The regulatory mood around AI chatbots flipped fast. A run of high-profile harms, a landmark wrongful-death lawsuit against a companion-chat product, and a general appetite to "do something about AI" turned a patchwork of proposals into enforceable law on two continents. If you operate a chatbot (companion, support, character, or anything that talks back) the relevant question is no longer whether rules apply, but which ones and when they bite.
This guide is the orientation we wish we'd had: the shape of the landscape, the handful of obligations that recur everywhere, and where the real teeth are. It is not legal advice, and the details below move quickly, so treat it as a map, not a contract.
The three things regulators actually care about
Strip away the jurisdiction-specific wording and almost every chatbot rule reduces to one of three concerns:
- Transparency. Users must know they are talking to a machine, not a person. No covert bots, no AI pretending to be a human agent.
- Safety. Systems that can influence vulnerable users (especially minors, and especially around self-harm) must have guardrails, escalation paths, and crisis resources.
- Age. Adult or high-risk experiences must keep minors out using methods that actually work, not a checkbox that says "I am 18."
Get those three right as product principles and you are most of the way to compliance in most places. The laws below are largely different encodings of the same three ideas.
The EU AI Act: transparency as a legal duty
The EU's AI Act is the most structured of the lot. For chatbots, the key provision is its transparency obligation: when people interact with an AI system, they have to be informed that they are dealing with AI unless it is obvious from the context. Generated or manipulated media (synthetic images, audio, video) carries its own labelling duty so that it is detectable as artificial.
The Act works in phases. Prohibited-practice rules and AI-literacy duties landed first, obligations for general-purpose models followed, and the broader transparency and high-risk provisions phase in through 2026 and beyond. The practical takeaway for a chat product: assume you will need a clear, persistent "this is an AI" signal and a way to mark any synthetic media you produce. Both are cheap to build now and awkward to retrofit under deadline.
The cheapest compliance is the disclosure you designed in from the first screen, not the banner you bolted on the week before enforcement.
The US: a patchwork, not a statute
There is no single federal AI-chatbot law. Instead, US obligations come from a growing stack of state laws, each with its own trigger and scope. A few patterns dominate:
- Bot-disclosure laws. California's long-standing bot-disclosure rule makes it unlawful to use a bot to mislead people about its artificial identity in commercial or electoral contexts. Other states have echoed the idea.
- Companion-chatbot safety laws. A newer wave targets "companion" or "relationship" chatbots specifically, requiring things like self-harm protocols, periodic reminders that the bot is not human, and protections for minors.
- Age-verification laws. Many states now mandate real age assurance for sites with a high proportion of adult material. These predate the AI boom but apply squarely to adult AI products.
Because the triggers differ (some target electoral use, some commercial transactions, some "companion" framing, some adult content) the same product can be in scope of several at once. Operating nationally means complying with the strictest applicable rule, not the average one.
Companion chatbots get their own category
The most significant shift of the last year is that "companion" chatbots are now treated as a distinct, higher-risk class. The logic is straightforward: a bot designed to form an emotional bond has more influence over a user than a bot that answers shipping questions, and that influence is dangerous when the user is a minor or in crisis. Expect obligations along these lines:
- Clear, repeated disclosure that the companion is AI, not a person.
- Detection and response protocols for self-harm or suicidal content, including surfacing crisis resources.
- Stronger defaults and restrictions for accounts that may belong to minors.
- Some transparency to users (and sometimes regulators) about how the system is designed to engage.
If your product is explicitly a companion or relationship experience, assume you are in the high-scrutiny lane and build accordingly, regardless of which single state moves first.
You are the operator, and liability flows to you
A recurring misconception is that the model provider carries the legal risk. In nearly every framework, the duties attach to whoever operates the service the user interacts with. You chose to deploy a chatbot to the public; you set its persona, its limits, and its audience. That makes you responsible for disclosure, for moderation of what it outputs, and for keeping minors out of adult experiences.
This is why the moderation and age questions are not someone else's problem. The publisher of the conversation, and of any image or video the system returns, is you.
A jurisdiction cheat-sheet
Simplified, current as of mid-2026, and deliberately high-level. Always check the live text for your situation.
| Theme | Where it bites hardest | What it asks of you |
|---|---|---|
| AI disclosure | EU (AI Act), California | Tell users they're talking to AI; label synthetic media |
| Companion safety | US states (new wave) | Self-harm protocols, "not human" reminders, minor protections |
| Age assurance | UK, many US states, EU (via DSA) | Verify age before adult access, not a self-declared checkbox |
| Synthetic media | EU, several US states | Mark deepfakes / AI media; extra rules for likeness + intimate imagery |
| Operator liability | Effectively everywhere | You own moderation + disclosure for what your service outputs |
What this means for builders, concretely
You do not need a legal team to make meaningful progress. A handful of product decisions cover most of the exposure:
- Make the AI identity unmistakable. Say it on the interface, say it in onboarding, and for companion experiences, repeat it periodically. Never let the bot claim to be human.
- Gate adult and high-risk features behind real age assurance. A checkbox is not a defence. We go deeper in the age-verification piece.
- Moderate output, not just input. A clean prompt can still produce content you cannot defend. You are the publisher.
- Build self-harm and crisis handling early. Detection, a safe response, and crisis resources. This is increasingly a legal requirement for companion products, not a nice-to-have.
- Label synthetic media. If you generate images or video, plan for provenance signalling now.
- Keep records. Log moderation decisions and disclosures so that when a dispute lands, you can show what the user saw and what the system did.
Frequently asked
Is there a single law I can just comply with?
No. The EU AI Act is the closest to a unified framework, but in the US you face a patchwork of state laws with different triggers. Operating broadly means meeting the strictest rule that applies to you, not picking one.
Does this apply to a simple support bot?
The disclosure duty does: even a support bot generally has to avoid pretending to be a human agent. The heavier companion-safety and age rules mostly target relationship or adult experiences. Match your effort to your risk class.
Whose responsibility is moderation, mine or the model's?
Yours. The duties attach to the operator of the user-facing service. You decide what your product does and who can use it, so the disclosure, moderation, and age obligations land on you.
Build on infrastructure that takes compliance seriously
Generation with moderation built in, not bolted on. 25 free credits, no card.
Start Generating →This article is general information, not legal advice. AI and chatbot laws vary by jurisdiction and change quickly; confirm the current requirements for your product with qualified counsel before relying on anything here.