AI Governance for US Small Businesses: FTC, State Privacy Laws, and What You Need to Do
US small businesses face FTC enforcement on deceptive AI practices, growing state consumer privacy laws, and sector-specific obligations in healthcare, finance, and education.
Key Takeaways
The FTC has active enforcement authority over deceptive or unfair AI practices under Section 5 of the FTC Act — small businesses are not exempt.
Fourteen states have comprehensive consumer privacy laws in force as of 2026. California's CCPA/CPRA applies to businesses meeting certain thresholds, with automated decision-making rights operative in 2026.
Healthcare businesses must comply with HIPAA restrictions on AI tools — most general-purpose AI tools are not HIPAA compliant without a Business Associate Agreement.
Financial services businesses face CFPB and OCC scrutiny of AI in credit decisions — 'the algorithm decided' is not a compliant adverse action reason.
Real estate (Fair Housing Act) and education (FERPA, COPPA) have specific AI-related obligations.
Check whether AI tools you use have Terms of Service that train on your customer data — this is the most common unaddressed risk for US SMEs.
"For informational purposes only. This article does not constitute legal, regulatory, financial, or professional advice. Consult a qualified specialist for specific guidance."
FTC: the baseline AI enforcement authority
The FTC's Section 5 authority covers businesses that use AI in ways that are unfair or deceptive — false claims about AI capabilities, AI used to discriminate against protected groups in consumer contexts, chatbots that deny being AI when asked, and training AI on customer data not disclosed in privacy policies. The FTC's 2024 AI policy statement confirms this authority applies fully to AI, and small businesses are not exempt.
Sector-specific obligations
Healthcare: HIPAA prohibits disclosing PHI to AI tools without a Business Associate Agreement — most general-purpose AI tools do not offer BAAs.
Financial services: ECOA adverse action notices must state specific reasons when AI denies credit.
Real estate: Fair Housing Act prohibits algorithmic discrimination.
Education: FERPA restricts use of student records; COPPA requires parental consent for under-13s.