State AI Laws and Marketing Compliance: What Colorado, California, and New York Mean for Consumer Protection
Artificial intelligence is now woven into how financial services companies market to consumers. It generates and personalizes content, powers chatbots that answer product questions, and helps decide which consumers see which offers. As that adoption has accelerated, states have started passing AI laws that govern how the technology can be used. For marketing and compliance teams, though, the real headline is not about the technology. It is about consumer protection.
Colorado, California, and New York have each taken a different approach, and the rules do not line up. A company that markets across state lines has to account for all of them at once, which usually means the strictest applicable standard sets the bar. Underneath that patchwork sits a principle that has not changed: the consumer protection laws financial marketers already follow apply to AI-generated and AI-targeted marketing, with no exception.
Here is what the major state AI laws require, how they connect to consumer protection and marketing compliance, and what financial services teams should be doing about it.
What State AI Laws Mean for Marketing Compliance
State AI laws are rules enacted at the state level that add transparency, disclosure, and accountability requirements around how artificial intelligence is used. Some focus on telling consumers when AI created the content they are seeing. Others focus on how automated systems make decisions that affect consumers. What they share, and what matters most for compliance teams, is that they are consumer protection measures at their core.
In most cases, these laws are enforced the same way other consumer protection rules are: as unfair or deceptive trade practices, with state attorneys general as the primary enforcers. That places them alongside the marketing compliance obligations financial services companies already manage, rather than in a separate technology silo.
There Is No AI Exemption From Consumer Protection Law
Before getting into the individual states, it is worth being clear about the foundation. Federal regulators have stated plainly that there is no AI exemption from existing consumer protection law. In a joint statement, the CFPB, FTC, Department of Justice, and EEOC confirmed that automated systems, including tools marketed as artificial intelligence, are not an excuse for lawbreaking, and that they would enforce their respective laws regardless of the technology involved.
For marketing specifically, that has teeth. The CFPB has said that digital marketers who use algorithms to identify or select prospective customers, or to place content that affects consumer behavior, can be treated as service providers under the Consumer Financial Protection Act and held accountable for unfair, deceptive, or abusive acts or practices. The Bureau has also made clear that giving a consumer incorrect information through an AI chatbot can itself be a UDAAP violation.
The principle behind all of this is straightforward. The regulatory question is not who or what generated a piece of marketing. It is whether a consumer was misled or harmed, and what the company did to prevent it. The fact that a machine produced the content is not a defense.
New York: Telling Consumers When AI Is Involved
New York offers the clearest recent example of a state requiring transparency about AI in consumer-facing content. Its synthetic performer disclosure law, codified at New York General Business Law Section 396-b, took effect on June 9, 2026. It requires advertisers that knowingly use an AI-generated synthetic performer, meaning a digital asset built to look like a human who is not a real, identifiable person, to conspicuously disclose that fact to consumers.
The compliance mechanics are familiar. Penalties run $1,000 for a first violation and $5,000 for each one after that, and there is no private right of action, so enforcement sits with the New York attorney general. The underlying idea is a consumer protection one: people are entitled to know when what they are looking at was generated by AI rather than captured from real life.
California: Building Consumer-Facing AI Transparency
California has moved further than any other state, having enacted 18 AI-related laws across 2023 and 2024. Several of them are aimed at the same goal as New York’s, which is making sure consumers can tell when content is AI-generated.
The California AI Transparency Act, for example, requires providers of large generative AI tools to give users a way to detect AI-generated content and to embed disclosures that travel with that content. The specifics are still phasing in through 2026 and 2027. The direction, though, is consistent. California is building a consumer-facing transparency layer around AI, and marketers who rely on these tools inherit those expectations through the systems they use every day.
Colorado: AI, Automated Decisions, and Fair Lending
Colorado is the state most directly relevant to financial services, because its approach reaches automated decisions, not just creative content. Its original AI Act was repealed and replaced in May 2026 by a narrower framework focused on automated decision-making technology, which takes effect January 1, 2027. The new law requires consumer notice, explanations for adverse outcomes, and meaningful human review when automated systems materially influence consequential decisions in areas like lending, housing, and employment.
Two things make this a consumer protection and marketing compliance issue rather than a pure technology one. First, violations are treated as deceptive trade practices under the Colorado Consumer Protection Act and enforced by the state attorney general. Second, the lending angle overlaps directly with fair lending law. The CFPB has repeatedly confirmed that the Equal Credit Opportunity Act applies regardless of how novel or complex the technology is, and that lenders must give specific, accurate reasons for adverse actions even when an AI model produced the decision. Colorado’s framework reinforces that same expectation at the state level.
The Consumer Protection Throughline Across State AI Laws
Step back and a pattern emerges. New York requires disclosure of AI-generated content. California is building tools so consumers can identify it. Colorado governs how automated systems make decisions about consumers. The mechanisms differ, but the goal is the same: protect consumers from being deceived, kept in the dark, or treated unfairly when AI is involved.
For financial services marketers, that means the risk is not new in kind. It is the same risk you already manage, which is consumer-facing content and outcomes that are inaccurate, misleading, missing disclosures, or unfair. AI raises the stakes by producing more content faster and by making decisions at scale, and state attorneys general have joined federal regulators as active enforcers. The compliance obligation itself, though, is one your team already understands.
What State AI Laws Mean for Financial Services Marketing Compliance
The practical exposure for a bank, lender, or fintech tends to show up in a few places, and each one is a consumer protection problem before it is a technology problem:
- AI-generated marketing copy or imagery that omits a required disclosure or overstates a product
- AI-driven targeting that produces disparate outcomes and creates fair lending risk
- AI chatbots that give consumers incorrect information about rates, fees, or terms
A practical approach to managing that exposure looks like this:
- Treat AI-generated marketing as subject to the same review and approval as any other consumer-facing content
- Apply required disclosures consistently, and assume the strictest applicable state standard for national campaigns
- Monitor published content across every channel, including how AI platforms describe your products, to catch inaccuracies and missing disclosures
- Watch AI-driven targeting and decisioning for fair lending and UDAAP exposure
- Document how and when AI is used, and keep an evidence trail in case a regulator asks
The recurring theme is visibility. A policy that requires accurate, disclosed, and fair marketing is necessary but not sufficient. Confirming that what is actually live across every channel meets that standard, at the scale financial marketing now operates, is where programs succeed or fall short.
FAQs About State AI Laws and Marketing Compliance
State AI laws add transparency, disclosure, and accountability requirements around how AI is used in marketing and decision-making. For compliance teams, they function as consumer protection measures, usually enforced by state attorneys general as unfair or deceptive trade practices, and they layer on top of existing federal obligations like UDAAP and fair lending.
Yes. Federal regulators have confirmed there is no AI exemption from existing consumer protection law. AI-generated marketing content is subject to the same UDAAP, fair lending, and disclosure standards as any other consumer-facing content. If a consumer is misled or harmed, the fact that AI created the content is not a defense.
No. The CFPB, FTC, and other regulators have stated that automated systems and AI are not an excuse for noncompliance. The Equal Credit Opportunity Act applies regardless of how complex or novel the technology is, and providing incorrect information through an AI chatbot can constitute a UDAAP violation.
In some states, yes. New York requires conspicuous disclosure when an advertisement knowingly uses an AI-generated synthetic performer, effective June 9, 2026. California is phasing in transparency requirements for AI-generated content. Beyond specific state rules, undisclosed AI in consumer-facing marketing can also raise broader consumer protection concerns.
Financial services companies face two layers of exposure: state transparency rules for AI-generated marketing content, and automated decision-making rules like Colorado’s that overlap with fair lending. Both sit on top of the heavy marketing compliance obligations these companies already carry, from UDAAP to fair lending to product-specific disclosures.
State attorneys general are the primary enforcers of most state AI laws, typically treating violations as unfair or deceptive trade practices. Federal regulators, including the CFPB and FTC, enforce existing consumer protection laws as they apply to AI. Many state AI laws do not include a private right of action.
Colorado, California, and New York are the most prominent, though the list is growing. Each takes a different approach, which is why companies running national marketing campaigns generally have to comply with the strictest applicable standard.
Keeping AI Marketing Compliant and Consumer-Safe
State AI laws are multiplying, and the common thread is consumer protection. Marketers face a moving set of transparency and accountability requirements that differ by state, while the federal consumer protection rules they already follow continue to apply to everything AI touches. For financial services companies, the safest posture is to treat AI-generated and AI-targeted marketing exactly like any other consumer-facing content: accurate, disclosed, fair, and documented.
The hard part is seeing it all. Knowing what your policy requires is not the same as knowing what is actually reaching consumers across every channel where your brand appears.
PerformLine continuously monitors, evaluates, and scores marketing content across web, social, email, and other channels, including AI-generated responses about your brand and products. As state AI laws and consumer protection expectations continue to expand, having an ongoing, evidence-backed view of what your marketing is actually saying, and whether it is accurate, disclosed, and fair, is what keeps a compliance program ahead of the risk.
