Customer-support chatbot (EU/UK/US)
EU AI Act transparency and GDPR obligations dominate a consumer-facing support chatbot with refund handling.
This launch sits squarely under EU AI Act Article 50 disclosure requirements and GDPR, with a US-side FTC deceptive practices risk that is not theoretical given the chatbot handles refund inquiries. The single most material risk is the refund inquiry workflow: if the chatbot communicates anything that reads like a binding refund decision without human review, you have a live GDPR Article 22 violation and a credible FTC Section 5 exposure at the same time. The AI Act transparency obligations are overlapping and largely redundant in practice, meaning one well-designed disclosure at chatbot launch satisfies both Article 50(1) and 50(2) together. The logging of prospect conversations is the least-settled lawful basis question and the one most likely to surface first in a regulatory inquiry.
1. Before launch, gate the refund inquiry flow so that no binding outcome is communicated to the user until a human agent reviews and approves it, satisfying GDPR Art. 22 and pre-empting the FTC Section 5 risk in a single design decision.
2. Display a clear AI disclosure before the user can submit their first message, naming the system as AI-powered and not a human agent, which satisfies both AI Act Art. 50(1) and Art. 50(2) in one persistent UI element.
3. Document the lawful basis for conversation logging separately for existing customers (contract, Art. 6(1)(b)) and for prospects (likely legitimate interests, Art. 6(1)(f)), and record that analysis in your processing register before go-live.
4. Audit the help-center articles used in the RAG pipeline for third-party copyright exposure now, since DMCA 512 safe harbor does not apply to content you generate or curate yourself, and add a terms-of-use disclaimer limiting chatbot responses to informational use only to reduce EU Product Liability Directive exposure.
5. Run a WCAG 2.1 Level AA check on the chat widget before launch, prioritizing keyboard navigation, focus indicators, and color contrast, to satisfy the ADA Title II obligation that applies because this is a customer-facing interface on your public marketing site.
Whether a chatbot that generates an initial refund assessment and presents it to the customer, even with a downstream human approval step, constitutes a solely automated decision producing a significant effect under GDPR Art. 22, or whether the human review is sufficiently meaningful to take it outside that prohibition.
AI laws that may apply
10 surfaced across 6 lenses, grouped by legal lens.
AI-specific (2)
Providers of AI systems generating synthetic audio, image, video, or text must ensure outputs are marked as artificially generated.
- Disclosure of AI interaction (AI Act Art. 50(1)). Settled rule, unsettled application. Verified 2026-05-25.
Providers must design AI systems interacting with people so that users are informed they are interacting with AI (not a human).
Privacy (3)
- Automated decision-making prohibition (GDPR Art. 22). Settled rule, unsettled application. Verified 2026-05-25.
Data subjects have a right not to be subject to solely automated decisions (including profiling) producing legal or similarly significant effects on them.
- Data protection by design and by default (GDPR Art. 25). Settled rule, unsettled application. Verified 2026-05-25.
Controllers must implement data-protection principles (e.g. minimization, pseudonymisation) into processing from the earliest design stages.
Personal data processing must fit at least one lawful basis (e.g. consent, contract performance, vital interests, public task, legitimate interest).
Consumer protection (1)
Prohibits unfair or deceptive acts or practices affecting commerce, which can include false claims about an AI product's capabilities or negligent AI design endangering consumers.
Accessibility (2)
DOJ Title II rule mandates that websites and mobile apps conform to WCAG 2.1 Level AA standards.
Under the EU Web Accessibility Directive, public-sector websites and mobile apps must meet EN 301 549 incorporating WCAG 2.1 Level AA.
Liability (1)
The EU 2024 update to the Product Liability Directive extends strict liability to digital products including AI-based systems.
Other (1)
Imposes transparency obligations on providers and deployers of AI systems. Providers must ensure persons interacting with AI systems are informed they are interacting with AI (unless obvious). Providers of generative AI…
Worth watching (1)
Provisions that may not strictly apply today but are close enough to the launch shape that they are worth keeping an eye on. No per-launch analysis is generated for these.
- DMCA 512 Safe Harbor (AI Content): Under 17 USC 512, online service providers are shielded from liability for user-posted infringing content if t… (copyright.gov)
Not legal advice. Structured analysis of what a thoughtful counsel would consider given the inputs above. Does not substitute for counsel review or certify compliance.