The Breakthrough Agency.

The EU AI Act deadline retailers aren’t ready for

The EU AI Act became law in August 2024. Most people filed it under “something to worry about later” and moved on. The deadline for the part that affects retailers most directly is August 2026 – and now, later is starting to feel quite close.

That’s producing the predictable spike in questions. I’ve been asked about it enough times in the last few weeks that I wrote it up properly.

The Act’s transparency chapter – Article 50 – is the provision that doesn’t care whether your AI is “high risk” or not. It catches almost every retailer running AI across their customer journeys, which at this point is most of them. The question isn’t whether you’re in scope. It’s whether you’ve looked.

What Article 50 actually requires

The Act works on risk tiers, and most retailers have correctly concluded they’re not running high-risk AI. Article 50 operates separately from that. It’s about transparency at customer touchpoints, regardless of risk category.

Four obligations cover most retail use cases.

Chatbots and virtual assistants. If you deploy AI that interacts with customers, they must be explicitly told it’s AI. The “obvious from context” exception is narrower than most assume – a chat widget named “Aria” or “Max” doesn’t automatically qualify. Disclosure needs to be clear, at the point of interaction, before the conversation starts.

Emotion recognition and biometric categorisation. If you use systems that read customer sentiment, infer demographics from facial or body data, or categorise people by biometric characteristics – including through audience intelligence tools from retail media networks or in-store analytics platforms – people must be informed before they’re in scope. In-store signage before the capture zone is the minimum expectation.

Synthetic content depicting real people. Generating or manipulating images, audio, or video that falsely appears to show real people requires disclosure that the content is artificial. This covers content using real people’s likenesses. AI-generated synthetic models in product imagery sit in a genuinely grey area; content that depicts or impersonates actual individuals does not.

AI-generated text on matters of public interest. More media-facing than retail-specific, but worth reviewing if you publish editorial or category commentary that’s AI-generated and presented as considered human perspective.

Where most retailers are sitting

Most have deployed AI faster than governance has caught up. A chatbot switched on two years ago by the platform team. Product descriptions running through a generation tool that nobody asked compliance questions of. In-store analytics from a retail media partnership whose terms haven’t been read recently.

Here’s what a gap actually looks like: you’re running a chatbot from your platform vendor. It has a name, a friendly avatar, and it answers product questions convincingly. Somewhere in the admin panel there’s a setting – “inform users this is an AI” – and it’s off by default. Nobody turned it on because nobody knew it needed to be. That’s the typical gap: turned on, not implemented. Not malicious, just unreviewed.

The harder problem is ownership. Article 50 doesn’t sit neatly inside legal, IT, or marketing. The chatbot disclosure question is a UX decision. The in-store analytics question is a vendor question. The synthetic content question lands with creative. No single team has the full picture unless someone has gone looking for it, and in most retailers, nobody has.

Do this. Not that.

Do:

  • Map every customer-facing AI touchpoint before anything else
  • Turn on disclosure settings in your chatbot platforms (they’re already there, just off by default)
  • Brief your creative agencies on synthetic content requirements now, before the next campaign brief
  • Document the audit – what you checked, what you found, what changed
  • Treat this as cross-functional from the start: one person needs to coordinate legal, tech, UX, and creative

Don’t:

  • Assume “obvious from context” covers your chatbot
  • Treat this as legal’s problem to solve in isolation
  • Wait for a vendor or agency to raise it (most won’t)
  • Assume that because your AI isn’t “high-risk” you’re outside the Act’s scope
  • Confuse GDPR compliance (done) with AI Act compliance (different, and not done)

Should you wait and let competitors go first?

I want to address this directly, because I’ve heard it enough times that it’s worth answering properly.

The logic: moving first on Article 50 disclosure might flag to customers that you’ve been using AI in ways they hadn’t noticed. Better to wait until competitors move, see how their customers react, then implement once the path is clearer.

Here’s why I’d push back on it.

First, the regulation removes the choice. From August 2026, non-disclosure isn’t a strategy – it’s a breach. Penalties run to €15 million or 3% of global annual turnover, whichever is higher. The question isn’t whether to disclose, only when and how.

Second, the trust risk is backwards. Customers don’t react badly to knowing they’re talking to an AI. They react badly to finding out you were using AI and chose not to tell them. That’s the trust event – the one that ends up in the press and gets screenshotted. Proactive disclosure is the brand-safe move.

Third, the differentiation window closes fast. Retailers who implement this thoughtfully – treating disclosure as part of a good customer experience rather than a legal footnote – will be ahead of those who bolt it on in a scramble in Q2 2026. That advantage is available right now. Once everyone’s compliant, it’s gone.

Waiting for competitors to lose customer trust assumes the loss comes from disclosure. It doesn’t.

Between now and August

Four months is enough time to do this properly if you start now and don’t overcomplicate it.

The first thing to do is the touchpoint map – not a project, just a list. Every AI system that touches customers, in one place, with the owning team next to it. Don’t skip this by assuming you know what’s running. In most retailers, the chatbot was set up by IT, the content generation tool was brought in by marketing, and the in-store analytics are a line item in a retail media contract. Nobody has the complete list unless someone has gone looking.

Once you have it, work through each item against the four obligations. Most of the fixes are configuration changes, not development work. The chatbot settings, the content metadata, the in-store signage – the bulk of Article 50 exposure can be cleared in a few focused days once you know where to look.

The piece that takes longer is documentation. You’ll want a record of what was in place before you started, what changed, and when. Regulators aren’t looking for perfection – they’re looking for evidence that you took the obligation seriously and acted on it. Build that as you go, not retrospectively.

By June you should know what you have and what you’ve fixed. July is for verification: is the disclosure actually showing up the way it should? Is the in-store signage in place? Have your agencies confirmed their pipelines are compliant?

August is not the time to start. It’s the time to be done.