Customer support chatbot deployed on our marketing site

EU, UK, US federal · Consumers · 2026-05-25

Summary

Consumer-facing AI chatbot under EU AI Act Art. 50 disclosure obligations with layered GDPR processing risks and FTC deception exposure on refund flows.

The dominant regulatory shape of this launch is EU AI Act Art. 50, which imposes non-negotiable, persistent disclosure obligations before the chatbot goes live, and the overlap with GDPR Art. 6 means that conversation logging for QA is the most legally exposed processing activity because it almost certainly lacks a documented lawful basis. The refund-inquiry function is the highest-stakes feature: even though no automated decision is being made, the chatbot's outputs on refund eligibility or deadlines create product liability exposure under the revised EU directive and FTC deception risk if a consumer reasonably relies on an incorrect answer. Neither risk is a dealbreaker, but both require structural fixes before launch, not post-launch patches.

0 dealbreakers · 10 obligations · 1 watch item
Top priorities
  1. Add a persistent, visible 'You are chatting with an AI assistant' label to the chat widget UI that is present before and throughout every session, satisfying both Art. 50(1) and Art. 50(2) of the EU AI Act in a single UI implementation rather than two separate disclosures.
  2. Map and document a lawful basis under GDPR Art. 6 for each distinct processing activity before launch: real-time inference, RAG retrieval, conversation logging for QA, and any downstream analytics each need a separate entry in the records of processing activities.
  3. Audit the conversation logging pipeline against GDPR Art. 25 data minimization before it goes live: strip or hash order IDs, names, and account identifiers that are not strictly necessary for QA, and set a defined retention period.
  4. Document in the system design record that the chatbot has no authority to approve, deny, or modify a refund outcome, and add a visible human-escalation path in the refund flow to contain both GDPR Art. 22 and EU product liability exposure.
  5. Audit the chatbot widget against WCAG 2.1 Level AA covering keyboard navigability, focus management, and color contrast before launch, and flag for counsel whether your primary EU markets extend accessibility obligations to private commercial sites.
Biggest open question

Whether the chatbot's refund-inquiry outputs, specifically statements about eligibility or applicable deadlines, constitute a sufficiently definitive representation to a consumer that a court would treat an incorrect answer as an adverse automated determination under GDPR Art. 22 or a defective digital product under the revised EU Product Liability Directive, given that the system design record characterizes the chatbot as purely informational.

AI laws that may apply

10 surfaced across 6 lenses

Grouped by legal lens.

AI-specific

2
  • Synthetic content labeling (AI Act Art. 50(2)) · Settled rule, unsettled application · Verified 2026-05-25

    Providers of AI systems generating synthetic audio, image, video, or text must ensure outputs are marked as artificially generated.

  • Disclosure of AI interaction (AI Act Art. 50(1)) · Settled rule, unsettled application · Verified 2026-05-25

    Providers must design AI systems interacting with people so that users are informed they are interacting with AI (not a human).

Privacy

3
  • Automated decision-making prohibition (GDPR Art. 22) · Settled rule, unsettled application · Verified 2026-05-25

    Data subjects have a right not to be subject to solely automated decisions (including profiling) producing legal or similarly significant effects on them.

  • Data protection by design and by default (GDPR Art. 25) · Settled rule, unsettled application · Verified 2026-05-25

    Controllers must implement data-protection principles (e.g. minimization, pseudonymisation) into processing from the earliest design stages.

  • Lawfulness of processing (GDPR Art. 6) · Settled rule, unsettled application · Verified 2026-05-25

    Personal data processing must fit at least one lawful basis (e.g. consent, contract performance, vital interests, public task, legitimate interest).

Consumer protection

1
  • Unfair or deceptive practices (FTC Act Sec. 5) · Settled rule, unsettled application · Verified 2026-05-25

    Prohibits unfair or deceptive acts or practices affecting commerce, which can include false claims about an AI product's capabilities or negligent AI design endangering consumers.

Accessibility

2
  • ADA Title II Digital Accessibility (DOJ rule) · Settled rule, unsettled application · Verified 2026-05-25

    DOJ Title II rule mandates that websites and mobile apps conform to WCAG 2.1 Level AA standards.

  • EU EN 301 549 / WCAG 2.1 · Settled rule, unsettled application · Verified 2026-05-25

    Under the EU Web Accessibility Directive, public-sector websites and mobile apps must meet EN 301 549 incorporating WCAG 2.1 Level AA.

Liability

1
  • EU Revised Product Liability Directive (2024) · Settled rule, unsettled application · Verified 2026-05-25

    The EU 2024 update to the Product Liability Directive extends strict liability to digital products including AI-based systems.

Other

1
  • EU AI Act, Art. 50 · Settled rule, unsettled application · Pending · omnibus_vii · Verified 2026-05-23

    Imposes transparency obligations on providers and deployers of AI systems. Providers must ensure persons interacting with AI systems are informed they are interacting with AI (unless obvious). Providers of generative AI…

Worth watching

1

Provisions that may not strictly apply today but are close enough to the launch shape that they are worth keeping an eye on. No per-launch analysis is generated for these.

  • DMCA 512 Safe Harbor (AI Content): Under 17 USC 512, online service providers are shielded from liability for user-posted infringing content if t… (source: copyright.gov)

Not legal advice. Structured analysis of what a thoughtful counsel would consider given the inputs above. Does not substitute for counsel review or certify compliance.

Customer support chatbot deployed on our marketing site. Answers product questions and handles refun — Anteroom