The Complete EU AI Act Guide for Online Shops
AI ActThe EU Artificial Intelligence Act — formally Regulation (EU) 2024/1689 — is the world’s first comprehensive law governing artificial intelligence. If you run an online shop, your first instinct may be to assume it is aimed at big technology companies training foundation models, and that it has nothing to do with selling homeware or trainers or garden furniture. That instinct is only half right. The heaviest obligations do fall on developers of the most dangerous AI systems, but the Act reaches ordinary merchants too — quietly, through the everyday AI tools that have crept into modern e-commerce. The chatbot that greets your visitors, the button in your admin that writes a product description for you, the plug-in that generates a lifestyle image of a sofa, the review widget that summarises customer feedback: several of these can trigger legal duties under the AI Act.
This guide is written for the person running the shop, not for a compliance lawyer. It explains the Act’s risk-based structure, the phased dates on which each set of rules starts to bite, the practices that are simply banned, the narrow situations in which a merchant might touch genuinely “high-risk” AI, and — most importantly for the typical store — the transparency duties that apply when you use AI to talk to customers or to generate content they will see. It closes with a practical checklist, PrestaShop-specific implementation notes, the common mistakes we see, and a short FAQ. For the legal source itself and a running list of merchant-facing summaries, see our EU AI Act reference page.
Why an online shop should care
Three shifts have quietly turned the average PrestaShop store into an AI deployer without anyone signing off on a strategy. First, conversational commerce: automated chat and virtual assistants now handle a large share of pre-sales and support questions, and most of them are powered by machine learning rather than simple decision trees. Second, generative content: it is now trivial to ask a tool to draft a product description, spin up a set of category texts, or produce a photorealistic product image that never existed in a studio. Third, automated social proof: modules increasingly summarise, translate or even help draft customer reviews.
Each of those conveniences can carry a legal consequence. The AI Act does not ban them — but where AI interacts with a person or fabricates content a person will consume, the Act wants that person to know. Layered on top is a reputational and consumer-protection dimension: an AI-generated “customer” review is not just an AI Act transparency issue, it is potentially an unfair commercial practice under separate consumer law. The upshot is that AI compliance for a shop is less about paperwork and more about honesty — being clear about when a machine is talking, and when a machine made what the customer is looking at.
The risk-based approach in one picture
The Act does not treat all AI the same. Instead it sorts systems into tiers according to the risk they pose to people’s safety, rights and livelihoods, and it attaches obligations proportionate to that risk. The higher the risk, the heavier the duty; most AI most merchants use sits at the bottom two tiers. Understanding which tier a given tool falls into is the single most useful skill for a shop owner, because it tells you instantly whether you can relax, add a disclosure, or steer clear entirely.
| Risk tier | What it means | Typical merchant example |
|---|---|---|
| Unacceptable (prohibited) | Banned outright. Practices judged to threaten fundamental rights — manipulation causing harm, exploiting vulnerabilities, social scoring, certain biometric practices. | Personalisation designed to exploit a known vulnerability (e.g. targeting a gambling addiction or a child) to push a purchase. |
| High risk | Permitted but heavily regulated: risk management, data governance, logging, human oversight and conformity assessment before use. | An AI recruitment tool used to screen job applicants, or a credit-scoring integration that decides who may buy on instalments. |
| Limited risk (transparency) | Allowed, but you must tell people. The tier that matters most to shops — chatbots, and AI-generated audio, image, video or text. | A customer-service chatbot; AI-generated product images or descriptions; AI-assisted reviews or marketing “deep fakes”. |
| Minimal risk | No specific obligations. Voluntary codes of conduct are encouraged but nothing is mandatory. | Spam filters, fraud checks, and product recommendation engines (“customers also bought”). |
Read the table from the bottom up and a comforting picture emerges: the great majority of AI woven into an e-commerce stack — recommendation engines, search ranking, spam and fraud filters — is minimal risk and carries no obligations at all. Your compliance energy belongs almost entirely in the limited-risk band, where a handful of well-placed disclosures does the job, and in staying out of the prohibited band altogether.
The phased timeline: when does each rule start?
The AI Act entered into force on 1 August 2024, but it does not all apply at once. The legislator staggered the start dates so that the market — and enforcement authorities — could prepare. The most urgent bans came first; the detailed high-risk machinery comes later. Knowing the sequence matters, because a duty that is not yet “live” is still coming, and building for it early is far cheaper than retrofitting under enforcement pressure.
| Date | What starts to apply | Relevance to a shop |
|---|---|---|
| 1 August 2024 | The Regulation enters into force. The clock starts on every later phase. | Nothing to do yet, but the timeline is now fixed. |
| 2 February 2025 | Prohibitions on unacceptable-risk AI practices apply. Also duties around AI literacy for staff working with AI. | Make sure you deploy none of the banned practices; brief staff who operate AI tools. |
| 2 August 2025 | Obligations for general-purpose AI (GPAI) models, and the governance, notified-body and penalty provisions, begin. | Mostly upstream, but the penalty regime becomes enforceable for what is already in force. |
| 2 August 2026 | The bulk of the high-risk system rules apply — and the Article 50 transparency obligations become fully applicable. | The key date for merchants: chatbot and AI-content disclosures should be in place. |
| 2 August 2027 | Rules apply to high-risk systems that are safety components of products already regulated under other EU legislation. | Relevant only if you build or place regulated products embedding AI on the market. |
For a shop, the two dates to circle are 2 February 2025 (do not use anything prohibited) and 2 August 2026 (transparency duties fully applicable). The sensible posture is not to wait until August 2026 to add disclosures. They are cheap, they build trust, and getting into the habit now means you are never caught out by a tool you added later.
Prohibited practices to avoid
At the top of the pyramid sit AI practices the Union has decided are simply incompatible with fundamental rights. These are banned across the board — there is no disclosure or paperwork that makes them lawful. Most are far removed from retail, but a couple sit close enough to aggressive marketing that a merchant should understand where the line is.
- Manipulative or subliminal techniques that materially distort a person’s behaviour in a way likely to cause harm — for example, an AI-driven interface engineered to override a customer’s conscious decision-making.
- Exploiting vulnerabilities of a specific group — because of age, disability or a specific social or economic situation — to distort their behaviour in a harmful way. Targeting a child or a person with an addiction with tailored pressure would fall here.
- Social scoring — evaluating or classifying people over time based on behaviour or characteristics, leading to detrimental treatment in unrelated contexts.
- Certain biometric practices, including specific forms of biometric categorisation and untargeted scraping of facial images to build recognition databases.
The realistic risk for an online shop is the second bullet. Modern personalisation engines are powerful, and the temptation to squeeze conversion by leaning on a customer’s weak moment is real. The rule of thumb: personalisation that helps a customer find what they want is fine; personalisation designed to exploit a vulnerability so the customer acts against their own interest is not. If a growth tactic only works because it preys on someone who cannot easily resist, treat it as off-limits regardless of the technology behind it.
When could a merchant touch high-risk AI?
High-risk is where the Act’s serious machinery lives — risk-management systems, data-governance requirements, detailed logging, human oversight, technical documentation and conformity assessment before the system may be used. The good news for retailers is emphatic: running an ordinary online shop does not, by itself, involve any high-risk AI system. Selling products, taking payments, recommending items and answering questions with a bot are not high-risk activities.
The Act reserves the high-risk label for AI used in listed sensitive areas. A merchant crosses into that territory only when they step outside pure selling and start using AI to make consequential decisions about people. The clearest examples:
- Employment and recruitment. If your growing business uses an AI tool to screen, rank or filter job applicants, or to make promotion or termination decisions, that tool is a high-risk system and its obligations attach to you as its deployer.
- Access to credit. Offering “buy now, pay later” or instalment options via an integration that uses AI to score creditworthiness pulls you toward the high-risk regime for that decision.
- Biometric identification. Deploying AI that identifies people from biometric data — for example, facial recognition at a physical click-and-collect point — is high-risk and tightly constrained.
- Safety components of regulated products. If you manufacture or place on the market a product already regulated for safety and it embeds AI as a safety component, high-risk rules apply.
Notice the pattern: high-risk arises when AI decides something important about a person — who gets hired, who gets credit, who is identified. If your AI is only helping sell products, you are almost certainly not in this tier. But if you adopt an AI recruiting or credit tool, do not assume the vendor has handled compliance for you; as the deployer you carry deployer-side duties such as human oversight and using the system according to its instructions.
The transparency duties in depth (Article 50)
This is the heart of the Act for a normal shop. Article 50 sets out limited-risk transparency obligations, and they map almost exactly onto the AI features merchants actually use. The underlying principle is simple and easy to remember: people should not be deceived about whether they are dealing with a machine, or consuming content a machine produced. There are three strands, and each corresponds to something you may already have on your store.
Chatbots and AI assistants: tell people they are talking to a machine
If an AI system is designed to interact directly with people, those people must be informed that they are interacting with AI — unless it is already obvious from the circumstances to a reasonably observant person. In practice, every AI-driven chat widget, virtual shopping assistant or automated support agent on your store should identify itself as automated. This does not need to be laborious. A short line in the chat window’s opening message, or a persistent label such as “AI assistant”, satisfies the duty. What you must not do is let a bot masquerade as a human agent, or design it so customers reasonably believe they are chatting with a member of staff when they are not.
For a fuller, worked treatment of exactly how to word and place these notices — including where they belong in the customer journey — see our focused FAQ on AI transparency for online stores.
Labelling AI-generated product images and descriptions
Providers of generative AI systems must ensure that the synthetic audio, image, video or text they output is marked in a machine-readable format and detectable as artificially generated or manipulated. That provider-side duty concerns the tool builders. But the direction of travel is clear, and it interacts with a deployer-side reality: when you publish AI-generated content, you should be transparent about it.
For a shop this means being honest about AI-generated imagery in particular. If a “product photo” is in fact an AI-generated render rather than a photograph of the item a customer will receive, presenting it as a genuine photograph risks misleading them — an issue under consumer-protection law quite apart from the AI Act. The safe pattern is to keep genuine photographs for genuine product shots, and to clearly label any imagery that is AI-generated or AI-enhanced (for example, a lifestyle scene composed by AI). AI-assisted text, such as a product description you drafted with an AI tool and then edited and verified, is lower-stakes: the key obligation there is accuracy — the description must truthfully reflect the product regardless of how it was written.
AI-generated or AI-assisted reviews
Reviews are where the AI Act and consumer law collide most sharply. Using AI to fabricate customer reviews — inventing praise that no real customer wrote — is not merely an AI-transparency slip; it is a fake review, and fake or misleading reviews are treated as a prohibited unfair commercial practice under EU consumer-protection rules that were reinforced by the Omnibus reforms. Those rules require traders who display reviews to take reasonable steps to ensure they come from genuine consumers, and forbid submitting or commissioning false reviews. Combine that with the AI Act’s transparency ethos and the message is unambiguous: never generate fake reviews with AI.
Legitimate AI assistance around reviews is possible — translating a genuine review, summarising a set of real reviews, or moderating for spam — provided you do not alter meaning or manufacture sentiment, and provided the underlying reviews are real. Because this area sits at the intersection of two regimes, we cover the review rules in detail in our complete Omnibus guide, and you can find the legal background on our Omnibus reference page.
Deep fakes and marketing
Deployers who use AI to create or manipulate image, audio or video content that resembles real people, objects or events — “deep fakes” — must disclose that the content has been artificially generated or manipulated. Similarly, AI-generated text published to inform the public on matters of public interest must be disclosed as such. For marketing, the practical takeaways are: if a campaign uses an AI-generated likeness of a person, or an AI-fabricated “event” or endorsement, label it clearly as artificial; and never use a deep fake of a real individual (a celebrity, an influencer, a satisfied “customer”) to imply an endorsement that did not happen. Artistic and clearly creative uses have lighter disclosure expectations, but the safe default in commerce is to be visibly honest.
Provider vs deployer — which are you?
The Act draws a crucial distinction between two roles, and knowing yours tells you which duties you carry. A provider develops an AI system (or has one developed) and places it on the market or puts it into service under its own name. A deployer uses an AI system under its own authority in the course of a professional activity. The obligations differ: providers shoulder the design-and-build duties (including the machine-readable marking of synthetic output), while deployers carry use-side duties such as disclosing chatbots and deep fakes, and — for high-risk systems — providing human oversight.
Nearly every online shop is a deployer, not a provider. You subscribe to a chatbot SaaS, licence an image generator, or install a review module — you use these tools, you do not build and sell them. Your compliance job is therefore the deployer’s job: be transparent with the people your AI touches.
There is a caveat worth knowing. If you take a third-party AI system and rebrand it as your own, or modify it substantially, you can be treated as a provider and inherit provider duties. For the overwhelming majority of merchants using off-the-shelf tools under the vendor’s brand, though, the deployer label is the right one — and the deployer duties are manageable.
A note on general-purpose AI (GPAI) models
The Act contains a distinct chapter for general-purpose AI models — the large foundation models that power many of the tools you use, including the text and image generators behind your chatbot or content assistant. From 2 August 2025, providers of these models carry their own obligations around technical documentation, transparency to downstream developers, and (for the most capable models posing systemic risk) additional safeguards. As a merchant you are almost never a GPAI provider; you are a downstream user of a product built on top of a GPAI model. The practical relevance is indirect but real: the vendors you rely on are subject to these rules, which is one more reason to choose reputable, compliant suppliers — their compliance flows down into the tools you deploy.
Penalties: substantial and tiered
The AI Act backs its rules with a tiered penalty regime, and the ceilings are deliberately high enough to command attention from businesses of every size. The most serious breaches — deploying prohibited AI practices — attract the steepest fines, set as the higher of a large fixed sum or a percentage of worldwide annual turnover. Breaches of other obligations, including transparency duties, sit at lower but still significant tiers, and supplying incorrect or misleading information to authorities carries its own penalty band. As with the GDPR, fines scale with turnover so that they bite proportionately, and national authorities are directed to consider the nature, gravity and duration of the infringement.
We deliberately describe the penalties qualitatively rather than quoting precise figures, because the exact ceilings depend on the specific breach and can be updated. The headline for a merchant is simple: the fines are large enough that the modest effort of adding disclosures and avoiding prohibited practices is overwhelmingly worthwhile. Transparency is cheap; a penalty for concealment is not.
An AI transparency checklist for merchants
Use this as a working audit of your store. If you can tick every item honestly, you have covered the transparency obligations that apply to the vast majority of shops.
- Every AI chatbot or virtual assistant clearly identifies itself as AI to the customer at the start of the interaction.
- No automated agent is designed to pass as a human member of staff.
- AI-generated or AI-enhanced imagery is labelled, and genuine product photos are used to depict the actual item a customer will receive.
- AI-assisted product descriptions have been reviewed by a human and are factually accurate.
- No reviews are fabricated by AI; displayed reviews come from genuine consumers and any AI processing (translation, summarising) preserves their meaning.
- Any deep-fake or AI-generated likeness used in marketing is disclosed as artificial, and no fake endorsements are implied.
- You deploy none of the prohibited practices, especially manipulation exploiting vulnerable customers.
- If you use AI for recruitment, credit scoring or biometric identification, you have assessed the high-risk obligations that apply.
- Staff who operate AI tools understand their basics — an AI-literacy expectation the Act introduces.
- You have a short, public AI-use statement so customers know how and where you use AI.
PrestaShop implementation notes
Translating the rules above into a live PrestaShop store is mostly a matter of small, well-placed changes rather than a re-platforming project. The following notes cover the features most likely to be in play.
Chatbot modules and disclosure
Whichever live-chat or assistant module you use, configure its greeting and, ideally, its persistent header to state that it is an AI assistant. Many modules expose an editable “welcome message” and a bot display name — set the name to something like “Store AI Assistant” and open with a line such as “Hi, I’m an automated AI assistant.” If your module offers a human hand-off, make the transition explicit so customers know when they have moved from bot to person. Keep the disclosure in every language your store serves; a notice only in English does not discharge the duty for a French- or German-speaking customer.
AI product-description generators
AI description tools — whether a built-in feature or a third-party module — are convenient, but they demand a human review step. Treat AI output as a first draft: check every factual claim (materials, dimensions, compatibility, certifications) against reality before publishing, because an inaccurate description is a consumer-law problem no matter how it was authored. Build a simple internal rule that no AI-drafted text goes live unedited.
Labelling AI imagery
Where you use AI to create lifestyle scenes, backgrounds or composites, add a caption or badge such as “AI-generated image” and keep it clearly distinct from genuine product photography. In PrestaShop you can use the image caption/legend field, an overlay, or a line in the product description. The bright line: the images that show what the customer is actually buying should be true photographs of that item.
Review modules
Configure review modules so that only verified, genuine reviews are displayed, and disable any feature that would auto-generate review text. If a module offers AI translation or summarising of real reviews, ensure the original remains accessible and the summary does not distort sentiment. Align these settings with the fake-review rules covered in our Omnibus guide.
An AI-use policy page
Create a short CMS page — linked from the footer alongside your privacy and terms pages — that states plainly where and how your store uses AI: for chat support, for drafting content, for imagery, and so on. This is not strictly mandated for every use, but it is an inexpensive trust signal, it centralises your disclosures, and it demonstrates good faith if a question ever arises. While you are in the footer, it is also a natural home for links to your accessibility statement; if you are working through the parallel accessibility obligations, see our accessibility reference.
Common mistakes
- Assuming the Act does not apply to a shop. The transparency duties reach ordinary stores through chatbots and generated content.
- Letting a bot pose as human. Naming a chatbot “Sarah from Support” with no AI disclosure is exactly what Article 50 targets.
- Passing AI renders off as product photos. This risks misleading customers under both AI and consumer law.
- Generating fake reviews. A serious unfair-practice breach, not a minor transparency slip.
- Publishing AI descriptions unchecked. Speed is no defence for an inaccurate claim about a product.
- Assuming the vendor handled compliance. As the deployer, the use-side duties are yours.
- Waiting until 2026 to act. Disclosures are cheap and build trust now; there is no reason to delay.
Mini-FAQ
Does my online shop need to do anything under the AI Act?
If you use an AI chatbot, or publish AI-generated images, text or reviews, then yes — you have transparency duties: tell customers when they are dealing with AI, and be honest about AI-generated content. If you use none of those, and your AI is limited to recommendations, search and spam filtering, you likely have no specific obligations at all.
Am I a “provider” or a “deployer”?
Almost certainly a deployer. You use third-party AI tools under your own authority rather than building and selling AI systems. Deployer duties centre on transparency — the manageable end of the Act.
Is my recommendation engine high-risk?
No. Product recommendation engines are minimal-risk and carry no specific obligations. High-risk is reserved for consequential decisions about people, such as recruitment screening, credit scoring or biometric identification.
Can I use AI to write my product descriptions?
Yes, provided a human reviews the output and the final text is accurate. The Act does not ban AI-assisted writing; consumer law simply requires the description to be truthful, however it was drafted.
When do the transparency rules actually bite?
The Article 50 transparency obligations become fully applicable on 2 August 2026, with prohibited practices already banned since 2 February 2025. The prudent approach is to add disclosures now rather than wait.
Disclaimer
This guide is provided for general educational purposes only and reflects our understanding of Regulation (EU) 2024/1689 as at 4 July 2026. It is not legal advice and does not create a lawyer–client relationship. The AI Act applies in phases and is accompanied by guidance and implementing measures that continue to evolve, and how it applies to your business depends on your specific circumstances. For decisions affecting your legal obligations, consult a qualified professional and refer to the official text and current guidance.
Official reference: https://eur-lex.europa.eu/eli/reg/2024/1689/oj