United States 8 min read 2026

AI Governance for US Small Businesses: FTC, State Privacy Laws, and What You Need to Do

US small businesses face FTC enforcement on deceptive AI practices, growing state consumer privacy laws, and sector-specific obligations in healthcare, finance, and education.

AIRiskAware

Specialist AI Risk Governance & Compliance

AI Governance for US Small Businesses: FTC, State Privacy Laws, and What You Need to Do

Key Takeaways

The FTC has active enforcement authority over deceptive or unfair AI practices under Section 5 of the FTC Act — small businesses are not exempt.
Fourteen states have comprehensive consumer privacy laws in force as of 2026. California's CCPA/CPRA applies to businesses meeting certain thresholds with automated decision-making rights operative in 2026.
Healthcare businesses must comply with HIPAA restrictions on AI tools — most general-purpose AI tools are not HIPAA compliant without a Business Associate Agreement.
Financial services businesses face CFPB and OCC scrutiny of AI in credit decisions — 'the algorithm decided' is not a compliant adverse action reason.
Real estate (Fair Housing Act) and education (FERPA, COPPA) have specific AI-related obligations.
Check whether AI tools you use have Terms of Service that train on your customer data — this is the most common unaddressed risk for US SMEs.

Important: This content is AI-assisted and under ongoing accuracy review

Articles on AIRiskAware are drafted with AI assistance to summarise complex regulatory landscapes. Specific facts (dates, fine amounts, statute references, case citations) may contain errors. Do not rely on this content for legal, regulatory, financial, or professional decisions. Always verify directly against primary sources (regulator websites, official legislation) or consult a qualified specialist.

Spotted an error? Please report it — we review and correct promptly.

FTC: the baseline AI enforcement authority

The FTC's Section 5 authority covers businesses that use AI in ways that are unfair or deceptive — false claims about AI capabilities, AI used to discriminate against protected groups in consumer contexts, chatbots that deny being AI when asked, and training AI on customer data not disclosed in privacy policies. The FTC's 2024 AI policy statement confirms this authority applies fully to AI, and small businesses are not exempt.

Sector-specific obligations

Healthcare: HIPAA prohibits disclosing PHI to AI tools without a Business Associate Agreement — most general-purpose AI tools do not offer BAAs. Financial services: ECOA adverse action notices must state specific reasons when AI denies credit. Real estate: Fair Housing Act prohibits algorithmic discrimination. Education: FERPA restricts use of student records; COPPA requires parental consent for under-13s.

Stay ahead of AI governance

Regulatory updates, practical frameworks, and new articles — free, monthly. No spam.

No spam. Unsubscribe anytime. We'll never share your email.

Work with AIRiskAware

Specialist AI risk governance and compliance advisory for enterprise organisations and businesses of all sizes.

Get in Touch

Found this useful? Share it.

Share on LinkedIn

All insights

United States 10 min read

AI in Hiring and Employment: A Compliance Guide for US Employers

United States 10 min read

AI in US Insurance: NAIC Model Bulletin, State Regulators, and the Governance Framework for Insurers

United States 10 min read

The US AI Executive Order and What It Means for Enterprise AI Governance in 2026

More from AIRiskAware

Practical AI governance guidance for organisations at every stage.

All Insights Free Assessment

Key Takeaways

FTC: the baseline AI enforcement authority

Sector-specific obligations

Stay ahead of AI governance

Related articles

AI in Hiring and Employment: A Compliance Guide for US Employers

AI in US Insurance: NAIC Model Bulletin, State Regulators, and the Governance Framework for Insurers

The US AI Executive Order and What It Means for Enterprise AI Governance in 2026

More from AIRiskAware