Customer support chatbot deployed on our marketing site
In accordance with our privacy statement.
EU AI Act disclosure and GDPR data minimization are the live compliance obligations at launch.
This chatbot sits squarely under the EU AI Act Art. 50 transparency regime and GDPR, with meaningful but manageable obligations across both. The most material risk at launch is not a single dramatic provision but the compounding effect of shipping without a documented lawful basis for conversation logging and without a visible AI disclosure, which exposes the company simultaneously under GDPR Art. 6, AI Act Art. 50, and FTC Act Sec. 5 across three jurisdictions. Article 22 automated decision-making is not triggered as long as refund decisions stay with humans, and that line must be documented and held. The EU Product Liability Directive creates a longer-horizon product quality obligation that argues for building a hallucination and failure-mode inventory before launch, not after the first user complaint.
1. Before launch, map every data type the chatbot logs (conversation content, customer identity, refund status) to a specific GDPR Art. 6 lawful basis and record that mapping in writing, because absent this the entire logging practice is unlawful for EU and UK users.
2. Add a visible AI disclosure in the chatbot interface header or opening message stating users are interacting with an AI system, satisfying AI Act Art. 50(1), Art. 50(2), and FTC Act Sec. 5 in a single implementation pass.
3. Define and enforce a data minimization policy under GDPR Art. 25 specifying exactly which conversation fields must be retained for QA and the retention period, discarding everything else at session close.
4. Document in writing that the chatbot provides information only and that any refund determination requires a human decision, in order to lock in the Art. 22 exclusion and prevent scope creep at the product level.
5. Conduct a WCAG 2.1 Level AA accessibility audit of the chatbot interface before launch to satisfy the ADA Title II digital accessibility obligation for US users, and retain results to show good-faith compliance effort.
Whether conversation logs tied to a customer account constitute processing for a contract performance purpose under GDPR Art. 6(1)(b) or require a separate legitimate interest assessment under Art. 6(1)(f), which determines the strength of any erasure or objection right a user could assert against the QA logging practice.
AI laws that may apply
10 surfaced across 6 lenses, grouped by legal lens.
AI-specific (2)
Providers of AI systems generating synthetic audio, image, video, or text must ensure outputs are marked as artificially generated.
- Disclosure of AI interaction (AI Act Art. 50(1)). Settled rule, unsettled application. Verified 2026-05-25
Providers must design AI systems interacting with people so that users are informed they are interacting with AI (not a human).
Privacy (3)
- Automated decision-making prohibition (GDPR Art. 22). Settled rule, unsettled application. Verified 2026-05-25
Data subjects have a right not to be subject to solely automated decisions (including profiling) producing legal or similarly significant effects on them.
- Data protection by design and by default (GDPR Art. 25). Settled rule, unsettled application. Verified 2026-05-25
Controllers must implement data-protection principles (e.g. minimization, pseudonymisation) into processing from the earliest design stages.
Personal data processing must fit at least one lawful basis (e.g. consent, contract performance, vital interests, public task, legitimate interest).
Consumer protection (1)
Prohibits unfair or deceptive acts or practices affecting commerce, which can include false claims about an AI product's capabilities or negligent AI design endangering consumers.
Accessibility (2)
DOJ Title II rule mandates that websites and mobile apps conform to WCAG 2.1 Level AA standards.
Under the EU Web Accessibility Directive, public-sector websites and mobile apps must meet EN 301 549 incorporating WCAG 2.1 Level AA.
Liability (1)
The EU 2024 update to the Product Liability Directive extends strict liability to digital products including AI-based systems.
Other (1)
Imposes transparency obligations on providers and deployers of AI systems. Providers must ensure persons interacting with AI systems are informed they are interacting with AI (unless obvious). Providers of generative AI…
Worth watching (1)
Provisions that may not strictly apply today but are close enough to the launch shape that they are worth keeping an eye on. No per-launch analysis is generated for these.
- DMCA 512 Safe Harbor (AI Content): Under 17 USC 512, online service providers are shielded from liability for user-posted infringing content if t… (copyright.gov)
Not legal advice. Structured analysis of what a thoughtful counsel would consider given the inputs above. Does not substitute for counsel review or certify compliance.