Customer-support chatbot (EU/UK/US)

EU, UK, US federalConsumers2026-05-26

In accordance with our privacy statement.

Summary

EU/UK consumer chatbot with overlapping AI disclosure mandates and GDPR lawful-basis gaps.

This launch sits squarely under EU AI Act Article 50 and GDPR, with secondary FTC and ADA exposure for the US audience. The most material risk is not any single provision but the convergence of two: the chatbot has no pre-conversation AI disclosure and no documented lawful basis for logging transcripts, meaning the two highest-scrutiny requirements in the EU are both unmet at launch. The revised Product Liability Directive adds a defect-documentation obligation that is easy to satisfy now and expensive to reconstruct later if a claim arises over a bad refund answer. FTC Section 5 and ADA Title II round out the US exposure but are lower probability given the chatbot's purely informational role and the absence of any human-impersonation design.

0 dealbreakers10 obligations1 watch item
Top priorities
  1. 1Add a single pre-conversation disclosure banner stating the user is interacting with an AI assistant, satisfying both AI Act Art. 50(1) and Art. 50(2) and the FTC deception standard in one implementation.
  2. 2Document and lock the lawful basis for each distinct processing activity under GDPR Art. 6 before launch, specifically: real-time query handling, transcript logging for QA, and API transmission to Claude.
  3. 3Audit the logging architecture under GDPR Art. 25 to confirm only the data fields necessary for QA are captured, and set a retention limit with automatic deletion.
  4. 4Snapshot and retain the RAG source articles, Claude version, and system prompt configuration at launch to support any future product liability defense under the Revised Product Liability Directive.
  5. 5Conduct a WCAG 2.1 Level AA audit of the chatbot UI covering input fields, response display, and error states to close ADA Title II exposure for the US user base.
Biggest open question

Whether transmitting conversation transcripts containing EU consumer personal data to Anthropic's API for Claude generation satisfies GDPR Art. 6 on a legitimate-interests basis alone, or whether a data processing agreement and transfer mechanism are independently required before any UK or EU user sends a message.

AI laws that may apply

10 surfaced across 6 lenses

Grouped by legal lens. Click any provision to see how it applies to this launch specifically.

AI-specific

2
  • Synthetic content labeling (AI Act Art.50(2))Settled rule, unsettled applicationVerified 2026-05-25

    Providers of AI systems generating synthetic audio, image, video, or text must ensure outputs are marked as artificially generated.

  • Disclosure of AI interaction (AI Act Art.50(1))Settled rule, unsettled applicationVerified 2026-05-25

    Providers must design AI systems interacting with people so that users are informed they are interacting with AI (not a human).

Privacy

3
  • Automated decision-making prohibition (GDPR Art.22)Settled rule, unsettled applicationVerified 2026-05-25

    Data subjects have a right not to be subject to solely automated decisions (including profiling) producing legal or similarly significant effects on them.

  • Data protection by design and by default (GDPR Art.25)Settled rule, unsettled applicationVerified 2026-05-25

    Controllers must implement data-protection principles (e.g. minimization, pseudonymisation) into processing from the earliest design stages.

  • Lawfulness of processing (GDPR Art.6)Settled rule, unsettled applicationVerified 2026-05-25

    Personal data processing must fit at least one lawful basis (e.g. consent, contract performance, vital interests, public task, legitimate interest).

Consumer protection

1
  • Unfair or deceptive practices (FTC Act Sec.5)Settled rule, unsettled applicationVerified 2026-05-25

    Prohibits unfair or deceptive acts or practices affecting commerce, which can include false claims about an AI product capabilities or negligent AI design endangering consumers.

Accessibility

2
  • ADA Title II Digital Accessibility (DOJ rule)Settled rule, unsettled applicationVerified 2026-05-25

    DOJ Title II rule mandates that websites and mobile apps conform to WCAG 2.1 Level AA standards.

  • EU EN 301 549 / WCAG 2.1Settled rule, unsettled applicationVerified 2026-05-25

    Under the EU Web Accessibility Directive, public-sector websites and mobile apps must meet EN 301 549 incorporating WCAG 2.1 Level AA.

Liability

1
  • EU Revised Product Liability Directive (2024)Settled rule, unsettled applicationVerified 2026-05-25

    The EU 2024 update to the Product Liability Directive extends strict liability to digital products including AI-based systems.

other

1
  • EU AI Act, Art. 50Settled rule, unsettled applicationPending · omnibus_viiVerified 2026-05-23

    Imposes transparency obligations on providers and deployers of AI systems. Providers must ensure persons interacting with AI systems are informed they are interacting with AI (unless obvious). Providers of generative AI…

Worth watching

1

Provisions that may not strictly apply today but are close enough to the launch shape that they are worth keeping an eye on. No per-launch analysis is generated for these.

  • DMCA 512 Safe Harbor (AI Content)Under 17 USC 512, online service providers are shielded from liability for user-posted infringing content if tcopyright.gov

Not legal advice. Structured analysis of what a thoughtful counsel would consider given the inputs above. Does not substitute for counsel review or certify compliance.

Customer-support chatbot (EU/UK/US) — Anteroom