Marketing and advertising AI under the EU AI Act

Marketing and advertising AI under the EU AI Act

Marketing teams across Europe have deployed AI at every layer of the funnel: personalisation engines that tailor homepage content to individual users, programmatic ad targeting that segments audiences at scale, large language models generating email copy and product descriptions, chatbots handling first-touch customer conversations, and synthetic media tools producing images and video for campaigns. The EU AI Act creates compliance obligations for all of these tools, but not all under the same rules or on the same timeline. Understanding which track applies to your stack is the first step.

What the EU AI Act says about marketing AI

The EU AI Act establishes two distinct compliance tracks that are relevant to marketing and advertising AI.

The first track is Article 50 transparency obligations, which apply from August 2, 2026. Article 50 requires that any AI system interacting with natural persons must disclose that the person is interacting with an AI, unless this is obvious from context. It also requires that AI-generated synthetic content, including deepfakes, AI-generated images, video, and audio, carries a machine-readable marking indicating its artificial origin. This obligation catches a wide range of marketing tools: chatbots on your website, AI voice agents in call centres, AI-generated ad creatives, and AI-written content presented as editorial.

The second track is Annex III high-risk classification, which applies to AI systems used in specific sensitive domains. For marketing teams, the most relevant Annex III categories cover AI used in employment decisions (recruitment screening, candidate ranking), consumer credit decisions (creditworthiness assessment, loan scoring), and education decisions (student admissions, performance evaluation). If your marketing data or customer intelligence feeds into any of these downstream decisions, or if your organisation builds AI products that operate in these categories, the more stringent Annex III obligations apply, with full enforcement beginning December 2, 2027.

For completeness: Article 5 prohibitions on unacceptable-risk AI, such as social scoring and subliminal manipulation, have been in force since February 2, 2025. Highly manipulative ad targeting designed to exploit psychological vulnerabilities could in principle fall within scope of Article 5, though the boundaries of that provision continue to be debated in regulatory guidance.

See our overview of Article 50 transparency obligations and the full EU AI Act deadline timeline for more detail on how these provisions interact.

Who this applies to

Article 50 obligations apply to providers and deployers of AI systems that interact with users or generate synthetic content. In a marketing context, that means:

  • Companies that build and sell AI chatbots, personalisation engines, or content generation tools (providers)
  • Marketing teams that deploy third-party AI tools on their own websites, apps, or ad channels (deployers)
  • Agencies that use AI generation tools to produce creative assets for clients

The geographic scope follows the EU AI Act's reach: if the AI system is deployed in the EU market or the output is used to interact with people in the EU, EU rules apply regardless of where the provider or deployer is headquartered. A US-based SaaS company with EU customers running AI-generated email campaigns falls within scope.

Annex III high-risk obligations apply primarily to providers building AI systems in those specific categories, but deployers who put high-risk AI into service in the EU also carry obligations around registration, record-keeping, and human oversight.

What the obligations require in practice

For AI interacting with humans: Any chatbot, virtual assistant, or AI-powered customer service tool must clearly disclose its AI nature at the start of the interaction. The disclosure must be timely, clear, and in plain language. A small disclaimer buried in a footer is unlikely to satisfy the requirement. The disclosure needs to happen before or at the start of the interaction, not after.

For AI-generated synthetic content: This is where the machine-readable marking requirement comes in. Images, video, and audio generated or substantially modified by AI must carry a technical marking, typically implemented via metadata or watermarking standards such as C2PA (Coalition for Content Provenance and Authenticity). The marking must be machine-readable, meaning it can be detected programmatically, not just visible to a human reviewer looking at the file. Industry surveys suggest that as of mid-2026, only around 38% of AI-generated content in commercial use carries compliant watermarking, leaving the majority of marketing teams exposed as the August 2026 deadline approaches.

For written AI-generated content: Article 50 also covers AI systems that generate text intended to inform the public on matters of public interest. For most commercial marketing copy, this provision is less directly applicable, but where AI-generated content is presented in a journalistic or editorial format, disclosure obligations may apply.

For Annex III high-risk systems: The obligations are more extensive, covering conformity assessments, technical documentation, human oversight mechanisms, data governance requirements, and registration in the EU database of high-risk AI systems. These requirements are substantially heavier than the Article 50 transparency track and require dedicated compliance infrastructure.

Key deadlines

  • February 2, 2025 (already in force): Article 5 prohibitions on unacceptable-risk AI
  • August 2, 2026: Article 50 transparency obligations for AI interacting with humans and AI-generated synthetic content
  • August 2, 2026: GPAI (general-purpose AI) model obligations and fines up to EUR 15 million or 3% of global annual turnover
  • December 2, 2027: Annex III high-risk AI obligations fully applicable

The August 2, 2026 deadline is the most immediately pressing for most marketing teams. It covers both Article 50 disclosures and the new GPAI rules that govern the foundation models underlying many AI marketing tools. For a full breakdown of every date, see our EU AI Act deadline guide.

What to do now

The practical steps for marketing teams before August 2, 2026 are:

  1. Inventory your AI tools. List every AI system your team uses that interacts with users (chatbots, AI sales assistants, personalisation engines) or generates content (image generators, video tools, copy writers). Include third-party SaaS tools, not just in-house builds.
  2. Check chatbot disclosure. Review the opening flow of every customer-facing chatbot or AI assistant. Ensure there is a clear, prominent disclosure at the start of the interaction.
  3. Audit synthetic media workflows. If your team generates AI images, video, or audio for campaigns, identify whether your tools support C2PA or equivalent machine-readable marking. If not, engage your vendor about their roadmap or evaluate alternatives.
  4. Assess high-risk exposure. If your AI tools feed into employment, credit, or education decisions, begin the Annex III assessment process. This takes time and you have until December 2027, but the documentation requirements are substantial.
  5. Engage your vendors. Many of the Article 50 obligations fall on providers, not just deployers. Ask your AI vendors what they are doing to support compliance: are they building disclosure mechanisms, offering watermarking, providing documentation?
  6. Document everything. Even for Article 50 obligations, which are lighter than Annex III, regulators will expect to see that deployers took compliance seriously. Keep records of your inventory, your disclosure decisions, and any vendor communications.

If you are unsure whether your specific AI use cases trigger Article 50 obligations, Annex III classification, or both, the first step is a structured assessment of your stack against the Act's provisions. If you are building AI products for marketing or using AI tools in regulated decision-making, you should also check whether you need to comply with the GPAI model rules that come into force in August 2026.

For context on whether your organisation's AI use cases are in scope at all, read do I need to comply with the EU AI Act.

Check your obligations

Use the free ActComply risk screener to find out which EU AI Act provisions apply to your marketing AI stack and get a personalised summary of your obligations: https://www.getactcomply.com/check

Check your EU AI Act risk in 5 minutes

Free risk classifier. No signup required. August 2 deadline.

Run the free screener