Customer support chatbot deployed on our marketing site
In accordance with our privacy statement.
EU AI Act transparency obligations dominate. GDPR lawful basis gap is the live litigation risk.
This deployment is a low-complexity AI system under the EU AI Act but carries real exposure under two distinct Art. 50 transparency obligations that overlap and must be satisfied together, not treated as duplicates. The more immediate litigation risk is GDPR Art. 6: you are processing personal data from both existing customers and unauthenticated prospects right now, and the lawful basis for each population is different, undocumented, and undefended. The EU Product Liability Directive adds a strict liability tail if the chatbot surfaces wrong refund or product information, which makes accuracy controls and clear scope disclaimers a prerequisite to launch, not a post-launch cleanup item. FTC Act exposure is real but secondary to the EU stack given the user population.
1. Document separate GDPR Art. 6 lawful bases for prospects (likely legitimate interest, requiring a balancing test) versus existing customers (likely contract performance), and record both before any EU or UK traffic reaches the chatbot.
2. Satisfy AI Act Art. 50(1) and 50(2) together with a single persistent disclosure in the chat interface opening message that names the system as AI-powered and identifies Claude as the underlying model, covering both the interaction-level and synthetic-content-level obligations in one place.
3. Audit conversation logging under GDPR Art. 25: confirm that QA logs retain only the minimum fields necessary, that retention periods are defined, and that personal data referenced in refund inquiries is masked or pseudonymized at rest.
4. Before launch, document and test the precise scope of what the chatbot can and cannot do on refund inquiries, ensure the UI does not overstate that scope, and confirm in writing that refund decisions are made by a human agent, satisfying both FTC Act Sec. 5 and the GDPR Art. 22 automated-decision-making boundary.
5. Run a WCAG 2.1 Level AA audit of the chat interface covering keyboard navigation, screen reader compatibility, and color contrast to satisfy the ADA Title II obligation for US users before go-live.
Whether processing unauthenticated prospect conversations through the RAG pipeline constitutes legitimate interest under GDPR Art. 6(1)(f) without a formal balancing test, or whether it requires consent, which would materially change the pre-chat UX flow.
AI laws that may apply
10 provisions surfaced across 6 lenses, grouped by legal lens. Each provision is assessed for how it applies to this launch specifically.
AI-specific (2)
- Marking of synthetic content (AI Act): Providers of AI systems generating synthetic audio, image, video, or text must ensure outputs are marked as artificially generated.
- Disclosure of AI interaction (AI Act Art. 50(1)). Settled rule, unsettled application. Verified 2026-05-25.
Providers must design AI systems interacting with people so that users are informed they are interacting with AI (not a human).
Privacy (3)
- Automated decision-making prohibition (GDPR Art. 22). Settled rule, unsettled application. Verified 2026-05-25.
Data subjects have a right not to be subject to solely automated decisions (including profiling) producing legal or similarly significant effects on them.
- Data protection by design and by default (GDPR Art. 25). Settled rule, unsettled application. Verified 2026-05-25.
Controllers must implement data-protection principles (e.g. minimization, pseudonymisation) into processing from the earliest design stages.
- Lawful basis for processing (GDPR Art. 6): Personal data processing must fit at least one lawful basis (e.g. consent, contract performance, vital interests, public task, legitimate interest).
Consumer protection (1)
- FTC Act Sec. 5: Prohibits unfair or deceptive acts or practices affecting commerce, which can include false claims about an AI product's capabilities or negligent AI design that endangers consumers.
Accessibility (2)
- ADA Title II (DOJ rule): mandates that websites and mobile apps conform to WCAG 2.1 Level AA standards.
- EU Web Accessibility Directive: public-sector websites and mobile apps must meet EN 301 549, incorporating WCAG 2.1 Level AA.
Liability (1)
- EU Product Liability Directive (2024 update): extends strict liability to digital products, including AI-based systems.
Other (1)
- Imposes transparency obligations on providers and deployers of AI systems. Providers must ensure persons interacting with AI systems are informed they are interacting with AI (unless obvious). Providers of generative AI…
Worth watching (1)
Provisions that may not strictly apply today but are close enough to the launch shape that they are worth keeping an eye on. No per-launch analysis is generated for these.
- DMCA 512 Safe Harbor (AI Content): Under 17 USC 512, online service providers are shielded from liability for user-posted infringing content if t… (source: copyright.gov)
Not legal advice. Structured analysis of what a thoughtful counsel would consider given the inputs above. Does not substitute for counsel review or certify compliance.