AI Disclosure Requirements: The Complete Guide for Businesses Using Artificial Intelligence

A client recently asked a question that sounds simple but opens up an entire compliance landscape: “Do we need to add a statement to our Terms & Conditions about using AI-generated images?”

The short answer is: it depends — on your industry, your audience, your jurisdiction, what the images are used for, and which platform they appear on.

The longer answer is this article.

AI disclosure is one of the fastest-moving areas in privacy and technology law right now. The obligations come from multiple directions simultaneously — federal regulators, state legislatures, the EU, platform policies, and sector-specific rules — and they are not always consistent with each other. Businesses that touch AI-generated content, AI-assisted decisions, or AI-powered customer interactions need a clear picture of what is required, by whom, in what form, and when.

This guide covers the complete AI disclosure landscape: every major framework, every category of AI use that triggers disclosure obligations, what “disclosure” actually requires in practice, and — specifically — what your T&Cs, privacy notices, and consumer-facing communications need to say.  1. Why AI Disclosure Is a Distinct Compliance Category

AI disclosure sits at the intersection of several existing legal frameworks — consumer protection law, privacy law, advertising law, sector-specific regulations — but it is increasingly a distinct regulatory category in its own right.

The core legal theory driving disclosure requirements is consistent across frameworks: consumers have the right to know when they are interacting with, or being affected by, artificial intelligence in ways that are material to their decisions, their wellbeing, or their legal rights. That theory plays out differently depending on context.

When you interact with AI directly — a chatbot, a voice assistant, an AI customer service agent — you have a right to know you’re not talking to a human.

When AI generates content you consume — images, videos, audio, written content — you have a right to know the content was machine-generated, especially when it could affect your beliefs, purchase decisions, or political views.

When AI makes or influences decisions about you — in hiring, lending, insurance, healthcare, or criminal justice — you have a right to know AI was involved and, in many jurisdictions, the right to appeal or request human review.

When AI processes your personal data — in ways that involve profiling, automated decision-making, or sensitive inferences — privacy law frameworks impose specific transparency obligations.

These categories overlap, and the laws governing them overlap too. The starting point for building a compliant AI disclosure program is understanding which categories apply to your business and which frameworks govern each one.

The Six Categories of AI Use That Trigger Disclosure Obligations

Not all AI use requires disclosure. The categories below are where the law — current and emerging — consistently imposes transparency requirements.

Category 1: AI-Generated Content (Images, Video, Audio, Text)

Synthetic media created by AI, including photorealistic images, deepfake video, AI-generated voices, and AI-written text presented as human-authored. Disclosure is required in specific contexts under EU law, multiple U.S. states, and all major platforms.

Category 2: AI-Powered Customer Interactions (Chatbots, Virtual Agents)

Any automated system that interacts with consumers in ways that could be mistaken for human communication. The EU AI Act creates explicit disclosure obligations here. FTC guidance and FCC rules address deceptive robocall and chatbot practices.

Category 3: Automated Decision-Making With Legal or Significant Effects

AI systems that make or significantly influence decisions about individuals — in employment, credit, insurance, housing, or healthcare. GDPR Article 22 creates rights around automated decisions. Multiple U.S. state privacy laws require privacy impact assessments for profiling activities.

Category 4: AI in Employment and Hiring

The use of AI tools in recruitment, screening, assessment, and performance management. Several U.S. states have enacted specific laws requiring employer disclosure and, in some cases, bias audits.

Category 5: AI in Political and Electoral Advertising

The use of AI-generated content in political advertisements and campaign communications. This is one of the most rapidly legislated areas — more than a dozen states have enacted disclosure requirements.

Category 6: AI Systems That Process Sensitive Personal Information

AI applications that process or generate inferences about health, financial status, race, religion, sexual orientation, or other sensitive categories. Multiple frameworks impose heightened obligations when AI touches sensitive data.

The EU AI Act: The World’s Most Comprehensive AI Transparency Framework

The EU AI Act entered into force in August 2024 and is being phased in across 2025 and 2026. For any organization that serves EU users or operates in the EU, it is the most comprehensive AI governance framework in existence.

Transparency Requirements Under Article 50

Article 50 establishes four specific disclosure obligations:

1. AI Interaction Disclosure Providers of AI systems intended to interact directly with natural persons must ensure those systems identify themselves as AI to the people they interact with — unless the context makes this obvious. The practical application: any chatbot, virtual assistant, or AI customer service system that could be mistaken for a human must affirmatively disclose that it is an AI system.

2. Emotion Recognition and Biometric Categorization Disclosure Operators of AI systems that perform emotion recognition or biometric categorization must inform the natural persons exposed to these systems. This has direct implications for retail analytics, workplace monitoring, and consumer research applications that use facial analysis.

3. Deepfake and Synthetic Media Disclosure Persons who use AI to generate or manipulate image, audio, or video content that resembles real events, persons, or places must disclose that the content has been artificially generated or manipulated. This covers deepfake video, AI-synthesized audio, and photorealistic AI-generated imagery depicting real or fictional people in realistic scenarios.

The disclosure obligation here is notable for its breadth: it applies to the person deploying or publishing the content, not just the AI system provider. If your business publishes AI-generated content that could be mistaken for real images or footage, you carry the disclosure obligation under EU law.

4. AI-Generated Text on Matters of Public Interest Providers of general-purpose AI systems that generate text intended for publication on matters of public interest must ensure the output is marked as machine-generated. This targets the use of AI in news, political content, and public affairs communication.

Risk Classification and What It Means for Disclosure

The AI Act classifies AI systems by risk level, and obligations scale accordingly:

• Unacceptable risk: Prohibited outright (e.g., social scoring, real-time remote biometric surveillance in public spaces)
• High risk: Subject to conformity assessments, registration, and detailed documentation requirements (e.g., AI in hiring, credit scoring, critical infrastructure, education, law enforcement)
• Limited risk: Subject to transparency obligations (chatbots, deepfakes — covered by Article 50)
• Minimal risk: No specific obligations (spam filters, AI-assisted games)

If your AI application falls into the high-risk category, the documentation and transparency requirements go well beyond a disclosure statement — they include technical documentation, human oversight mechanisms, accuracy and robustness standards, and registration in the EU AI Act database.

Timeline (Verify current implementation status for 2026)

• February 2025: Prohibited AI practices provisions took effect
• August 2025: Rules for general-purpose AI (GPAI) models took effect
• August 2026: Full application of high-risk AI system requirements
• August 2027: High-risk AI systems already on market must comply

U.S. Federal Requirements: FTC, Endorsements, and Deceptive Practices

There is currently no comprehensive federal AI disclosure law in the United States. (Verify whether this has changed in 2026 — multiple bills have been proposed.) However, several existing federal frameworks create meaningful AI disclosure obligations.

The FTC Act: Deceptive Practices Baseline

Section 5 of the FTC Act prohibits unfair or deceptive acts or practices. The FTC has been explicit that this applies to AI-related conduct, including:

• Using AI to generate fake consumer reviews without disclosure
• Deploying AI-generated testimonials or endorsements that misrepresent human experience
• Using AI chatbots to impersonate humans in consumer-facing contexts
• Generating misleading AI imagery or video to deceive consumers about products or services

The FTC’s updated Endorsement Guides (revised 2023) specifically address AI-generated endorsements: reviews, testimonials, and influencer-style content generated or significantly assisted by AI must be disclosed as such when presented as authentic consumer experiences. The standard is whether the average consumer would assume the content reflects genuine human experience.

Practical implication: AI-generated product reviews, AI-assisted customer testimonials, and synthetic influencer content deployed in advertising require disclosure. The FTC has already taken enforcement action in cases involving fake review schemes, and AI-generated content is on its active enforcement radar.

FTC Guidance on AI Chatbots and Impersonation

The FTC has issued guidance specifically warning against AI systems that impersonate humans — in customer service contexts, in telemarketing, and in social media. The standard is deception: if a consumer reasonably believes they are communicating with a human, and the organization knows this, the failure to disclose is a deceptive practice.

FCC Rules on AI Robocalls

The FCC ruled in February 2024 that AI-generated voices in robocalls are subject to the Telephone Consumer Protection Act (TCPA). Calls using AI-generated voices require prior express consent, and failure to disclose the AI nature of the call creates additional liability. (Verify implementation and enforcement status for 2026.)

U.S. State Laws: California Leads, Others Follow

State AI disclosure legislation is proliferating rapidly. The following frameworks represent the current landscape as of mid-2025; verify the status of each and check for new enactments before publishing.

California: The Most Comprehensive State Framework

California AI Transparency Act (SB 942) — Effective January 1, 2026

SB 942 requires providers of “large AI systems” (systems with 1 million or more monthly users in California) to:

1. Include a provenance disclosure in all AI-generated content — a detectable signal, either a watermark or metadata, identifying the content as AI-generated
2. Provide a publicly accessible, free AI detection tool that can identify content generated by their system
3. Disclose in their terms of service and privacy policy that their system generates AI content and how users can identify it

Key scope: SB 942 places obligations on AI system providers — the companies whose AI generates the content — not necessarily every business that uses AI-generated content. However, if you are deploying AI-generated content that a provider’s system created, the provenance disclosure should be embedded in the content itself. And your T&Cs and privacy policy should accurately describe your use of AI-generated content.

California AB 2355 — AI in Political Advertisements

Political advertisements that contain AI-generated content depicting a candidate, elected official, or opposition must include a clear and conspicuous disclosure. The disclosure must state that the content was created using artificial intelligence and must appear in the advertisement itself.

California AB 2602 — AI-Generated Replicas of Performers

Contracts for digital replicas of performers created using AI require explicit written consent. The contract must specifically address the AI use; a general grant of rights is insufficient. This has direct implications for entertainment, advertising, and media companies using AI-generated likenesses.

CCPA Automated Decision-Making Regulations

The CPPA has been developing regulations on automated decision-making technology (ADMT) under CPRA authority. These regulations — once finalized — will require businesses to provide opt-out rights for certain automated decisions affecting consumers and to disclose the use of ADMT in their privacy notices. (Verify finalization status and effective date for 2026.)

Other Key State Laws (Verify current status)

Political Advertising AI Disclosure Laws — 20+ States

More than twenty states have enacted or proposed legislation requiring disclosure of AI-generated content in political advertising, including Texas, Minnesota, Washington, Florida, Georgia, Indiana, and others. The specific requirements vary — some require on-screen text, some require audio disclosure, some apply only to state races. If your organization produces political advertising or communications, this patchwork requires careful state-by-state review.

Employment AI Disclosure Laws

• Illinois: The Artificial Intelligence Video Interview Act requires employers to disclose when AI is used to analyze video interviews and obtain consent before analysis.
• New York City: Local Law 144 requires bias audits for automated employment decision tools, with results published publicly. Employers must notify candidates when an AEDT is used.
• Colorado: The Colorado AI Act (SB 205, signed 2024) requires developers and deployers of high-risk AI systems — including those used in employment, housing, education, and financial services — to use reasonable care to avoid algorithmic discrimination and to provide notice to consumers when AI is used in consequential decisions. (Verify effective date and implementation status.)

Minnesota MNCDPA

Minnesota’s comprehensive privacy law includes provisions addressing automated decision-making, requiring disclosure and consumer rights around profiling activities. Minnesota is also the only state to explicitly require a data inventory under its framework.

Platform Policies: What Meta, YouTube, TikTok, and Others Require

Platform policies create disclosure obligations that apply regardless of whether a law technically requires it. Violation of platform policies can result in content removal, account suspension, demonetization, or permanent bans — consequences that can be as operationally significant as regulatory enforcement.

Meta (Facebook, Instagram)

Meta requires disclosure of AI-generated content for:

• Realistic-looking video or audio depicting real people saying or doing things they didn’t say or do
• Realistic-looking images of real events that didn’t occur
• Political and social issue advertising using AI-generated content

Meta’s system uses AI to detect synthetic content and applies labels. However, creators are independently required to disclose AI generation when publishing, particularly for political content. Failure to disclose when Meta’s system detects AI content can result in the disclosure label being applied automatically — with a notation that the creator failed to disclose.

YouTube

YouTube requires creators to disclose realistic AI-generated content in videos — particularly:

• Content depicting real, identifiable people saying or doing things they didn’t do
• Realistic-looking footage of actual events that never occurred
• Realistic depictions of sensitive topics (health, elections, conflict)

The disclosure must be made during video upload, and YouTube may display a label on the content. For YouTube Partner Program participants, failure to disclose when disclosure is required can result in monetization removal.

TikTok

TikTok requires AI-generated content labels for realistic synthetic media. TikTok uses its own detection system and will apply automatic labels, but creators are independently required to self-disclose. The platform’s policy is particularly strict for content involving public figures, political content, and realistic synthetic imagery.

LinkedIn

LinkedIn requires disclosure of AI-generated content in certain advertising contexts and has policies against AI-generated content that misrepresents professional credentials, experience, or testimonials.

X (formerly Twitter)

X requires disclosure for political advertising containing AI-generated content and has policies against synthetic media used to deceive. (Note: X’s policy enforcement has been inconsistent; verify current status.)

The practical takeaway: If you are publishing AI-generated content on any major platform, platform policies independently require disclosure — in the content itself, in captions, or in the upload metadata process. These obligations exist alongside and often in addition to legal requirements.

Sector-Specific Disclosure Rules

Certain industries have AI disclosure obligations layered on top of general frameworks. If your organization operates in any of these sectors, these requirements apply in addition to everything above.

Healthcare

• FDA Guidance on AI/ML-Based Software as a Medical Device: AI-powered diagnostic and clinical decision support tools require transparency about their AI/ML foundations in labeling and documentation
• HIPAA Implications: AI systems that generate, process, or analyze protected health information must be addressed in your HIPAA privacy and security programs; patients have rights to know how their information is used
• FTC Health Breach Notification: AI systems that process consumer health data outside HIPAA’s scope must comply with FTC health data requirements

Financial Services

• CFPB Guidance on AI in Credit Decisions: The CFPB has issued guidance requiring that adverse action notices explain the specific reasons for credit denials even when AI was used in the decision — a generic “AI said no” is insufficient. Consumers must receive human-comprehensible explanations
• SEC and FINRA on AI in Investment Advice: Broker-dealers and investment advisers using AI in client recommendations must disclose the use of AI and ensure it doesn’t create conflicts of interest
• Fair Credit Reporting Act (FCRA): AI systems that generate consumer reports or are used in credit, employment, housing, or insurance decisions must comply with FCRA adverse action and disclosure requirements

Employment

As noted above: Illinois, New York City, Colorado, and a growing number of jurisdictions require disclosure when AI tools are used in hiring and performance decisions. The trend is clearly toward expansion, and federal EEOC guidance has addressed AI in employment contexts as well.

Legal and Professional Services

The practice of law in many jurisdictions now requires disclosure when AI tools are used to generate legal documents, briefs, or advice. Several bar associations have issued formal guidance requiring attorney supervision of AI output and, in client-facing contexts, appropriate disclosure of AI use.

AI-Generated Imagery Specifically: What the Law Actually Says

Back to the original client question: AI-generated images, and whether a T&C disclosure is required.

Here is what the current legal landscape actually says about AI-generated imagery:

When Disclosure Is Legally Required

EU AI Act (Article 50): If your AI-generated images depict real people, real events, or realistic scenarios in ways that could deceive viewers, disclosure is required. This obligation falls on the deployer of the content — meaning your business, not just the AI tool you used.

California SB 942: If the AI system that generated your images is a “large AI system” subject to SB 942, the provider is required to embed provenance data in the output. Your obligations depend on whether you are the provider or a user of that system. If you are a user publishing the images, the provenance data should already be present — but your T&Cs and privacy policy should accurately describe your use of AI-generated content.

Political Advertising: If the images are used in political advertising in California or any other state with an AI political ad disclosure law, explicit disclosure within the advertisement is required.

Platform Policies: If you are publishing AI-generated imagery on Meta, YouTube, TikTok, or other major platforms, platform policies require disclosure regardless of legal requirements.

FTC Deceptive Practices: If AI-generated images are used in advertising, product listings, or testimonials in ways that could mislead consumers about a product’s appearance, features, or real-world use, the FTC’s deceptive practices framework applies.

When Disclosure Is Best Practice But Not Currently Mandated

AI-generated imagery used purely for internal purposes, for illustrative/decorative purposes where no deception is possible (e.g., clearly stylized or abstract AI art labeled as such), or in creative contexts where the AI origin is obvious, does not currently carry mandatory disclosure requirements in most jurisdictions outside of the political advertising and realistic depiction contexts.

However: the regulatory trajectory is clearly toward broader disclosure requirements, and the reputational risk of undisclosed AI imagery — particularly when discovered — is significant.

The T&C Question Specifically

Does your client need to add a statement to their T&Cs about AI-generated images?

Yes, if any of the following apply:

• The images are published on platforms that require creator disclosure (Meta, YouTube, TikTok, etc.)
• The images depict real people, real events, or realistic scenarios in commercial or advertising contexts
• The images are used in California, the EU, or any jurisdiction with AI content disclosure requirements
• The organization is subject to California SB 942 as a provider of a large AI system
• The images are used in advertising, testimonials, product imagery, or other consumer-facing commercial contexts where the AI origin could be material

The specific T&C language should, at minimum:

• Acknowledge that the organization uses AI tools to generate images
• Describe the categories of content affected
• State how AI-generated content is identified or labeled
• Reference any provenance data or detection tools available to users
• Link to the full privacy policy where AI use is described

This is a floor, not a ceiling. In most contexts, T&C disclosure alone is insufficient — it needs to be accompanied by in-content labeling, platform disclosures at upload, and privacy notice updates.

What Your T&Cs, Privacy Notice, and Website Actually Need to Say

Across all AI disclosure frameworks, the following documents need to be reviewed and updated if your organization uses AI in any consumer-facing way.

Your Privacy Notice

Your privacy notice should describe:

• What AI systems you use that process personal information (AI chatbots, recommendation engines, personalization systems, fraud detection, automated decision-making tools)
• What data those systems use — including any data used for training or fine-tuning
• Whether automated decision-making occurs with legal or significant effects on individuals, and if so, what the basis is and what rights consumers have
• Whether AI-generated inferences or profiles are created about users, and what categories those cover
• How to opt out of automated decision-making or AI-driven profiling where applicable law provides that right
• Whether AI-generated content is present on your platform and how it is identified

For organizations subject to GDPR: Article 22 requires explicit disclosure of solely automated decision-making that produces legal or similarly significant effects, including the logic involved, the significance, and the envisaged consequences — all in plain language.

For organizations subject to CCPA: The CPPA’s ADMT regulations (verify finalization status) will require opt-out rights and privacy notice disclosures for certain automated decision-making uses once finalized.

Your Terms and Conditions

Your T&Cs should address:

• AI content disclosure: Whether your platform or service uses AI-generated content, what categories are affected, and how users can identify it
• User AI content: If users can generate AI content on your platform, your T&Cs should address labeling obligations, platform policy compliance, and what happens to undisclosed AI content
• AI interactions: If AI chatbots or virtual agents are used, disclosure that users may interact with AI systems
• Automated decisions: If your service makes consequential decisions about users using AI (access, pricing, personalization), the basis and the available review mechanisms
• Data used for AI training: If user content or data may be used to train or improve AI systems, explicit disclosure and applicable opt-out rights

In-Content Labels and Interface Disclosures

T&Cs and privacy notices are not sufficient on their own for most disclosure requirements. In addition:

• AI-generated images should be labeled in the image itself, in the caption, in the metadata (C2PA, see below), or at the point of publication — depending on the context
• AI chatbots should disclose their AI nature at the beginning of every interaction, not just in the T&Cs
• AI-generated video or audio should carry visible or audible disclosure in the content itself
• Automated decisions should be accompanied by plain-language explanation at the point of decision, not just referenced in a privacy policy

The Content Provenance Standards You Need to Know: C2PA

The Coalition for Content Provenance and Authenticity (C2PA) has developed an open technical standard for embedding provenance information — origin, history, and modifications — directly in digital content files.

C2PA “content credentials” can be embedded in images, video, audio, and documents. They record:

• Whether the content was AI-generated or AI-edited
• Which tools were used
• When and where the content was created or modified
• Whether the content has been subsequently altered

Major AI image generators — Adobe Firefly, DALL-E, and others — have begun incorporating C2PA credentials into their output by default. California’s SB 942 explicitly contemplates provenance data as the mechanism for AI disclosure.

Why this matters for compliance:

If you are using AI image tools that generate C2PA-credentialed output, the provenance disclosure is embedded in the file by default. Stripping or modifying that metadata to remove the AI-generated designation is a separate legal and reputational risk.

If you are building a compliance program around AI-generated content, adopting C2PA standards — or using tools that do — is quickly becoming the operational baseline for demonstrating AI content transparency.

Building an AI Disclosure Compliance Program

The frameworks above are not a checklist to complete once. They are a moving target that requires an ongoing program. Here is the structure:

Step 1: AI Use Inventory

Catalog every AI system your organization uses that has consumer-facing implications or involves personal data. For each system, identify: what it does, what data it processes, whether it generates content, whether it makes or influences decisions, and who interacts with it.

Step 2: Applicability Assessment

For each AI use, map the disclosure obligations that apply: EU AI Act risk classification, applicable U.S. state laws, platform policies, sector-specific rules. The output is a matrix: AI use × applicable framework × disclosure obligation.

Step 3: Documentation Gap Analysis

Compare your current T&Cs, privacy notice, and in-product disclosures against the obligation matrix. Identify every gap.

Step 4: Remediation

Update documentation in priority order: highest-risk uses and most imminent legal deadlines first. Privacy notice updates, T&C revisions, and in-content labeling practices should be implemented together, not sequentially.

Step 5: Governance Integration

Build AI disclosure review into your new product and vendor onboarding process. Any time a new AI tool is deployed, the disclosure obligations should be assessed as part of the privacy impact assessment — not after launch.

Step 6: Monitor and Update

Set a review cadence. AI disclosure law is adding new requirements faster than almost any other compliance area. A quarterly review of legislative developments and a biannual documentation review is a reasonable minimum.

Frequently Asked Questions

Does every AI-generated image require a disclosure statement? Not universally — it depends on the context. Politically-themed images, realistic depictions of real people, images used in advertising or testimonials, and images published on platforms that require disclosure (Meta, YouTube, TikTok) all require disclosure. Clearly stylized AI art for decorative purposes in contexts where no one could be deceived does not currently carry mandatory disclosure requirements in most jurisdictions.

Do T&Cs alone satisfy AI disclosure obligations? No. For most AI disclosure obligations, T&C disclosure is a floor, not a ceiling. In-content labeling, interface disclosures at the point of AI interaction, and metadata (C2PA) are separately required or expected under most frameworks. T&Cs tell users the rules; in-context disclosure gives them meaningful notice.

Does the EU AI Act apply to U.S. businesses? Yes, if you offer AI systems or AI-generated content to individuals in the EU, regardless of where your business is located. The territorial scope follows the user, not the server location.

What is the difference between AI disclosure in a privacy notice versus a terms and conditions? A privacy notice addresses how personal data is used, including in AI systems. A T&C addresses the rules of your service, including what AI systems operate within it and what content is AI-generated. Both documents are necessary; they cover different aspects of the same underlying obligation to be transparent about AI.

Our AI images were created by a third-party tool. Is disclosure still our responsibility? Yes, in most frameworks. While the AI system provider carries obligations under laws like California’s SB 942, your business — as the deployer and publisher of AI-generated content — carries the disclosure obligation at the point of publication. The fact that you didn’t build the AI is not a disclosure defense.

What is C2PA and do we need to use it? C2PA is a technical standard for embedding provenance data in digital content files, indicating whether it was AI-generated and by what system. California SB 942 contemplates C2PA as a disclosure mechanism. Using AI tools that generate C2PA-credentialed output is rapidly becoming the operational baseline for AI content transparency compliance.

Is there a federal AI disclosure law in the U.S.? As of mid-2025, no comprehensive federal AI disclosure law had been enacted. Multiple bills have been proposed. (Verify whether any have passed or been signed as of 2026.)

The Bottom Line

AI disclosure is not a single requirement with a single answer. It is a layered compliance obligation that depends on what your AI does, who it affects, where your users are, and which platforms you operate on.

The good news: the core framework is coherent. Across every jurisdiction and every platform, the underlying obligation is the same — be transparent when AI is material to a consumer’s experience, decision, or understanding. Build your compliance program around that principle, map it to the specific frameworks that apply to your business, and document both what you’ve disclosed and why.

For the client who asked about T&C language for AI-generated images: yes, you likely need that language — and you probably need more. Start with the documentation, then work backward to what needs to be visible where.

Captain Compliance helps organizations assess their AI disclosure obligations across all applicable frameworks — from EU AI Act risk classification through U.S. state law compliance, platform policy alignment, and documentation updates.