Customer-facing AI chatbot deployed on our marketing site

EU, UK, US federalConsumers2026-05-25

In accordance with our privacy statement.

Summary

EU AI Act transparency violations are live today. GDPR indefinite logging is the secondary fire.

This chatbot is already in breach of EU AI Act Article 50 disclosure requirements: the marketing page deploys a smiling avatar and "always-available customer support" framing that affirmatively obscures the AI nature of the system at the moment of interaction, across 40,000 monthly conversations. That is not a gray area. The GDPR exposure compounds it, because every one of those conversations is being logged indefinitely without a documented lawful basis or a defined retention period, which puts you offside on Articles 6 and 25 simultaneously. The Article 22 automated-decision risk is low given the human escalation design, but only if that workflow is documented. The US exposure (FTC deception, right of publicity for the avatar) is real but secondary to the live EU obligations.

0 dealbreakers10 obligations2 watch items

Top priorities

1Add explicit AI disclosure at the start of every chat session and revise the marketing-page copy to remove any implication of human interaction, per AI Act Art. 50(1) -- this is the single most urgent fix because the violation is active and consumer-facing at scale.
2Add a persistent AI-generated content label to every chatbot response, visible before the user reads the substantive answer, to satisfy Art. 50(2) synthetic content marking obligations.
3Identify and document the lawful basis for conversation logging under GDPR Art. 6, separated by customer vs. prospect status, and set automatic deletion schedules tied to defined QA use cases per Art. 25 -- indefinite retention with no documented basis is indefensible on audit.
4Confirm whether the smiling avatar depicts an identifiable real person. if it does, secure written consent or replace it with a provably generic illustration to eliminate right-of-publicity exposure across US state laws.
5Draft a human-escalation workflow document showing that no refund denial or account action occurs without human judgment, and keep it current as the product evolves, to preserve the Art. 22 exclusion and support any FTC inquiry into automated handling of refund inquiries.

Biggest open question

Whether the chatbot's handling of refund inquiries -- even where a human formally approves the outcome -- constitutes a preparatory automated process with legal or similarly significant effect on consumers under GDPR Art. 22, given that the chatbot's framing of the inquiry may functionally determine the result before any human reviews it.

AI laws that may apply

10 surfaced across 6 lenses

Grouped by legal lens. Click any provision to see how it applies to this launch specifically.

AI-specific

Synthetic content labeling (AI Act Art.50(2))Settled rule, unsettled applicationVerified 2026-05-25
Providers of AI systems generating synthetic audio, image, video, or text must ensure outputs are marked as artificially generated.
Disclosure of AI interaction (AI Act Art.50(1))Settled rule, unsettled applicationVerified 2026-05-25
Providers must design AI systems interacting with people so that users are informed they are interacting with AI (not a human).

Privacy

Automated decision-making prohibition (GDPR Art.22)Settled rule, unsettled applicationVerified 2026-05-25
Data subjects have a right not to be subject to solely automated decisions (including profiling) producing legal or similarly significant effects on them.
Data protection by design and by default (GDPR Art.25)Settled rule, unsettled applicationVerified 2026-05-25
Controllers must implement data-protection principles (e.g. minimization, pseudonymisation) into processing from the earliest design stages.
Lawfulness of processing (GDPR Art.6)Settled rule, unsettled applicationVerified 2026-05-25
Personal data processing must fit at least one lawful basis (e.g. consent, contract performance, vital interests, public task, legitimate interest).

Consumer protection

Unfair or deceptive practices (FTC Act Sec.5)Settled rule, unsettled applicationVerified 2026-05-25
Prohibits unfair or deceptive acts or practices affecting commerce, which can include false claims about an AI product capabilities or negligent AI design endangering consumers.

Accessibility

ADA Title II Digital Accessibility (DOJ rule)Settled rule, unsettled applicationVerified 2026-05-25
DOJ Title II rule mandates that websites and mobile apps conform to WCAG 2.1 Level AA standards.
EU EN 301 549 / WCAG 2.1Settled rule, unsettled applicationVerified 2026-05-25
Under the EU Web Accessibility Directive, public-sector websites and mobile apps must meet EN 301 549 incorporating WCAG 2.1 Level AA.

Liability

EU Revised Product Liability Directive (2024)Settled rule, unsettled applicationVerified 2026-05-25
The EU 2024 update to the Product Liability Directive extends strict liability to digital products including AI-based systems.

other

EU AI Act, Art. 50Settled rule, unsettled applicationPending · omnibus_viiVerified 2026-05-23
Imposes transparency obligations on providers and deployers of AI systems. Providers must ensure persons interacting with AI systems are informed they are interacting with AI (unless obvious). Providers of generative AI…

Worth watching

Provisions that may not strictly apply today but are close enough to the launch shape that they are worth keeping an eye on. No per-launch analysis is generated for these.

DMCA 512 Safe Harbor (AI Content)Under 17 USC 512, online service providers are shielded from liability for user-posted infringing content if t…copyright.gov ↗
Right of Publicity for AI LikenessesState right-of-publicity laws can prohibit using a person likeness or voice without permission.leginfo.legislature.ca.gov ↗

Not legal advice. Structured analysis of what a thoughtful counsel would consider given the inputs above. Does not substitute for counsel review or certify compliance.