

European AI law already requires online stores to label deepfake images. Virtual models that look like real people, AI-generated faces, lifestyle scenes with synthetic characters that could pass for authentic photographs... if you are using any of these in your store without disclosing it, you are already breaking the EU AI Act. This guide explains exactly what the regulation requires, which images it applies to, and how to comply without the headache.
The EU Artificial Intelligence Act (Regulation EU 2024/1689), commonly known as the AI Act, is the world's first comprehensive AI law. It entered into force in August 2024 and applies in stages: some obligations are already in effect, with full enforcement reaching most businesses on 2 August 2026.
Do not mistake "phased application" for "I can wait." The transparency obligations under Article 50 (which include the labelling of AI-generated content) are already in force. And that is where most online stores have a compliance problem without realising it.
Spain's AI supervisory agency (AESIA) has already opened 23 preliminary investigations. The Spanish data protection authority (AEPD) has increased AI-related investigations by 340% compared to the previous year. Across the EU, the ecommerce sector has seen a 330% increase in digital compliance fines over the past year alone.
Ecommerce is in this position because it has adopted AI faster than almost any other sector, and has done so without thinking too hard about the legal implications. Today, a significant share of the images on online stores have passed through some form of generative AI: virtual fashion models that look like real people, AI-generated lifestyle photography, product images where the human context is entirely synthetic...
When those images could pass for authentic photographs of real people, they fall within the definition of a deepfake under the AI Act and must be labelled. Today, almost none of them are.
Before you can address your obligations, you need to know which AI systems you are actually using. Many online stores use AI without being fully aware of it. Here is the most common picture:
| Tool | Typical ecommerce use | Does it create or alter images of people? |
|---|---|---|
| Midjourney, DALL-E, Firefly (to create realistic people or scenes) | Virtual fashion models, AI lifestyle photography | Yes, if the result could be mistaken for a real photo (deepfake) |
| AI virtual fashion models (Botika, Ablo) | Showing garments on AI-generated people | Yes (deepfake: synthetic person who looks real) |
| AI face or body alteration tools | Modifying a real person's appearance in a photo | Yes (deepfake: manipulation of a real person's likeness) |
| Midjourney, DALL-E, Firefly (for objects or abstract content) | Product shots without people, abstract banners | No (not a deepfake) |
| Canva AI, Adobe Generative Fill (background or object editing) | Removing backgrounds, adding non-human elements | No (not a deepfake) |
| AI image upscaling tools | Improving resolution of product photos | No (not a deepfake) |
| AI-powered customer service chatbots | Support, FAQs, recommendations | No, but disclosure to users is required (Art. 50.1) |
| AI product recommendation engines | "You might also like" | No, but transparency is required |
| Dynamic or personalised pricing | Real-time price adjustments | No, but transparency is required when prices are personalised |
| AI fraud detection | Automatic blocking of suspicious transactions | No, but may qualify as high risk |
The key question is whether the image depicts a person (real or synthetic) in a way that could be mistaken for an authentic photograph. A product-only shot, a typographic banner, or an AI-generated background are not deepfakes. A virtual model who looks like a real person wearing your clothes is.
The AI Act organises AI systems into four risk levels. Most ecommerce businesses operate at the limited risk and minimal risk levels, but that does not mean they have no obligations. It means their obligations are primarily around transparency.
Unacceptable risk. Systems that are entirely banned in the EU. For ecommerce, the most relevant cases are using AI to psychologically manipulate users (subliminal techniques to push a purchase), exploiting the vulnerabilities of groups such as minors or elderly people, or real-time facial recognition in public spaces without consent. If any of your tools do this, they must be removed immediately.
High risk. For ecommerce, this primarily affects businesses that offer instalment payments or buy-now-pay-later with AI-based credit scoring, or fraud detection systems that automatically block or penalise users. These require technical documentation, human oversight, activity logging, and impact assessments.
Limited risk. This is where most ecommerce sits. It covers chatbots, recommendation engines, personalised pricing, and, critically, all visual content generated or manipulated by AI that could constitute a deepfake. The Article 50 transparency obligations apply at this level and are already in force.
Minimal risk. Spam filters, basic catalogue search without profiling, spell-checkers. No formal obligations.
This is the provision that affects ecommerce businesses most right now, and the one that is being most widely ignored.
Article 50 of the AI Act sets out several transparency obligations. The provision with the most direct impact on ecommerce businesses as deployers of AI is paragraph 4: it requires disclosure whenever content constitutes a deepfake, meaning images, video, or audio generated or manipulated by AI that depicts people, places, or events in a way that appears authentic but is not.
The obligation does not apply to all AI-generated or edited content. It applies specifically to content that could mislead viewers about the authenticity of what is being depicted. The central question is whether the content could pass for a real photograph or recording.
In the context of an online store, the most common cases are the following.
AI-generated virtual fashion models. If you use tools like Botika or Ablo to show your garments on synthetic people who look like real human beings, those images are deepfakes under the AI Act. The consumer is looking at a "person" who does not exist, with an appearance designed to look like an authentic photograph.
AI-generated people in product or lifestyle imagery. If you use Midjourney, DALL-E, or similar tools to create lifestyle photography in which people appear to be using or interacting with your product, and those people could be mistaken for real individuals in a real situation, those images are deepfakes.
Alteration of a real person's appearance. If you use AI to modify the face, body, or appearance of a real person in an image (for example, making a model look younger or changing their features with Generative Fill), that manipulated image is a deepfake.
It is just as important to know what falls outside this obligation. A product-only image without people, generated or retouched with AI, is not a deepfake. An AI-created typographic banner is not a deepfake. An AI-generated background behind a real product is not a deepfake. Removing a background with AI, or improving resolution with upscaling, is not a deepfake.
The line is the deceptive representation of people: if there is no person (real or photorealistic synthetic) in the image, the Article 50.4 obligation is not triggered.
The AI Act provides for the use of technical marking mechanisms (watermarking) to identify deepfake content, particularly through metadata. This means compliance is not satisfied simply by adding a small "AI-generated" note somewhere on the page. The image file itself must be identifiable as AI-generated or manipulated through its metadata, following standards such as C2PA (Coalition for Content Provenance and Authenticity).
This is the core obstacle for most ecommerce businesses. If you have hundreds or thousands of images in your store (some supplied by manufacturers, some by agencies, some created in-house), there is no manual way to know which ones contain AI-generated or AI-altered people. And without knowing, you cannot label them.
That is exactly the problem AI Sentinel by Lawwwing solves.
Beyond deepfake labelling, the AI Act imposes further obligations that every ecommerce business should be aware of.
Chatbot transparency. If you have an AI-powered virtual assistant or customer service chatbot, you must inform users that they are speaking with an AI and not a human being. This obligation has been in force since February 2025. A clear, visible notice at the start of the conversation is sufficient, but it must be unambiguous.
Transparency in recommendations and personalised pricing. If your store displays AI-powered product recommendations or charges different prices based on user profiles, you must disclose this. Users have the right to know when a decision affecting them has been made or influenced by an automated system.
Updated privacy policy. Your privacy policy must reflect every AI system that processes personal data: what data is used, for what purpose, whether automated decisions are involved, and how users can exercise their rights in relation to those decisions.
AI literacy (Art. 4). Article 4 of the AI Act requires businesses to ensure that employees working with AI systems have the minimum knowledge and skills needed to use them safely and responsibly. This obligation has been in force since February 2025.
Supplier contract review. If you use third-party AI tools (AI-powered email marketing platforms, smart advertising tools, AI plugins for Shopify...), you must review your contracts to verify that the provider complies with the AI Act. As a deployer, you have your own obligations that do not disappear simply because you sourced the tool from a third party.
| Date | What comes into force | Already active? |
|---|---|---|
| 1 August 2024 | EU Regulation 2024/1689 enters into force | ✅ |
| 2 February 2025 | Prohibited practices (unacceptable risk) + AI Literacy (Art. 4) + Transparency obligations under Art. 50 including deepfake labelling | ✅ Already applies |
| 2 August 2025 | Obligations for general-purpose AI models (GPAI) | ✅ |
| 2 August 2026 | Full enforcement for high-risk AI systems (Annex III) | ⏳ In 77 days |
| Dec 2027 (possible) | Potential extension for some high-risk systems via Digital Omnibus (pending approval) | ❓ Not confirmed |
The Article 50 deepfake labelling obligation is already in force. It is not a future requirement.
| Type of infringement | Maximum penalty |
|---|---|
| Prohibited AI systems (unacceptable risk) | €35 million or 7% of global annual turnover |
| Non-compliance with high-risk system requirements | €15 million or 3% of global turnover |
| Non-compliance with transparency obligations (Art. 50) | €7.5 million or 1% of global turnover |
Fines for breaching Article 50 (the provision covering deepfake labelling) can reach €7.5 million or 1% of global annual turnover. For a mid-sized store with €2 million in revenue, that is up to €20,000 in fines for failing to label images correctly.
These penalties stack on top of GDPR fines. If the AI system also processes personal data (for example, profiling used to serve those images), you can face fines from both regulations for the same incident.
Transparency and labelling obligations (Art. 50), already in force
Privacy and data protection
Team and compliance culture
For high-risk systems (if applicable: credit scoring, fraud detection)
Identifying which images in your store are deepfakes under the AI Act is harder than it sounds. Images arrive from manufacturers, agencies, freelance designers, stock libraries... and increasingly from generative AI tools that your own team uses day to day. Working out which ones contain synthetic people or AI-altered faces, and distinguishing them from images that simply have a retouched background or improved resolution, is not something that can be done manually at scale.
AI Sentinel by Lawwwing solves exactly that.
AI Sentinel scans every image on your website and analyses, one by one, whether they contain people generated or manipulated by AI that could constitute a deepfake under Article 50.4 of the AI Act. The output is a clear report: which images require labelling, which do not, and how to proceed to document your compliance.
With that information, you can act: label only what the law actually requires you to label, and stop worrying about the rest.
In fashion, beauty, and lifestyle retail, the use of AI-generated virtual models has exploded. They cost less than a photo shoot, are available instantly, and can be adapted to any garment or aesthetic. But they represent exactly the kind of content European legislators want identified as artificial: people who look real but are not, in situations designed to appear like authentic photographs.
Article 50.4 exists precisely so that consumers know when what they are looking at is an artificial representation. In ecommerce, where images directly shape purchasing decisions and product expectations, that transparency also carries weight in terms of consumer rights.
If you already use Lawwwing for GDPR compliance, cookie management, and legal texts for your store, AI Sentinel integrates into the same ecosystem. One single dashboard to manage your store's complete legal compliance: privacy, cookies, consent, and now AI content labelling as well.
Compatible with WordPress, WooCommerce, Shopify, PrestaShop, Magento, Wix, and every other platform Lawwwing already supports.
The obligation under Art. 50.4 of the AI Act for deployers (which is what ecommerce businesses are) applies specifically to deepfakes: content generated or manipulated by AI that depicts people, places, or events in a way that appears authentic but is not. It does not apply to all AI content, only to content that could mislead viewers about its authenticity.
In practice: an AI-generated product photo with no people is not a deepfake. A virtual model generated with AI who looks like a real person wearing your clothes is. Removing a background with AI is not a deepfake. Altering a real person's face in an image with AI is.
You are responsible for the content you publish in your store. If you cannot demonstrate that an image was not generated or altered with AI, the risk sits with you. That is precisely why automated auditing with AI Sentinel matters: it tells you with certainty which images in your catalogue require labelling, regardless of where they came from.
The AI Act provides for both visible notices to users and technical marking mechanisms (metadata watermarking). For basic compliance, a clear and visible disclosure next to the image or on the product page is the starting point. For full compliance, the European Commission is developing technical standards based on initiatives like C2PA that will require marking within the image file's own metadata. AI Sentinel helps you identify which images need that treatment.
Yes. The AI Act applies to any business that deploys AI systems or publishes AI content directed at users in the EU, regardless of size. Fines do have a proportional calculation for SMEs (whichever is lower between the fixed amount and the percentage of turnover), but the compliance obligations are the same. A small store with unlabelled AI-generated images is just as non-compliant as a large multinational.
It is already in force. The transparency obligations under Article 50, including the labelling of content generated or significantly manipulated by AI, came into effect on 2 February 2025. This is not a future deadline. If you have unlabelled deepfake images in your store, you are already non-compliant.
They are complementary regulations that apply simultaneously. The GDPR governs how your customers' personal data is processed (consent, purpose, access rights...). The AI Act governs how AI systems are used and communicated (risk classification, transparency, documentation, content labelling). You can be fully GDPR-compliant and still breach the AI Act by failing to label your deepfake images, and vice versa. Fines from both can accumulate.
AI Sentinel is Lawwwing's tool that scans every image on your website to detect which ones have been generated or significantly manipulated by artificial intelligence in a way that constitutes a deepfake under Art. 50.4 of the AI Act. It returns an image-by-image report so you can identify which ones require labelling and document your compliance. It is the fastest and most reliable way to audit the AI content in your online store without doing it manually.
The conversation around AI in ecommerce tends to focus on chatbots and recommendation algorithms. But there is a more immediate, more concrete, and far more overlooked obligation: the labelling of images that constitute deepfakes.
It is already in force. It applies to any store that uses virtual models, AI-generated people, or images in which real people's appearances have been altered with generative AI. And non-compliance carries real penalties.
The first step is knowing which images in your store are deepfakes under the AI Act. AI Sentinel by Lawwwing detects them for you, automatically, so you can act on real information rather than guesswork.
Compliance starts with knowing what you have.
Article last updated May 2026. This content is reviewed periodically to reflect regulatory changes under the EU Artificial Intelligence Act (Regulation EU 2024/1689).