Your company probably already uses AI-powered chatbots to handle customer service inquiries, screen job applicants, answer employee HR questions, and manage internal workflows. However, legal risks are rapidly increasing, especially if policies and oversight have not kept pace with current usage. A patchwork of state laws is expanding across the country, as regulators write new rules and plaintiffs’ lawyers test new theories. Here are the most common mistakes companies make when implementing AI chatbots, and 10 ways to fix them today.
Mistake #1: Using “It’s just a chatbot” as a legal defense
Many companies use chatbots on the assumption that these tools are too routine to attract close scrutiny. That assumption is no longer safe.
Washington state became the first state to sign a companion chatbot bill this year, with HB 2225 going into effect on January 1, 2027. California’s SB 243 and Maine’s chatbot disclosure law are already enforceable. Lawmakers in Idaho and Georgia passed chatbot bills just a few weeks ago. And bills in Arizona, Hawaii, Colorado, Michigan, Oklahoma, Maryland and other states are moving quickly through committees and floor votes.
Mistake #2: Not disclosing that the user is talking to a bot
Disclosure is the single most universal requirement across all state chatbot laws enacted or currently pending. Most laws and bills require companies to make clear to users that they are interacting with an AI and not a human. For example, Washington state law requires disclosure at the beginning of every interaction, with reminders every three hours for adult users and every hour for minors. California’s rules track closely. Other states have similar timing requirements, but they are not identical.
However, many companies still do not do this. The gap is especially common with in-house HR chatbots, where companies assume there is no need to tell employees that they are talking to a machine.
Mistake #3: Overlooking digital eavesdropping responsibilities
Plaintiffs’ lawyers claim chatbot vendors are recording users’ conversations without proper consent, sparking a wave of privacy lawsuits under state wiretap laws. A federal court in Florida has ruled that user input captured by a chatbot on a healthcare provider’s website can qualify as substantive communication, not just technical data, allowing a class action lawsuit based on this very theory to proceed in 2025.
Florida lawsuits related to website chatbots and tracking tools increased from five in 2021 to 28 in 2024, with hundreds filed in 2025 alone. Similar risks exist in California and other all-party consent states. In class actions involving thousands of website visitors, the statutory damages attached to such claims can add up quickly.
Mistake #4: Ignoring data privacy and sensitive input risks
Whether a company intends it or not, chatbots are data collection tools. Every conversation generates input such as personal information, health data, and financial details. For internal chatbots, this can include trade secrets, client strategy, and privileged communications.
- Externally: This means data privacy laws such as CCPA, HIPAA (for covered entities), and the growing number of state AI data regulations come into play.
- Internally: The risk is employee behavior. Employees using AI assistants may enter information that cannot leave the organization, including customer data, litigation strategies, unpublished financial results, and proprietary product information.
- Additional risks: AI chat history can serve as evidence in a lawsuit. Two recent federal cases reached nearly opposite conclusions on whether employee interactions with AI tools are protected by attorney-client privilege or the work product doctrine, so legal protection for these conversations is an open, jurisdiction-dependent question. Those logs become discoverable when employees use chatbots to research legal issues, draft correspondence with claimants, or discuss HR matters. Remember, too, that AI chatbot tools keep robust audit trails that closely track conversations, which can prove costly in discovery.
Mistake #5: Mixing chatbots into hiring decisions
Employers are increasingly incorporating chatbots into HR operations to screen resumes, answer questions about benefits eligibility, route accommodation requests, schedule interviews, and more. However, companies often deploy them without fully considering whether they are influencing hiring decisions. When they are, new legal exposure follows.
Title VII of the Civil Rights Act, the Americans with Disabilities Act, and the Age Discrimination in Employment Act all apply to automated tools that influence employment outcomes, just as they apply to human decision makers. Chatbots that consistently exclude certain candidates from consideration (or give inconsistent information about benefit eligibility based on factors correlated with protected characteristics) can create disparate impact liability.
On top of federal law, state and local requirements are arriving. New York City Local Law 144 requires employers who use automated hiring decision tools to hire or promote candidates to conduct an annual independent bias audit and make the results publicly available. Other states, including Colorado, Illinois, and California, already regulate or will soon regulate this area.
Mistake #6: Ignoring the “companion creep” problem
Washington, California, and other states have enacted laws that draw a legal line between chatbots for business use (which are narrowly targeted, transactional, and exempt from the most stringent requirements) and companion chatbots (broadly defined as AI systems that can meet the social needs of users through adaptive, human-like conversations).
What many companies don’t realize is that this line can move over time. Customer service bots trained on increasingly extensive conversational data, and in-house HR bots that employees begin to use for emotional support and personal guidance, can drift toward companion territory without any deliberate decision by the company. A bot that qualified for the business use exemption on launch day may no longer qualify six months later.
Mistake #7: No human escalation protocol
What happens when a user’s chatbot conversation turns serious? A customer files a harassment complaint through your service portal. An employee asks the internal HR bot about mental health resources. A job seeker expresses distress during an AI-assisted screening interaction.
Many companies have no clear answers to these questions and no procedure for when and how to hand the conversation over to a human. This gap has both legal and human consequences.
A new law in Washington state requires companion chatbots to redirect users who raise topics such as suicide or self-harm to a mental health professional, and California law has a similar requirement. But even for chatbots that fall under the business use exemption and are not subject to these laws, mishandled escalations pose real and significant reputational risks. Plaintiffs’ lawyers will likely view HR chatbots without escalation protocols as a lawsuit waiting to happen.
Mistake #8: Blind vendor dependency
Businesses routinely assume compliance is the vendor’s problem. After all, the vendor builds the bot and runs the infrastructure, so if something goes wrong, the vendor is responsible…right? Wrong. That assumption is often incorrect and can be costly.
Every chatbot law enacted to date holds the deploying company legally responsible for its chatbot’s behavior, regardless of who developed it. Additionally, some vendor contracts include broad disclaimers that shift liability onto the company using the AI.
This is also where the eavesdropping risk from Mistake #3 surfaces in vendor contracts. If a chatbot vendor’s tools record user conversations and those recordings violate state wiretap laws, your company could be exposed. Whether you have contractual protection against that exposure depends entirely on what the contract actually says.
Mistake #9: No employee policy or training
Many companies invest in chatbot technology but provide nothing to help employees use it properly. The results are predictable: employees use the tools in ways policy prohibits, rely too heavily on outputs that deserve skepticism, or simply don’t know the rules at all.
There are two distinct failure modes here.
- The first is when employees enter sensitive data, privileged communications, or trade secrets into third-party tools without understanding the consequences (see Mistake #4).
- The second is when employees treat AI-generated answers as final without validating them, and the company is held accountable when those answers are wrong.
Both failure modes are avoidable, but only if companies commit to real training.
Mistake #10: Treating adoption as a finish line
After a company deploys a chatbot, the implementation team often moves on to the next task. No one does continuous monitoring, so the bot runs on autopilot until something goes wrong. But chatbots are not static, and launch does not end the process.
Conversation patterns change. Training data evolves. Vendors update their technology stacks. New state laws take effect. Your compliance posture on the day your chatbot launches may look nothing like your compliance posture a year later. If no one is monitoring, you won’t know until you hear from regulators or plaintiffs’ lawyers.
