Responsible AI Platform
Consumer & Biometrics

AI Act Compliance for Retail & E-commerce

Personalisation, biometrics and consumer protection — regulated under the AI Act

Practical guidelines for retailers, webshops and e-commerce platforms to comply with the EU AI Act.

Why Take Action Now?

The AI Act has a major impact on the retail & e-commerce sector

August 2025

First obligations come into effect — biometric systems in stores will be banned or strictly regulated

Biometrics = Banned or High-risk

Facial recognition in stores is almost always prohibited under the AI Act

Fines up to €35 million

Or 7% of global annual turnover — regulators will enforce consumer protection

Transparency Obligation

Consumers must know when they are interacting with AI or being assessed by AI

High-risk AI in Retail & E-commerce

These AI applications fall under strict AI Act requirements (Annex III)

Biometric Identification

Facial recognition, emotion recognition and behavioural analysis in physical stores — largely prohibited under the AI Act.

Facial recognition in stores
Customer emotion recognition
Behavioural pattern analysis
AI age verification

Credit & Customer Assessment

AI systems that assess customers for buy-now-pay-later, return policies or customer scoring — high-risk when impacting access.

BNPL scoring
Return risk profiling
Customer value scoring
Customer fraud detection

Price Discrimination & Dynamic Pricing

Algorithms that personalise prices based on customer profiles — transparency obligations and non-discrimination requirements.

Personalised pricing
Surge pricing
A/B test price optimisation
AI loyalty pricing

Recommendation Systems

AI that makes product recommendations, personalises content or influences search results — transparency obligations for online platforms.

Product recommendations
Search result ranking
Content personalisation
Cross-sell algorithms

Specific Challenges for Retail & E-commerce

The AI Act brings unique compliance questions for the retail sector

Navigating the Biometrics Ban

Where is the line between prohibited facial recognition and permitted security? How do you implement age verification compliantly?

Transparency in Personalisation

How do you inform customers about AI-driven recommendations and pricing without disrupting the user experience?

DSA and AI Act Overlap

Online platforms fall under both the Digital Services Act and the AI Act. How do you combine both compliance obligations?

Cross-border E-commerce

Different EU countries, different interpretations. How do you ensure compliance across all of Europe?

Third-party AI in Platforms

Marketplace sellers use their own AI tools. Are you as a platform responsible for their AI systems?

Consumer Rights & Complaints

Customers have the right to an explanation of AI decisions. How do you set up a complaints procedure for algorithms?

AI Act Compliance Roadmap

Practical steps for retailers and e-commerce businesses

1. AI Inventory (2-4 weeks)
Map all AI systems. From recommendations to pricing, from chatbots to biometrics.

2. Risk Classification (1-2 weeks)
Determine which systems are prohibited, high-risk or limited risk. Pay attention to biometrics and customer assessment.

3. Gap Analysis (3-6 weeks)
Compare current transparency and documentation with AI Act and DSA requirements.

4. Remediation (3-12 months)
Implement transparency labels, customer information, bias testing and human oversight processes.

5. Ongoing Monitoring (Ongoing)
Set up processes for continuous monitoring of AI performance and consumer complaints.

15-month trajectory

Implementation Roadmap

Detailed 6-phase trajectory with concrete deliverables

1. Inventory (Month 1-2)
Complete AI system register
Mapping of prohibited systems
Vendor AI overview

2. Classification (Month 2-3)
Prohibited vs. high-risk vs. limited per system
DSA overlap analysis
Biometrics audit

3. Gap Analysis (Month 3-4)
Transparency gap per customer touchpoint
Documentation gap per AI system

4. Governance Framework (Month 4-6)
AI governance structure
Algorithm complaints procedure
Vendor compliance policy

5. Implementation (Month 6-12)
Transparency labels live
Bias testing operational
Consumer information pages
Human oversight processes

6. Audit-ready (Month 12-15)
Internal audit
Mystery shopping on compliance
Continuous monitoring operational

AI System Inventory

Typical AI systems in retail & e-commerce and their likely classification

Note: many "personalisation" tools contain AI without marketing labeling it as such. Also inventory tools from third-party vendors and marketplace sellers.

Biometrics in Stores

Prohibited or high-risk
Facial recognition
Emotion recognition
Heatmap tracking
Age estimation

Art. 5 — emotion recognition in retail is prohibited; facial recognition almost always prohibited

Customer Assessment & Credit

Often high-risk
BNPL scoring
Return risk scoring
Customer value calculation
Fraud detection

Annex III, cat. 5b — high-risk when impacting access to financial services

Pricing & Promotions

Context-dependent
Dynamic pricing
Personalised discounts
Demand forecasting
Markdown optimization

Limited risk with transparency obligation; high-risk for discriminatory pricing

Recommendations & Search

Limited risk
Product recommendations
Search result ranking
Category personalisation
Cross-sell engines

Transparency obligations (Art. 50 + DSA Art. 27 for platforms)

Chatbots & Customer Service

Limited risk
Customer service bots
Virtual assistants
FAQ automation
Sentiment analysis

Art. 50 — customer must know it is AI; not high-risk unless it makes decisions

Supply Chain & Operations

Usually minimal risk
Demand forecasting
Inventory management
Route optimization
Warehouse robotics

Minimal risk — no direct impact on consumers

Classification Decision Tree

Quickly determine the risk classification of your AI system

Does the system use biometrics (facial recognition, emotion recognition)?
Yes: Prohibited or high-risk (Art. 5)
No: Go to next question

Does it assess the creditworthiness or financial reliability of customers?
Yes: Automatically high-risk (Annex III)
No: Go to next question

Does it interact directly with consumers (chatbot, recommendation, pricing)?
Yes: Limited risk, with a transparency obligation
No: Go to next question

Is it purely back-office without customer impact (inventory, logistics)?
Yes: Minimal risk
No: Consult an expert for classification

This is a simplified decision tree. Consult your legal team for definitive classification.

Governance Structure

Recommended organizational structure for AI governance in retail & e-commerce

Management / C-suite
AI Governance Committee (Marketing + Tech + Legal + CX)
AI Product Owners per channel
Data Privacy Team
Consumer Trust & Compliance
Vendor Management

Start with the customer journey: which AI touches the customer? That is where compliance is most urgent.

Key Roles

AI Product Owner

Responsible per AI system for compliance and customer experience

Consumer Trust Lead

Ensures transparency and complaint handling for AI-driven interactions

Vendor Compliance Manager

Verifies AI Act compliance of third-party tools and marketplace AI

Data Protection Officer

Coordinates GDPR and AI Act obligations for customer data

Compliance Checklist for Retail & E-commerce AI

Concrete checkpoints for each AI system

Biometric systems audited against Art. 5 prohibitions (Art. 5)
High-risk systems registered in EU database (Art. 49)
Transparency labels on AI chatbots and virtual assistants (Art. 50)
Customer information about recommendation algorithms (DSA Art. 27)
Bias testing on pricing and customer assessment (Art. 10)
Complaints procedure for AI decisions established (Art. 86)
Human oversight for BNPL and credit decisions (Art. 14)
Vendor AI compliance verified (Art. 25)
FRIA completed for high-risk systems (Art. 27)
Dark pattern audit completed (Art. 5)

This checklist combines AI Act and DSA obligations. Consult your legal team for platform-specific requirements.

Common Mistakes

Avoid these pitfalls in AI Act implementation

Not seeing personalisation as AI

Recommendation engines, dynamic pricing and A/B testing are AI systems under the AI Act.

Emotion recognition in stores

Cameras analysing customer emotions are explicitly prohibited under Art. 5. Remove these immediately.

Ignoring BNPL scoring

Buy-now-pay-later credit checks are high-risk. Many retailers don't realize they are deployers.

Assuming vendor compliance

Tools from Shopify, Salesforce or custom vendors — you are responsible as deployer.

Overlooking dark patterns

AI that manipulates consumers towards purchases may fall under Art. 5 prohibited practices.

Not inventorying marketplace AI

Sellers on your platform use AI. As a platform you have co-responsibility.

What Makes Retail AI Different?

Sector-specific considerations

Biometrics Restrictions

Retail is one of the few sectors where certain AI applications are directly prohibited

Consumer-centric

AI Act and consumer legislation reinforce each other — transparency is central

Platform Responsibility

E-commerce platforms have additional obligations as gatekeepers under DSA and AI Act

Data-intensive

Retail AI processes enormous amounts of personal data — GDPR and AI Act obligations stack

Consumer regulation

Regulatory Overlap

How the AI Act connects with existing retail and consumer regulation

Digital Services Act (DSA)

Overlap: Transparency for recommendation systems, ad targeting, content moderation

Practical tip: Combine DSA Art. 27 transparency with AI Act Art. 50 for recommendation systems

Consumer Rights Directive

Overlap: Consumer information, withdrawal rights, price transparency

Practical tip: AI Act transparency obligations reinforce existing consumer information requirements

GDPR

Overlap: Customer profiling, automated decision-making, data minimisation

Practical tip: DPIA and FRIA overlap — combine where possible for efficiency

Omnibus Directive

Overlap: Dynamic pricing transparency, fake reviews, personalised pricing

Practical tip: Mandatory notification of personalised prices already applies — AI Act adds AI-specific requirements

Product Safety Regulation

Overlap: AI in product safety, recall management

Practical tip: AI-driven safety monitoring may fall under both regulations
