EU AI Act compliance for martech and advertising SaaS

MarTech SaaS using AI for audience targeting, personalisation, predictive lead scoring, or AI-generated ad creative faces two clusters of obligations on 2 August 2026: Article 5 prohibited practices (subliminal manipulation, exploitation of vulnerabilities, social scoring) and Article 50 transparency (AI-generated content marking, chatbot disclosure). Penalty ceilings stack: €35M or 7% of global turnover for Article 5, €15M or 3% for Article 50. The DSA and the upcoming ePrivacy Regulation overlap intensifies the pressure.

Is your product high-risk under Annex III?

MarTech is NOT typically high-risk under Annex III. Exception cases:

  • AI used to evaluate consumer creditworthiness as part of lead scoring (Annex III point 5(b))
  • AI used in political microtargeting that could influence democratic processes (Annex III point 8)
  • AI used in employment-adjacent recruitment marketing (Annex III point 4)

For standard CDP, email marketing, social media management, audience analytics, and ad-creative generation, Annex III does not apply directly. Your main exposure is Article 5 and Article 50.

Article 50 transparency obligations

Article 50 applies in two ways:

Article 50(1): conversational AI in martech (chatbots for lead capture, AI-powered SDR tools) must disclose AI nature.

Article 50(2): AI-generated ad copy, AI-generated images, AI-written email sequences, AI-summarised lead-research must be marked as AI-generated. The marking obligation falls on the deployer (your customer) and on you as the provider of the tool. Build the marking into your output by default.

Article 5 is the under-discussed risk for martech:

  • 5(1)(a) prohibits subliminal techniques manipulating behaviour in ways that cause harm. AI-optimised conversion funnels that learn psychological pressure tactics against specific user segments sit very close to this line.
  • 5(1)(b) prohibits exploitation of vulnerabilities due to age, disability, or socioeconomic situation. Targeting algorithms that identify and exploit financial-distress signals are a documented enforcement-priority for the European Commission.

Self-audit checklist before 2 August 2026

Seven checks before 2 August 2026:

  1. List every AI feature: audience targeting, predictive lead scoring, ad-creative generation, copy generation, send-time optimisation, chatbot, journey orchestration.
  2. Run an Article 5 review. Document the design rationale for any feature that learns or exploits psychological pressure, urgency framing, or vulnerability targeting.
  3. Add Article 50(1) disclosure to all chatbots and conversational SDR features.
  4. Add Article 50(2) machine-readable markers and visible labels to AI-generated ad creative, email copy, and landing-page content. Build it into the export and the publish flow.
  5. Update merchant-facing documentation: your customers will use your AI in their own campaigns and need to inherit your compliance posture.
  6. Coordinate with your DSA and ePrivacy compliance work. The Article 5 prohibition and DSA Article 28 (dark patterns) overlap heavily.
  7. Set up Article 73 incident reporting for misuse cases reported by users or watchdog groups.

Penalties and enforcement

Penalty ceilings:

  • Article 5 prohibited-practice violations: €35M or 7% of global turnover
  • Article 50 failures: €15M or 3%

Worked example: a martech SaaS with €6M ARR faces a theoretical Article 5 maximum of €420,000 plus Article 50 maximum of €180,000 per violation. Bigger cost: ad-platform delisting. Meta, Google, TikTok, and LinkedIn now enforce platform-side Article 50 marking compliance and remove integrations that flood ad surfaces with unmarked AI-generated creative. Recovery takes 3 to 9 months.

Last updated: 2026-05-28