single comprehensive AI law like Washington, but has sector-specific regulations:

  • CPRA includes automated decision-making provisions
  • AB 331 regulates AI in employment
  • Various bills targeting specific AI applications

Washington's framework is broader than California's patchwork approach.

Texas and Utah

Both states have passed AI legislation, but with a lighter touch:

  • Less prescriptive than Washington
  • Fewer mandatory assessments
  • More focused on transparency than testing

New York City

NYC has the strictest local AI regulation for employment (Local Law 144). If you use hiring AI for NYC positions, you need compliance beyond Washington's requirements, including:

  • Third-party bias audits
  • Publication of audit results
  • Specific notice requirements

The Patchwork Problem

There's no federal AI law yet, creating compliance challenges for multi-state businesses. Washington's framework represents the higher end of regulatory stringency—if you comply with Washington and Colorado standards, you'll largely satisfy other states' requirements, including neighboring Oregon's OCPA-based approach.

What Washington Small Businesses Should Do Right Now

You don't need to panic, but you do need to act. Here's your prioritized action plan:

Immediate Actions (This Week)

Inventory your AI tools. Spend two hours listing every AI system you use. Include:

  • ChatGPT or other LLMs
  • Your CRM's AI features
  • Marketing automation AI
  • Any HR or recruiting tools
  • Customer service automation
  • Pricing or inventory software with AI

Identify high-risk systems. Mark which tools make consequential decisions about consumers—anything involving employment, credit, housing, healthcare, or material service access.

Update your privacy policy. Add a section describing your use of automated decision-making systems. This gives you baseline transparency while you build full compliance.

This Month

Conduct basic impact assessments. For your highest-risk AI systems, document:

  • What the system does
  • What data it uses
  • How decisions are made
  • What oversight exists
  • Known limitations or risks

You can refine these later, but getting something documented now creates defensibility.

Implement consumer notifications. Add clear disclosure where AI is used for consequential decisions. Simple language works: "We use automated tools to help make decisions about [X]. You have the right to request an explanation of any automated decision."

Establish human review processes. Ensure that for high-stakes AI decisions, a person reviews and can override the automated recommendation.

Next 90 Days

Complete formal AIAs for all high-risk systems using the requirements outlined earlier in this guide.

Test for bias. Run your AI systems through testing scenarios to identify potential discriminatory outcomes. Document results and mitigation steps.

Develop data governance policies. Create written procedures for data collection, use, retention, and deletion specific to your AI systems.

Train your team. Ensure everyone who works with AI tools understands their compliance obligations.

Vendor management. If you use third-party AI tools, review contracts and get documentation of their compliance measures. You're still responsible even when using vendor tools.

Ongoing

Set quarterly review dates to check for:

  • New AI tools added to your business
  • Updates to existing AI systems
  • Changes in how you're using AI
  • New Washington AI guidance or enforcement actions

Stay informed. AI regulation is evolving rapidly. Subscribe to updates from the Washington Attorney General's office and industry associations relevant to your sector.

Document everything. Maintain records of your compliance efforts, assessments, testing, and decision-making. If you ever face an investigation, documentation is your best defense.

Getting Help with Washington AI Compliance

AI compliance doesn't have to be overwhelming, even for small businesses without legal departments. The key is having the right documentation and processes in place.

Attestly helps Washington businesses generate customized AI compliance documents in minutes—including algorithmic impact assessments, transparency notices, data governance policies, and consumer explanation procedures tailored to your specific AI tools and use cases. Instead of spending weeks creating compliance documentation from scratch or thousands on legal fees, you can get compliant quickly with documents specifically designed for Washington's requirements.

Whether you're just starting your compliance journey or refining existing processes, having proper documentation is essential. Washington's AI regulations are here to stay, and businesses that take compliance seriously now will avoid penalties while building consumer trust in their AI-powered services.

Frequently Asked Questions

Does Washington have specific AI laws for small businesses?

Yes. Washington's Senate Bill 5838 is one of the most comprehensive state-level AI frameworks in the country. It applies to any business deploying automated decision systems that make consequential decisions affecting Washington residents, regardless of company size. This includes decisions about employment, credit, housing, healthcare, education, insurance, and legal services.

What is an algorithmic impact assessment and do I need one?

An algorithmic impact assessment (AIA) is a structured evaluation of your high-risk AI systems that documents purpose, data inputs, bias and fairness analysis, accuracy metrics, human oversight procedures, and risk mitigation measures. Washington requires an AIA before deploying any high-risk AI system, with annual updates or updates whenever significant changes are made.

What penalties can Washington businesses face for AI non-compliance?

Violations of SB 5838 can result in civil penalties up to $7,500 per violation, and each affected consumer can constitute a separate violation. For example, improperly processing decisions for 100 customers could result in up to $750,000 in penalties. The Attorney General has enforcement authority, and consumers may also have claims under existing consumer protection laws.

Do consumers have the right to an explanation of AI decisions in Washington?

Yes. Washington law gives consumers the right to receive a meaningful explanation of decisions made by automated systems, including the principal factors used, the data sources considered, and the logic or methodology behind the decision. Businesses cannot simply say 'our AI decided'—they must provide substantive information.
