What Marketing Analytics Has to Learn from the EU AI Act (Even If You Don't Build AI)
May 2026: the core EU AI Act obligations are live and the grace period is over. Which marketing setups count as AI systems, which risk tier they fall into, and what to do about it now.
Why this is a marketing topic even without an AI project
In the marketing meeting, the question often comes up, "do we need to deal with the EU AI Act?", and the answer comes too quickly: "no, we don't build AI". Three months later the data-protection officer arrives with a list of questions that directly contradict that assumption.
Here's the problem with the assumption: the EU AI Act defines "AI system" so broadly that many marketing setups fall under it. Smart Bidding in Google Ads is an AI system. Lookalike audiences in Meta are AI systems. Attribution models in GA4 are AI systems. Personalisation engines in a shop are AI systems.
The question isn't "does this affect us", it's "which risk category does our setup fall into, and which obligations follow from it".
The EU AI Act is like a building code. It doesn't say "no more houses". It says "houses have to meet these properties depending on whether they're a home, a hospital or a nuclear plant". Risk classification, not blanket ban.
The risk classification
The Act distinguishes four tiers. The pyramid below is interactive; click or tab through the tiers to see concrete marketing examples and the primary obligation per tier. The Limited-risk panel, as text:
Limited risk
Obligation: transparency obligation, users must know they're interacting with AI, and AI-generated content must be labelled.
Marketing examples:
- AI chatbot on the website
- GenAI blog or ad copy
- AI-generated images / deepfakes
- Emotion analysis (e.g. for UX optimisation)
2026 status: transparency obligations from August 2026. Active enforcement by the EU AI Office across DE/AT/FR.
Short version in words:
- Prohibited (Unacceptable Risk). Social scoring, manipulative systems, real-time biometric identification in public spaces. Marketing setups don't reach this tier.
- High Risk. Education and employment systems, critical infrastructure, biometrics. Not in standard marketing either; the exception is HR recruitment AI that takes personnel decisions.
- Limited Risk. Systems that interact with humans or generate synthetic content, chatbots, AI-generated images/text, deepfake tools, emotion analysis. Transparency obligation applies: users must know they're interacting with AI.
- Minimal Risk. Everything else; most marketing tools land here. Smart Bidding, lookalike audiences, standard personalisation. Documentation and oversight obligations apply, but no tool-specific compliance requirements.
For marketing owners: in 95% of cases setups land in Minimal or Limited Risk.
Which setups count as AI systems
The definition in the EU AI Act (Art. 3(1)): an AI system is a machine-based system that operates with varying degrees of autonomy, can adapt, and from received inputs derives content, predictions, recommendations, or decisions.
Concretely in the marketing context, tool by tool, with explicit risk-tier mapping:
- Google Ads Smart Bidding → AI system, Minimal Risk. Algorithms that set bids based on conversion data and user signals. No user-facing interaction, no synthetic content. Obligation: inventory + provider contract.
- GA4 Predictive Audiences (Purchase Probability, Churn Probability) → AI system, Minimal Risk. Algorithmic classification at cohort level without user interaction. Obligation: documentation in the DPIA, no user notice required.
- GA4 Data-Driven Attribution → AI system, Minimal Risk. Algorithm-based distribution of conversion value instead of last-click. No user-facing consequence, so no transparency obligation.
- Meta Lookalike Audiences → AI system, Minimal Risk. Algorithms that identify similar users based on existing customer cohorts. Review provider contract (Meta DPA).
- Recommendation engines on shops ("Customers also bought") → AI system, mostly Minimal Risk. As long as there's no heavy personalisation with profile building, documentation is enough.
- AI chatbots on the website (Intercom AI, Drift, custom GPT wrappers) → AI system, Limited Risk. The transparency obligation applies: a clear notice at the start of the conversation ("You're chatting with an AI assistant") is mandatory.
- GenAI for blog and ad copy (Jasper, Copy.ai, in-house LLM workflows) → AI system, Limited Risk. AI-generated content must be labelled as such; industry standards like the C2PA protocol will likely become relevant.
- AI-generated images / ad creative (Midjourney, DALL·E, Stable Diffusion in ad creatives) → AI system, Limited Risk. Same labelling obligation as for text, especially when images show real people or products that aren't real.
- AI emotion analysis for UX (Affectiva and similar tools on webcam feeds) → AI system, Limited Risk with heightened scrutiny. If the analysis runs in a recruiting or HR context, it tips into High Risk.
- Marketing Mix Modelling (MMM). Edge case, usually not an "AI system" in the narrower sense, because no adaptive decision is made. Depends on the specific tool.
- Heatmap / session-recording tools (Hotjar, Contentsquare). If they detect patterns automatically or personalise, possibly AI system. Pure recording, not.
Rule of thumb: if a tool derives predictions or recommendations from data and adapts in doing so, it's an AI system under the EU AI Act. If it also interacts with humans or produces synthetic content, it jumps from Minimal to Limited Risk.
What obligations apply to your stack?
Toggle the tools you actually use; the card below aggregates them to the highest risk tier of any tool in the stack and names your concrete obligations.
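The aggregation the card performs, as an added example rather than the page's own tool: a small inventory classifier that applies the rule of thumb above (derives outputs and adapts → AI system; interacts with humans or produces synthetic content → Limited; HR/recruiting decisions → High) and rolls the stack up to its highest tier. Tool names, flags and the obligation lists are constructed for illustration.

```python
from dataclasses import dataclass

MINIMAL, LIMITED, HIGH = "Minimal Risk", "Limited Risk", "High Risk"
RANK = {MINIMAL: 1, LIMITED: 2, HIGH: 3}

# Obligations per tier, condensed from the Limited/Minimal sections (constructed wording).
OBLIGATIONS = {
    MINIMAL: ["inventory", "provider contract / DPA clause review", "document data in/out (DPIA)"],
    LIMITED: ["transparency notice to users", "label AI-generated content", "DPIA / AI impact assessment"],
    HIGH: ["out of scope for marketing: escalate to DPO / counsel"],
}

@dataclass
class Tool:
    name: str
    derives_outputs: bool           # predictions, recommendations or decisions derived from data
    adapts: bool                    # adjusts its behaviour as the data changes
    interacts_with_humans: bool = False
    synthetic_content: bool = False
    hr_decisions: bool = False      # used for recruiting / personnel decisions

def classify(tool: Tool):
    """Risk tier under the rule of thumb, or None if the tool is not an AI system."""
    if not (tool.derives_outputs and tool.adapts):
        return None                 # e.g. MMM without adaptive decisions, pure session recording
    if tool.hr_decisions:
        return HIGH
    if tool.interacts_with_humans or tool.synthetic_content:
        return LIMITED
    return MINIMAL

def aggregate(stack):
    """Highest tier across the stack plus the obligations that follow; non-AI tools listed separately."""
    tiers = {t.name: classify(t) for t in stack}
    ai = {n: tier for n, tier in tiers.items() if tier}
    top = max(ai.values(), key=RANK.get) if ai else None
    return {
        "per_tool": tiers,
        "stack_tier": top,
        "obligations": OBLIGATIONS.get(top, []),
        "not_ai": [n for n, t in tiers.items() if t is None],
    }

# Constructed sample inventory mirroring the tool list above.
SAMPLE_STACK = [
    Tool("Google Ads Smart Bidding", True, True),
    Tool("GA4 Predictive Audiences", True, True),
    Tool("Website chatbot", True, True, interacts_with_humans=True),
    Tool("GenAI ad copy", True, True, synthetic_content=True),
    Tool("Marketing Mix Modelling", True, False),
]
```

Running `aggregate(SAMPLE_STACK)` reports Limited Risk for the stack because of the chatbot and GenAI copy, and lists MMM as not an AI system.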
What Limited Risk really means
If a setup falls into Limited Risk, typically because of chatbots, AI-generated content, or emotion analysis, three obligations apply:
Transparency. Users must know they're interacting with an AI system. For chatbots that means a notice at the start of the conversation, not hidden in the footer. For AI-generated images: no "real photo" impression without disclosure.
Labelling. AI-generated content must be marked as such. That goes for marketing text written by an LLM and for images produced by an image generator. The exact labelling format is still being defined in regulatory practice; industry standards like the C2PA protocol will likely become relevant.
Documentation. Which AI systems are deployed? For what purpose? With what data? Documented in the DPIA, or in a separate AI impact assessment. Regulators have been actively asking for this documentation since Q1 2026.
What Minimal Risk really means
Obligations apply at Minimal Risk too; they're just less strict:
Inventory. Which AI systems are in the setup? Smart Bidding yes or no. Lookalike audiences yes or no. Recommendation engine yes or no. A simple list in the internal wiki is enough.
Provider contract. Who's the AI system's provider? Google for Smart Bidding, Meta for lookalikes, the shop vendor for recommendations. Check contract terms, specifically the DPA clauses on AI usage.
Document the data output. If the AI system makes decisions for marketing activities (e.g. who sees which ad), document it: what goes in, what comes out. That's 80% the same content as a DPIA; if you have one, you're already most of the way there.
Five-point checklist
The most important five steps, as a checklist to tick off:
- Build an AI inventory. Which AI systems does marketing use? Smart Bidding, lookalikes, personalisation, chatbots, AI tools for content. List in an internal doc.
- Classify the risk per system. Limited or Minimal? When in doubt, usually Minimal, but verify the transparency obligation.
- Transparency layer for Limited-risk systems. Chatbot notice, AI-generated-content labelling, documentation of the deployed models.
- Extend DPIA / AI impact assessment. An existing DPIA should cover AI systems. If it dates from 2022, it's probably out of date.
- Review provider contracts. Does Google's contract have an AI-usage clause? Meta's? The shop engine's? DPO or counsel should review.
Datascale runs the AI Readiness Audit as a service: we walk through the setup, classify every AI component, document the risk tier, and deliver an actionable plan. Our own EU AI Act Quick-Check Tool can also give a first read in 5 minutes.
More on the methodology on the AI Strategy & Data Readiness service page.
When does the EU AI Act apply, and from what date?
The Act came into force in August 2024. Prohibitions (Unacceptable Risk) have applied since February 2025. Obligations for general-purpose AI models since August 2025. Obligations for high-risk systems and for most marketing-relevant provisions from August 2026. By 2027 a setup should be fully documented.
Do users (= deployers) need to register?
No. Registration applies to providers of high-risk systems, those who build and distribute the AI system. As a deployer (= using an existing tool), documentation and transparency obligations apply, but no registration.
What's the difference between GDPR and the EU AI Act?
GDPR regulates personal data. The EU AI Act regulates AI systems, whether they process personal data or not. Both can apply in parallel. If an AI system processes personal data (which is almost always the case in marketing), both apply simultaneously.
Do we need a separate AI impact assessment alongside the DPIA?
Recommended. Some data-protection authorities already require it. Pragmatic approach: extend the existing DPIA with an AI-specific section, risk classification, providers, data flows, deployed models. For Limited-risk systems: yes, should be documented. For Minimal Risk: optional, but good practice.
Who's responsible if the AI system makes a mistake?
For marketing tools (Smart Bidding etc.): typically the provider (Google, Meta) for model defects, the deployer for configuration and deployment. Smart Bidding optimising on wrong conversion data? That's a deployer configuration error. An algorithm systematically discriminating against a group? Probably sits with the provider.
Do all AI tools need to be disclosed immediately?
Pragmatically: yes, internally in the DPIA / AI impact assessment. Externally (on the website): for Limited Risk yes, for Minimal Risk not mandatory. Industry standards will get clearer over the next 12 months; proactive documentation always beats reactive.
Are GA4 Predictive Audiences affected, and if yes, how?
Yes, they count as an AI system. But they land in Minimal Risk because they produce no user-facing interaction and no synthetic content. Obligation: documentation in the DPIA + check the Google DPA clause. No user notice required.
What happens if you violate the Act?
Fines under the EU AI Act are high: up to €35M or 7% of global annual turnover for the most serious violations (prohibitions). For Limited- and Minimal-Risk breaches they're significantly lower, but still real. In practice the first fines from Q2 2026 are still in the lower five-figure range and primarily hit missing chatbot notices and unlabelled GenAI content; there's no guarantee that stays the case.