Customer support chatbot deployed on our marketing site

EU, UK, US federalConsumers2026-05-25

In accordance with our privacy statement.

Summary

EU AI Act Art. 50 transparency obligations dominate this launch, with layered GDPR data minimization and FTC deception risk as the material cross-cutting exposures.

This chatbot is not a high-risk AI system and does not trigger GDPR Art. 22, but it sits squarely in the EU AI Act Art. 50 transparency regime, which requires both a pre-interaction AI disclosure and a per-response synthetic content label on every Claude-generated message visible to EU and UK users. The GDPR exposure is not about the chatbot's outputs but about what happens to the conversation logs: logging refund inquiries and product questions from identified customers without a documented lawful basis and without data minimization controls is the fastest path to a regulator inquiry. The FTC risk is secondary but concrete, because any marketing copy or UI label that overstates the chatbot's authority or real-time account access creates a deception hook that costs nothing to fix before launch and is expensive to defend after.

0 dealbreakers10 obligations1 watch item

Top priorities

1Add a visible AI disclosure before the first user message and a persistent per-response label on every Claude output, satisfying both Art. 50(1) and Art. 50(2) in one coordinated UI change across all EU and UK language versions.
2Document the lawful basis for conversation logging under GDPR Art. 6 before launch, then configure logging to pseudonymize or exclude personal identifiers not actually needed for QA, implementing Art. 25 by design rather than retrofit.
3Confirm in writing . in the system design record . that the chatbot has no authority to approve or deny refunds, so the Art. 22 non-applicability finding stays defensible if a regulator ever reviews the refund inquiry flow.
4Audit all marketing copy and chatbot UI labels for claims about decision-making authority or real-time account data access, and correct any language that implies the chatbot can act rather than inform, per FTC Act Sec. 5.
5Document the Claude version and RAG source set (help-center articles, retrieval date) in the launch record now, so you can reconstruct what the chatbot was relying on for any given interaction under the EU Product Liability Directive.

Biggest open question

Whether a persistent banner or icon on the chat interface satisfies Art. 50(2)'s synthetic content labeling requirement as applied to each individual Claude response, or whether the directive requires a discrete per-message marker that survives scrolling and copy-paste.

AI laws that may apply

10 surfaced across 6 lenses

Grouped by legal lens. Click any provision to see how it applies to this launch specifically.

AI-specific

Synthetic content labeling (AI Act Art.50(2))Settled rule, unsettled applicationVerified 2026-05-25
Providers of AI systems generating synthetic audio, image, video, or text must ensure outputs are marked as artificially generated.
Disclosure of AI interaction (AI Act Art.50(1))Settled rule, unsettled applicationVerified 2026-05-25
Providers must design AI systems interacting with people so that users are informed they are interacting with AI (not a human).

Privacy

Automated decision-making prohibition (GDPR Art.22)Settled rule, unsettled applicationVerified 2026-05-25
Data subjects have a right not to be subject to solely automated decisions (including profiling) producing legal or similarly significant effects on them.
Data protection by design and by default (GDPR Art.25)Settled rule, unsettled applicationVerified 2026-05-25
Controllers must implement data-protection principles (e.g. minimization, pseudonymisation) into processing from the earliest design stages.
Lawfulness of processing (GDPR Art.6)Settled rule, unsettled applicationVerified 2026-05-25
Personal data processing must fit at least one lawful basis (e.g. consent, contract performance, vital interests, public task, legitimate interest).

Consumer protection

Unfair or deceptive practices (FTC Act Sec.5)Settled rule, unsettled applicationVerified 2026-05-25
Prohibits unfair or deceptive acts or practices affecting commerce, which can include false claims about an AI product capabilities or negligent AI design endangering consumers.

Accessibility

ADA Title II Digital Accessibility (DOJ rule)Settled rule, unsettled applicationVerified 2026-05-25
DOJ Title II rule mandates that websites and mobile apps conform to WCAG 2.1 Level AA standards.
EU EN 301 549 / WCAG 2.1Settled rule, unsettled applicationVerified 2026-05-25
Under the EU Web Accessibility Directive, public-sector websites and mobile apps must meet EN 301 549 incorporating WCAG 2.1 Level AA.

Liability

EU Revised Product Liability Directive (2024)Settled rule, unsettled applicationVerified 2026-05-25
The EU 2024 update to the Product Liability Directive extends strict liability to digital products including AI-based systems.

other

EU AI Act, Art. 50Settled rule, unsettled applicationPending · omnibus_viiVerified 2026-05-23
Imposes transparency obligations on providers and deployers of AI systems. Providers must ensure persons interacting with AI systems are informed they are interacting with AI (unless obvious). Providers of generative AI…

Worth watching

Provisions that may not strictly apply today but are close enough to the launch shape that they are worth keeping an eye on. No per-launch analysis is generated for these.

DMCA 512 Safe Harbor (AI Content)Under 17 USC 512, online service providers are shielded from liability for user-posted infringing content if t…copyright.gov ↗

Not legal advice. Structured analysis of what a thoughtful counsel would consider given the inputs above. Does not substitute for counsel review or certify compliance.