How does the AI Act affect my e-commerce business?
The European Artificial Intelligence Regulation (the Artificial Intelligence Act or AI Act), which entered into force in August 2024, is being implemented progressively until August 2027 and has a significant impact on economic operators, particularly on e-commerce businesses.
The purpose of the AI Act is to ensure that artificial intelligence systems are safe, ethical, and trustworthy, while respecting the fundamental rights of end users. To this end, the Regulation classifies AI systems according to the level of risk they pose and establishes different obligations depending on the applicable risk category.
Use of chatbots and AI tools
The obligations set out in the AI Act apply to the various actors involved in the use, commercialization, and making available of AI systems. It is therefore essential for each company to identify its role and understand how to comply with the applicable requirements.
In the case of e-commerce businesses, the AI Act applies whenever AI-based tools are used, including, but not limited to:
- Customer service chatbots or virtual assistants.
- Product recommendation systems.
- Tools that analyze user behavior in order to personalize offers.
- Automated stock management and logistics systems.
- Scoring models used to approve payments, financing, or credit.
- Automated generation of product descriptions, images, or marketing content.
- Dynamic pricing systems based on demand or user behavior.
These are common examples of AI tools currently implemented by e-commerce platforms. The specific compliance requirements will depend on the risk classification of each AI system. In most cases, the obligations relate primarily to transparency towards end users, traceability, human oversight, and safeguards to protect the fundamental rights of those users, ensuring the safe and responsible use of AI systems.
Among the main obligations established by the AI Act, the following are particularly relevant:
- Assessing and documenting the risk level of the AI system used.
- Clearly informing the end user when they are interacting with an automated system (for example, a chatbot).
- Ensuring human oversight, especially where automated decisions may affect users.
- Ensuring system traceability through appropriate technical documentation.
These obligations apply to all companies, regardless of their size. Even a simple recommendation plugin or an automated content-generation tool may trigger legal obligations if users are not properly informed.
Penalties and fines for non-compliance with the AI Act
This regulatory framework imposes a particularly severe penalty regime:
- Up to €35 million or 7% of global annual turnover for very serious infringements.
- Up to €15 million or 3% of global annual turnover for serious infringements.
- Lower fines for minor infringements.
Factors determining the classification of penalties include: whether the company has repeatedly failed to comply, whether the breach has an effect on the fundamental rights of the users concerned, whether AI is used without complying with transparency or human supervision obligations, or whether serious incidents have not been reported to the relevant authorities, among others.
Practical guidance for SMEs and e-commerce businesses using AI
In order to comply with the AI Act, companies must adopt technical, organizational and legal measures to ensure the responsible use of artificial intelligence.
To this end, it is essential for businesses to take the following steps:
- Provide training to staff on AI compliance and ethics.
- Audit the AI systems currently in use.
- Classify each system according to its level of risk.
- Implement transparency measures and human control mechanisms.
- Review contracts with AI technology providers.
- Train staff on regulatory compliance and AI ethics.
In practice, for most e-commerce businesses using limited-risk AI systems, the most relevant, and sometimes the only essential, step will be to update their legal documentation, including:
- Terms and Conditions of Use and/or Sale: to reflect the use of AI systems and how users interact with them.
- Privacy Policy: to clearly inform users about the processing of personal data when AI systems are used.
- Cookies Policy and consent banner: particularly where cookies are used to feed recommendation or personalization systems.
- Clear and visible information when a chatbot or virtual assistant is implemented.
- Consent checkboxes where AI systems are used to send personalized offers.
Legal texts are not static documents. If your e-commerce business uses AI and these documents have not been updated accordingly, they are outdated and may expose your business to regulatory sanctions.
Candela Martín es abogada especialista en derecho digital, propiedad intelectual y protección de datos.
Graduada en Derecho por la Universidad de Granada, completó un doble máster en acceso a la abogacía y derecho digital en la Universidad de Navarra. Su práctica se centra en privacidad, comercio electrónico y contratación, con una visión proactiva y resolutiva en el asesoramiento a empresas del entorno tecnológico.
More from my site
New European Regulation 2023/988. How does it impact ecommerce?
Legal challenges to turn your traditional business into an ecommerce
Legal mistakes of ecommerces
Protecting eCommerce domains and websites from cybersquatting
Common legal mistakes by ecommerces and possible sanctions
European Commission guidelines on practices prohibited by the AI Regulation