EU AI Act for Retail & E-commerce: Transparency, Chatbots & Where AI Turns High-Risk
Retailers and e-commerce platforms run AI across recommendations, chatbots, demand forecasting and dynamic pricing. Under the EU AI Act (Regulation (EU) 2024/1689), the overwhelming majority of these uses are limited- or minimal-risk rather than high-risk. The practical obligations centre on Art. 50 transparency — with a few specific scenarios, notably in-store biometrics, capable of pulling a system into the high-risk or even prohibited tier.
Is it in scope?
General retail AI is not listed in Annex III, so recommendation engines, forecasting and personalisation are typically minimal-risk, and customer chatbots attract Art. 50 transparency duties. The exceptions are specific: biometric categorisation or remote biometric identification of shoppers can be high-risk under Annex III(1), and some biometric practices — such as untargeted scraping of facial images or emotion recognition in the workplace — are prohibited under Art. 5. Where a retailer offers store-card credit and uses AI to assess creditworthiness, that scoring is high-risk under Annex III(5)(b).
Typical AI use cases
- Product recommendation and personalisation engines
- Customer-service and shopping chatbots
- Demand forecasting and inventory optimisation
- Dynamic and personalised pricing
- In-store biometric or footfall analytics
Risk classification
For most retailers the classification is limited-risk: disclose that a chatbot is AI and mark any AI-generated content under Art. 50 (from 2 August 2026). Recommendation and forecasting tools are generally minimal-risk with no mandatory obligations, though voluntary codes are encouraged. The line is crossed only in defined cases — biometric identification/categorisation of customers (high-risk under Annex III(1), or prohibited under Art. 5 for certain practices) and consumer credit scoring for store finance (high-risk under Annex III(5)(b)). Each such feature must be assessed on its own facts.
Obligations to prepare for
Your exact duties also depend on whether you build or use the AI. See obligations by operator role — provider, deployer, importer, distributor or GPAI provider.
FAQ
Is our recommendation engine regulated by the AI Act?
Product recommendation and personalisation are not listed in Annex III and are generally minimal-risk, carrying no mandatory AI Act obligations. If the feature is delivered through a chatbot, the Art. 50 duty to disclose AI interaction still applies.
Can we use facial recognition in our stores?
Treat this with caution. Remote biometric identification and biometric categorisation of customers can be high-risk under Annex III(1), and certain practices are prohibited under Art. 5. Any in-store biometric deployment needs a specific legal assessment before launch.
Does offering AI-assessed store credit change our risk tier?
Yes. AI used to evaluate the creditworthiness or credit score of consumers is high-risk under Annex III(5)(b). That specific feature triggers the full high-risk obligations, even though the rest of your retail AI is limited- or minimal-risk.
Run the free 2-minute risk checker — no sign-up.