EU AI Act compliance for e-commerce and Shopify-app SaaS

E-commerce SaaS using AI for personalisation, recommendations, dynamic pricing, AI-generated product descriptions, or chatbot support generally avoids Annex III but faces three clusters of obligations on 2 August 2026: Article 5 prohibited practices (subliminal manipulation, exploitation of consumer vulnerabilities), Article 50 transparency rules (chatbot disclosure, AI-content marking), and the Digital Services Act overlap for very large platforms. The penalty ceiling is €15M or 3% of global turnover for Article 50, and €35M or 7% for Article 5 prohibitions.

Is your product high-risk under Annex III?

E-commerce SaaS is NOT typically high-risk under Annex III. Exception cases:

  • AI used in credit-style buy-now-pay-later (BNPL) underwriting falls under Annex III point 5(b)
  • AI used in employment decisions for marketplace sellers may inherit Annex III point 4 obligations
  • AI-powered identity verification or KYC tools may fall under Annex III point 1(a) biometric categorisation

For standard recommendations, search, A/B testing, product photography, and customer support, Annex III does not apply directly.

Article 50 transparency obligations

Three sub-rules apply in e-commerce:

Article 50(1): chatbots and conversational shopping assistants must disclose AI nature.

Article 50(2): AI-generated product descriptions, AI-written reviews, AI-summarised user feedback, and AI-generated visuals must be marked as AI-generated. Marketplace-side implication: Shopify, Amazon, and Etsy are starting to enforce vendor-side marking compliance through their seller agreements.

Article 50(4): synthetic AI-generated influencer endorsements, deepfake product demos, and AI-generated voice testimonials must disclose synthetic origin.

Article 5 is the under-discussed risk:

  • 5(1)(a) prohibits subliminal techniques manipulating user behaviour in ways that cause harm.
  • 5(1)(b) prohibits exploitation of vulnerabilities due to age, disability, or socioeconomic situation.

Dynamic pricing engines that detect impulse-buy state, urgency-pressure UX with AI-tuned countdowns, and personalised manipulation of vulnerable customers all sit close to or inside the prohibition.

Self-audit checklist before 2 August 2026

Seven checks before 2 August 2026:

  1. List every AI feature: recommendations, search, ranking, dynamic pricing, AI product descriptions, AI imagery, chatbot, fraud detection, review summarisation.
  2. Run an Article 5 review: are any features near the subliminal-manipulation or vulnerability-exploitation lines? Document the design rationale and any safeguards.
  3. Add Article 50(1) disclosure to all chatbots and conversational features.
  4. Add Article 50(2) machine-readable markers and visible labels to AI-generated descriptions, images, and reviews.
  5. Update product-detail-page templates with the marker by default.
  6. Review your A/B testing infrastructure for risk: experiments that exploit known psychological biases against specific vulnerable cohorts require redesign.
  7. Update merchant-facing documentation explaining your Article 50 compliance posture so your merchant customers can rely on it in their own compliance reviews.

Penalties and enforcement

Penalty ceilings under Article 99:

  • Article 5 prohibited-practice violations: €35M or 7% of global turnover
  • Article 50 transparency failures: €15M or 3%

Worked example: an e-commerce SaaS with €4M ARR faces a theoretical Article 5 maximum of €280,000 plus an Article 50 maximum of €120,000 per violation. Bigger cost: marketplace delisting. Shopify App Store, Amazon Marketplace, and Meta's Commerce surfaces enforce platform-level compliance and remove apps that trigger merchant complaints related to AI Act non-compliance. Recovery from delisting takes 3 to 6 months.

Last updated: 2026-05-28