CIPA Compliance for Websites: The Complete 2026 Guide

What is the EU AI Act?

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive legal framework governing artificial intelligence. It entered into force on August 1, 2024, and is rolling out in phases through 2027. The goal is to ensure that AI systems used in the European Union are safe, transparent, and respect fundamental rights.

Unlike GDPR — which was a response to privacy violations that had already occurred at scale — the AI Act is proactive regulation. The EU is attempting to set the rules for AI before the harms become widespread. In doing so, it has created obligations that will affect every website owner who uses AI tools to interact with, serve content to, or make decisions about EU visitors.

🌍 Extraterritorial reach — it applies globally
Just like GDPR, the EU AI Act applies to any organisation that places AI systems on the EU market or whose AI systems produce outputs that are used within the EU — regardless of where the organisation is based. A Shopify store in Austin that uses an AI chatbot for EU customers is subject to the Act. A SaaS company in Mumbai offering AI-personalised product recommendations to EU users is subject to the Act.

Does the EU AI Act apply to your website?

The short answer: if your website has EU visitors and uses any form of AI, you are almost certainly covered. The more nuanced answer depends on what kind of AI you use and what role you play in the AI supply chain.

The two roles: Provider vs Deployer

The Act assigns obligations by role, not company size or location:

  • Provider: An organisation that develops an AI system and places it on the market under its own name. If you build your own chatbot or recommendation engine from scratch, you are a provider.
  • Deployer: An organisation that uses an AI system in its own context. If you add a third-party chatbot (ChatGPT, Intercom AI, Tidio) to your website, you are a deployer of that system.

Most small and medium-sized website owners are deployers — they use AI tools built by others. This matters because deployers generally have lighter obligations than providers. But deployers still have concrete obligations, particularly around transparency.

⚠️ You can be both a provider AND a deployer
If your SaaS platform uses OpenAI's API to power a feature you ship to customers under your own brand, you are a deployer of OpenAI and a provider of your own AI-powered feature. Most SaaS companies fall into both categories simultaneously. Each role carries its own set of obligations under the Act.

The four risk categories — where does your AI fall?

The Act classifies AI systems into four risk tiers. Your obligations depend entirely on which tier your AI use cases fall into. For most website owners, the relevant tier is Limited Risk — but understanding all four is important for the full picture.

  • Prohibited — Banned since Feb 2025 (Unacceptable Risk): Social scoring systems. Real-time biometric surveillance in public spaces. Emotion recognition in workplaces and schools. AI that exploits cognitive vulnerabilities. Predictive policing. Not relevant to standard website use — these are banned entirely.
  • High Risk — Aug 2, 2026 deadline (Consequential Decisions): AI used in hiring and employment decisions, credit scoring, medical diagnosis, educational assessment, critical infrastructure, law enforcement. Requires risk management systems, technical documentation, human oversight, conformity assessments. Most standard eCommerce AI is NOT in this category.
  • Limited Risk — ⚠️ Your most likely category (Transparency Obligations): AI chatbots and virtual assistants. AI-generated or manipulated content (text, images, audio). Recommender systems. AI-personalised experiences. Requires clear disclosure to users. Most eCommerce websites using AI features fall here. Article 50 applies from August 2, 2026.
  • Minimal Risk — No specific obligations (Low-Impact AI): AI spam filters. AI-assisted grammar tools. Simple automation. Search ranking algorithms. Basic personalisation without profiling. No specific AI Act obligations — general good practice recommended.

Key deadlines — what applies when

The EU AI Act has a staggered implementation timeline. Not everything applies at once, and different obligations have different effective dates. Here is what matters for website owners:

  • August 1, 2024: Act enters into force. The EU AI Act was officially published and became law. The two-year compliance clock started. No obligations yet for most businesses.
  • February 2, 2025: Prohibited AI systems banned. All unacceptable-risk AI systems became prohibited. Social scoring, real-time biometric surveillance, and exploitative AI were banned from the EU market. The Article 4 AI literacy requirement also became active.
  • August 2, 2025: GPAI model obligations begin. General-purpose AI model providers (OpenAI, Anthropic, Google, Meta) must comply with transparency and safety obligations. Governance infrastructure established.
  • August 2, 2026 — KEY DATE FOR WEBSITE OWNERS: Full application — Article 50 transparency obligations. This is the deadline that affects most website owners. Article 50 requires disclosure when visitors interact with AI chatbots, AI-generated content, or AI-powered systems. High-risk AI system obligations also begin. If you use AI on your website, this is your compliance date.
  • August 2, 2027: Extended transition for embedded AI in regulated products. Extended deadline for AI systems embedded in regulated products (medical devices, machinery) already on the market before August 2025. Not relevant to standard websites.

Article 50 — exactly what you must disclose

Article 50 is the provision that directly affects most website owners. It sets out transparency obligations for limited-risk AI systems. From August 2, 2026, these disclosures are legally required when EU visitors interact with your website's AI features.

  • 🤖 AI chatbots and virtual assistants: When a visitor interacts with a chatbot, virtual assistant, or automated customer service agent on your website, they must be clearly informed that they are not talking to a human. This applies to chatbots powered by GPT-4, Claude, Gemini, or any AI model — regardless of how the chatbot is branded. The disclosure must be given at the beginning of the interaction, not buried in a privacy policy.
  • ✍️ AI-generated text, images, and audio: Content that has been generated or substantially manipulated by AI must be labelled as AI-generated. This includes AI-written product descriptions, AI-generated blog posts, synthetic product images, and AI-manipulated visuals. The disclosure must be machine-readable (for platforms) and visible to users. Deepfake-style content has stricter watermarking requirements from December 2, 2026.
  • 🎯 AI-powered personalisation and recommendations: When AI systems are used to create significantly personalised experiences — product recommendations, dynamic pricing, content personalisation based on profiling — visitors must be informed that AI is being used to tailor their experience. This intersects with GDPR consent requirements where personal data is processed.
  • 📢 Emotion recognition and biometric categorisation: If your website uses any system that attempts to detect emotions or categorise visitors by biometric characteristics (rare but worth noting), subjects must be explicitly informed before the system activates. High penalties apply. Most eCommerce sites have no such system — but AI analytics tools claiming to detect "engagement" or "frustration" from behaviour patterns may come close.
💡 The disclosure must be timely and clear
It is not enough to mention AI use in your privacy policy. The AI Act requires disclosure at the point of interaction — when the visitor encounters the AI feature, not when they sign up or read small print. A visitor opening your chatbot must be told it is AI before or at the moment they start typing, not in a footer link three clicks away.

GDPR vs EU AI Act — how they relate

Many website owners ask whether the EU AI Act replaces GDPR or is the same thing. It is neither — they are separate, complementary obligations that overlap in important places.

| Dimension | GDPR | EU AI Act |
| --- | --- | --- |
| What it regulates | Personal data — collection, processing, storage, transfer | Artificial intelligence systems — their use, disclosure, and risk management |
| Core obligation | Get consent before processing personal data; protect it; give people rights over it | Disclose when AI is active; manage AI risk; don't use prohibited AI |
| When it applies to AI | When AI processes personal data (almost always) | When AI is deployed to users or produces outputs in the EU |
| Max fine | €20M or 4% of global turnover | €35M or 7% of global turnover (prohibited systems) |

Overlap zone: AI personalisation using personal data requires both GDPR consent and AI Act disclosure. A single disclosure mechanism can satisfy both if designed correctly.
One banner can handle both
The consent banner your website already uses for GDPR/CCPA cookie disclosure is the natural place to add EU AI Act transparency disclosures. A "Details" section in the banner that lists both cookie categories and AI systems used gives visitors a single, clear disclosure point that satisfies both regimes simultaneously. This is exactly the approach ConsentPixel — Privacy · Verified takes with its built-in AI Content disclosure toggle.

What this means for eCommerce websites specifically

If you run a Shopify store, WooCommerce site, or any eCommerce operation with EU customers, here is a practical inventory of AI features you may already be using that create EU AI Act obligations:

AI features that require Article 50 disclosure

  • AI chatbots — Tidio AI, Intercom Fin, Gorgias AI, Drift, ChatGPT-powered support bots. All require disclosure that the visitor is talking to an AI.
  • AI product recommendations — "Customers also bought", personalised homepage, AI-curated collections. Require disclosure when driven by an AI recommendation engine processing visitor behaviour.
  • AI-generated product descriptions — Content written or substantially edited by GPT-4, Gemini, Claude, Jasper, or similar tools. Require labelling as AI-generated.
  • AI-generated product images — Images created by Midjourney, DALL·E, Stable Diffusion, or similar. Require labelling as AI-generated from August 2026.
  • Dynamic pricing engines — AI systems that adjust prices based on demand, visitor behaviour, or profiling. Require disclosure when they create meaningfully different experiences between visitors.
  • AI search and filtering — Semantic search, AI-ranked results, behavioural filtering. Require disclosure when they significantly personalise results based on visitor profiling.

AI features that likely do NOT require explicit disclosure

Not everything triggers Article 50. Basic automation, simple rule-based systems, and background AI that does not interact with users or significantly personalise their experience generally fall into the minimal-risk category:

AI spam filtering on contact forms. Grammar and spell-check tools in your CMS. Basic SEO keyword suggestions. Backend fraud detection. Standard A/B testing. Search engine ranking (not user-facing AI personalisation).

🔍 When in doubt — disclose
The threshold for disclosure is lower than for GDPR consent. You do not need visitors to opt in or opt out of AI features in most cases — you just need to tell them AI is there. If you are unsure whether a feature requires disclosure, erring on the side of transparency is both legally safer and better for visitor trust. A "What AI we use" section in your banner details panel adds virtually no friction and eliminates the ambiguity entirely.

How to comply — practical steps for 2026

Compliance for a standard eCommerce or SaaS website is genuinely achievable. The EU AI Act does not require large compliance teams, expensive audits, or technical certifications for limited-risk AI. What it requires is transparency — and transparency is something you can implement quickly.

Step 1 — Audit your AI use

List every AI tool, feature, and integration active on your website. For each one: does it interact with visitors? Does it generate content visitors see? Does it personalise their experience? Does it make any decisions about them? This inventory is the foundation of everything else.

Step 2 — Add AI transparency disclosures to your consent banner

The most practical and visitor-friendly approach is to add an "AI Systems" or "AI-Powered Features" category to the details panel of your existing consent banner. This gives EU visitors a single place to see both your cookie/tracking disclosures (required by GDPR) and your AI feature disclosures (required by the AI Act). It requires no extra pop-ups, no separate AI notice, and no additional friction.

The disclosure should identify which AI systems are active, what they do, and (where personal data is involved) what data they process. ConsentPixel — Privacy · Verified includes a built-in "AI Content Transparency" toggle in the banner builder — when enabled, your banner's details panel automatically surfaces an AI disclosure section for EU visitors.

Step 3 — Label AI-generated content

For product descriptions, blog posts, or images created by AI tools, add a visible label. This can be as simple as a small "Created with AI assistance" note in the product description, a site-wide footer disclosure ("Some content on this site is AI-generated"), or a more prominent per-product label. The Act does not specify the exact format — clarity is the requirement.

Step 4 — Configure chatbot disclosure

If you use an AI chatbot, ensure it identifies itself as an AI at the start of every conversation. Most major chatbot platforms (Intercom, Tidio, Zendesk) have a configuration option for this. Add a visible label to the chat widget itself: "AI-powered support" or "Chat with our AI assistant." Check that your chatbot does not impersonate a named human agent without disclosure.

Step 5 — Update your privacy policy

Add an "AI Systems" section to your privacy policy that lists the AI tools you use, what they do, and how they process visitor data. This serves both the AI Act transparency requirement and the GDPR documentation requirement. Your privacy policy is not a substitute for timely disclosure at the point of interaction — but it provides the legal paper trail that regulators look for.

How long does this take?
For a typical eCommerce store: completing an AI audit takes 1–2 hours. Adding an AI disclosure toggle to a ConsentPixel banner takes under 5 minutes. Labelling AI-generated content is a one-time task per content type. Configuring chatbot disclosure is usually a single settings toggle. Total realistic effort to be meaningfully compliant: less than a day for most sites. The barrier is awareness, not complexity.

Frequently asked questions

Does the EU AI Act apply to websites based outside the EU?
Yes. The EU AI Act has extraterritorial reach — it applies to any business that places AI systems on the EU market or whose AI systems produce outputs used in the EU. If your US-based eCommerce website has EU visitors and uses AI chatbots, AI product recommendations, or AI-generated content, the Act applies to you. This is the same approach the EU took with GDPR.

What is the key compliance deadline for website owners?
For most eCommerce and SaaS websites, the key deadline is August 2, 2026. This is when Article 50 transparency obligations take full effect — requiring disclosure when visitors interact with AI chatbots, AI-generated content, or personalisation engines. The prohibition on unacceptable-risk AI has been in effect since February 2025.

What exactly must be disclosed under Article 50?
Under Article 50, you must disclose: when visitors are interacting with an AI chatbot (not a human); when content is AI-generated or AI-manipulated (product descriptions, images, reviews); when AI is used to significantly personalise the visitor experience. The disclosure must be timely — at the point of interaction — not just in a privacy policy.

What are the penalties for non-compliance?
For limited-risk transparency violations — the category most relevant to website owners — fines are up to €15 million or 3% of global annual turnover. For high-risk AI violations, fines are up to €15 million or 3% of turnover. The most severe penalties (€35M or 7%) apply only to prohibited AI systems. Enforcement ramps up after August 2026.

Do AI chatbots have to disclose that they are AI?
Yes. AI chatbots and virtual assistants are explicitly covered under Article 50 as limited-risk AI systems. From August 2, 2026, any chatbot on your website must clearly inform EU visitors they are interacting with an AI — not a human. This applies regardless of how the chatbot is branded or what AI model powers it.

How does the EU AI Act differ from GDPR?
GDPR is about personal data — how you collect, process, and protect it. The EU AI Act is about artificial intelligence — how you use, deploy, and disclose it. They are complementary but separate obligations. A website can be GDPR-compliant but non-compliant with the AI Act if it uses AI without disclosure. For most small websites, the AI Act adds transparency requirements on top of existing GDPR obligations.
The bottom line for website owners
The EU AI Act is not GDPR 2.0. It is a different kind of regulation — focused on transparency rather than consent, disclosure rather than opt-in. For most eCommerce sites and SaaS products, compliance is straightforward: tell EU visitors when they are talking to an AI, label content that AI generated, and keep a record that you did both. The obligation is disclosure, not permission. The deadline is August 2, 2026. The cost of getting it right is a few hours of work. The cost of ignoring it is up to 3% of global annual turnover.
Handle EU AI Act disclosures automatically
ConsentPixel — Privacy · Verified includes a built-in AI Content Transparency toggle in the banner builder. Enable it, describe your AI features, and your consent banner automatically surfaces the required Article 50 disclosure for EU visitors — no extra pop-ups, no separate AI notice.