This page covers U.S. law as of June 2026. This is not legal advice.
Penalties range from FTC civil fines of up to $51,744 per violation to Illinois BIPA private lawsuits carrying statutory damages of $1,000–$5,000 per violation. Colorado's AI Act allows the state attorney general to seek civil penalties. NYC Local Law 144 violations carry fines up to $500 per day. The most significant financial exposure for small businesses is Illinois BIPA, which has produced class action settlements in the hundreds of millions of dollars.
FTC Civil Penalties
The FTC can seek civil penalties of up to $51,744 per violation (as of 2024, adjusted periodically for inflation) for violations of specific FTC trade regulation rules (such as the Impersonation Rule, 16 C.F.R. Part 461, and the Endorsement Guides rule) and for violations of prior FTC consent orders. Initial Section 5 violations that are not subject to a specific rule typically result in injunctive relief and consumer redress orders, not civil penalties directly — civil penalties attach at the violation-of-order stage. For rule-covered conduct (fake reviews, AI impersonation), penalties of up to $51,744 per violation per day apply. The FTC may also seek consumer redress, disgorgement of profits, and injunctive relief.
Illinois BIPA — Private Right of Action
Illinois BIPA (740 ILCS 14) creates a private right of action — individual plaintiffs and class action lawsuits can be filed without government involvement. Statutory damages:
- $1,000 per violation for negligent violations
- $5,000 per violation for intentional or reckless violations
- Attorney's fees and litigation costs for prevailing plaintiffs
BIPA class actions have produced settlements ranging from tens of millions to over $650 million (Facebook's facial recognition settlement). A business with 50 employees whose AI HR tool collected biometric data without consent could face $50,000–$250,000 in statutory exposure, which corresponds to one violation per employee at the $1,000 and $5,000 rates.
Colorado AI Act Enforcement
Colorado SB 24-205 designates the Colorado Attorney General as the sole enforcement authority. The AG may bring civil actions seeking injunctive relief, civil penalties, and corrective action orders. The Colorado AI Act does not create a private right of action — consumers cannot sue directly under SB 24-205. Colo. Rev. Stat. § 6-1-1701 et seq.
NYC Local Law 144
Violations of NYC Local Law 144 (automated employment decision tools) are subject to civil penalties administered through the NYC Commission on Human Rights: up to $500 per day for each day of non-compliance, with separate penalties for each failure to provide required candidate notices. N.Y.C. Admin. Code § 20-870 et seq.
Risk Prioritization for Small Businesses
- Highest risk: Any collection of biometric data via AI in Illinois without BIPA compliance — class action exposure
- High risk: AI video interview analysis in Illinois without AIUA notice and consent
- Meaningful risk: Automated hiring tools used for NYC positions without Local Law 144 compliance
- Ongoing risk: AI chatbots designed to appear human — FTC enforcement potential in any state
- Forward-looking risk: Colorado AI Act obligations for businesses using AI in consequential decisions affecting Colorado consumers