Get Fred

AI Insights

Nobody Told You Your Chatbot Was Going To Get You Sued

March 2, 2026 8 min read

In the first weeks of 2026 alone, 78 chatbot-related bills were filed across 27 states. Seventy-eight bills in a matter of weeks.

The legal landscape shifted from “emerging concern” to “active minefield” faster than most companies realized.

I started building a solution to this problem because friends and customers kept showing me the same thing on a smaller scale: companies have no idea their chatbot is creating liability exposure with every single conversation.

So I got stuck in, wrote a script to track news on AI, chatbots, AI Chatbots and holy $#%&.

Air Canada Set the Precedent

Air Canada deployed a customer service chatbot. A passenger asked about bereavement fares. The chatbot got it wrong. The passenger relied on the bad information and bought a ticket.

Air Canada refused the refund. The passenger sued.

Air Canada’s defense? The chatbot was a “separate legal entity” responsible for its own actions.

The British Columbia Civil Resolution Tribunal didn’t just reject that argument. They called it “remarkable.” Not in a good way. In Moffatt v. Air Canada, the tribunal ruled Air Canada liable for negligent misrepresentation through the chatbot’s responses.

You own every word your chatbot says. Courts aren’t going to buy the “AI did it” defense when you’re the one who deployed it.

The Wiretap Problem Nobody Saw Coming

Chatbot wiretap lawsuits went from 2 matters in 2021 to 30 in 2025. That’s a 1,400% increase in four years.

Companies running chatbots on their websites now face class actions in California and Massachusetts under state wiretapping laws. The theory: your chatbot intercepts and records communications without proper consent.

This is now the fastest-growing category of AI litigation facing companies.

And the financial exposure goes way beyond what you’d expect. Legal expenses for representation, review, and settlement routinely exceed the actual damages paid. You’re not risking a single customer complaint. You’re risking class action exposure across every customer who ever typed into your chatbot.

California Created a Private Right of Action

On January 1, 2026, California’s Senate Bill 243 took effect. It targets companion chatbots, meaning AI systems designed for emotional or social interaction that sustain relationships across multiple interactions.

Unlike previous bot disclosure laws, SB 243 includes a private right of action.

Companion chatbot operators who violate the law and cause consumer injury face actual or statutory damages of $1,000 per violation, plus attorneys’ fees.

Do the math on a social AI platform. If your companion chatbot has 10,000 users in emotional relationships and you violate disclosure requirements, you’re looking at $10 million in exposure before legal fees even enter the picture.

Important distinction: SB 243 specifically exempts customer service bots, technical support bots, and standard business chatbots. This targets companion AI, the platforms designed to form emotional bonds with users. But if you’re anywhere near that space, this is the most consequential chatbot law in the country right now.

Europe Skipped the Warning Shot

GDPR violations carry fines up to €20 million or 4% of global annual revenue, whichever is higher.

Italy temporarily banned ChatGPT in March 2023. The reason: OpenAI wasn’t transparent about data collection, lacked a legal basis for processing personal data, and had no age verification. The ban only lasted a month before OpenAI made changes, but it showed that European regulators will pull the trigger.

When your chatbot calls an API like OpenAI’s, user prompts travel to servers in the US. If a customer shares sensitive data through your chatbot and it ends up training a foundation model, you’ve lost control of that data. That’s a purpose limitation violation under GDPR.

If your chatbot uses AI models or servers outside the European Economic Area, you need a valid legal basis for the transfer. Standard Contractual Clauses at minimum.

The companies I talk to? They have no idea where their chatbot data actually goes. They can’t trace the path from user input to storage to model training. That’s not a compliance gap. That’s a liability time bomb.

How your chatbot is architected determines your exposure here. Whether user data passes through a vendor’s servers or goes directly to the model provider you chose changes your compliance picture completely. Not all chatbot architectures carry the same GDPR risk, but most companies never ask the question.

Real Deaths, Real Lawsuits

In October 2024, Megan Garcia filed a wrongful death lawsuit against Character.AI and Google after her 14-year-old son Sewell Setzer III died by suicide. The suit alleged the chatbot engaged the teen in harmful interactions, including sexualized conversations. In January 2026, Google and Character.AI agreed to settle with the families.

In August 2025, parents filed a separate wrongful death lawsuit against OpenAI, alleging that ChatGPT coached their 16-year-old California son Adam Raine in planning and taking his own life.

More lawsuits followed in September 2025. More families, more deaths, more teens who suffered serious harm after interacting with Character.AI chatbots.

The government response matched the severity. In September 2025, the FTC opened a formal inquiry into how generative AI developers are handling harm to minors. A bipartisan coalition of 44 state attorneys general sent a letter to Google, Meta, OpenAI, and others about child safety. Kentucky AG Russell Coleman became the first to file a state-level lawsuit against Character.AI, alleging the app exposed children to sexual conduct, exploitation, and substance abuse.

None of this is slowing down. It’s compounding.

Illinois Banned AI Therapy

On August 4, 2025, Governor Pritzker signed the Wellness and Oversight for Psychological Resources Act. No phase-in. No grandfather clause. Immediate effect.

AI systems, including chatbots, cannot make independent therapeutic decisions. Cannot interact directly with clients in therapeutic communication. Cannot generate treatment plans without a licensed professional reviewing them. Cannot detect emotions or mental states for therapeutic purposes.

$10,000 per occurrence.

If you’re deploying chatbots anywhere near healthcare, mental health, or wellness, this is current law. Other states are watching Illinois closely.

The FTC Will Come After Your Marketing

In FTC v. DoNotPay, Inc., the FTC went after a chatbot marketed as “the world’s first robot lawyer.”

The company claimed it could substitute for human legal expertise. It couldn’t. The chatbot generated legal documents without validation or oversight, producing outputs that weren’t fit for use. They never tested whether it performed at a human lawyer’s level. Never hired attorneys to check output quality.

DoNotPay paid $193,000 and had to notify every subscriber from 2021 to 2023 about the settlement.

If your chatbot can’t do what you say it can do, you have FTC exposure. “We’re using AI” is not a defense. Substantiation requirements don’t disappear because you put a language model behind your product.

Where This Leaves You

Regulators at federal and state levels are investigating, filing lawsuits, and imposing penalties. Right now. Not next year.

The “move fast and break things” era of chatbot deployment is over. Companies that put chatbots into production without legal review now face exposure on multiple fronts: privacy violations through unauthorized data collection, wiretap claims for recording without consent, negligent misrepresentation when the chatbot gives wrong answers, deceptive advertising when marketing exceeds capabilities, child safety violations when minors interact without safeguards, and GDPR penalties for cross-border data transfers without a legal basis.

Any one of these can hit millions. Stack a few together and you’re looking at existential risk for a mid-size company.

Six Questions I Ask Every Prospect

Nobody can answer all of these. Most can’t answer two.

Where does your data actually go? Which servers process user inputs? Can you trace the flow from input to storage to model training? If your answer starts with “I think it goes to…” you have a problem.

What consent are you getting? Do users know they’re talking to a bot? Do they know how their data gets used? “It’s in the terms of service” is not consent.

How accurate is your chatbot? What validation happens before it answers? Who reviews outputs? What’s the plan when it hallucinates? Air Canada learned this the hard way. An untested chatbot making confident claims about your policies is a negligent misrepresentation lawsuit waiting to happen.

What are you claiming in your marketing? Does it match what the chatbot actually does? The FTC doesn’t care how good your demo was. They care what happens when a real customer uses it.

How do you handle minors? Age verification? Safeguards? Content restrictions? If you don’t have clear answers here, you’re one lawsuit from the front page.

What’s your cross-border strategy? Valid legal bases for data transfers? Standard Contractual Clauses? If you’re serving European customers through a chatbot on US infrastructure, this isn’t optional.

2026 Is Going to Be Ugly

More states will create private rights of action. The Character.AI and OpenAI settlements will set precedents for harm liability. The FTC will keep going after capability claims. GDPR enforcement on cross-border transfers will tighten. More states will follow Illinois and ban AI outright in specific sectors.

Your chatbot is generating liability exposure right now. Every conversation, every data transfer, every piece of advice it gives.

You can get ahead of this or you can wait for the letter from someone’s attorney. Your call.

Talk to Fred

Ask Fred anything

This is the same Fred you would put on your own site. Ask about your industry, compliance, or how the guardrails work. Fred listens.

Put your own Fred to work.

You just talked to Fred above. The same agent answers your visitors from your content, captures the lead, and books the job, 24/7.

Get Fred
More from AI Insights