Most websites added AI features quietly. A chatbot here. A recommendation engine there. AI-generated product descriptions. Personalisation based on browsing history. None of it required a press release — and most of it didn't prompt anyone to update the privacy policy or terms of service.
That's becoming a problem. The EU AI Act is being phased in (its transparency obligations for AI that interacts with people apply from 2 August 2026), US states are writing disclosure rules, and regulators in multiple jurisdictions are starting with the most visible, obvious question: does this website tell users what AI it's using?
This guide covers each type of AI website feature and what it requires.
Type 1: Chatbots and Virtual Assistants
What it is: Any AI system users can have a conversation with — customer support bots, sales assistants, help centre agents, lead qualification chatbots.
What's required: Users must be clearly informed they are interacting with an AI system before or at the very start of the interaction, unless that is already obvious to a reasonably well-informed user in context. This is Article 50(1) of the EU AI Act and is increasingly expected under US frameworks.
What it looks like in practice:
- "Hi, I'm an AI assistant — how can I help you today?"
- A visible "AI" or "Bot" label in the chat window
- Opening text that makes clear this is automated
What doesn't count: Giving the chatbot a human name (Sarah, Alex) without any AI disclosure. A photo of a smiling human next to the chat window. A biography that implies the bot is a real employee.
The disclosure rule: A human persona does not lift the obligation. The EU AI Act (Article 50(1)) requires that people are told they are interacting with an AI system unless that is already obvious, so a bot given a human name must still disclose that it is AI, and it must not claim to be a human when a user asks.
Open your website's chatbot. Does the first message make it clear this is AI? If not, that's a gap — and it's one of the first things regulators look for.
Type 2: AI-Generated Content
What it is: Blog posts, product descriptions, news articles, images, audio, or video generated entirely or substantially by an AI system.
What's required: The EU AI Act (Article 50) puts two obligations here. Providers of systems that generate synthetic text, images, audio or video must mark the output as AI-generated in a machine-readable way. Deployers must disclose deepfakes (synthetic images, audio or video that resemble real people, places or events), and AI-generated text published to inform the public on matters of public interest must be disclosed unless it has been through human review and someone holds editorial responsibility for it. The practical test is whether a reasonable person could mistake the content for authentic human-created content.
The nuance: Product descriptions written with AI assistance in a standard SaaS tool are lower risk than AI-generated news articles or synthetic media. The higher the stakes — and the more realistic the output — the clearer the disclosure requirement.
Where to disclose:
- On or near the content itself ("This article was drafted with AI assistance")
- In a site-wide content policy or editorial standards page
- In your privacy policy or terms, for systematic AI content generation
Type 3: Recommendation Engines
What it is: Systems that show users personalised content, products, or search results based on their profile, history, or inferred characteristics.
What's required: Transparency about the main parameters used to generate recommendations, and a way to opt out of profiling-based recommendations. For online platforms the Digital Services Act sets this out directly: Article 27 requires the main parameters of recommender systems to be explained in the terms of service, and Article 38 requires very large platforms to offer at least one option not based on profiling. Under GDPR, which is already in force and predates the AI Act, users must be told about profiling and have the right to object to it (Article 21).
What your privacy policy should say:
- That you use recommendation or personalisation systems
- What data they use (browsing history, purchase history, location, inferred interests)
- Whether this involves profiling under GDPR
- How users can opt out or adjust their profile
The common gap: Privacy policies that say "we may personalise your experience" without specifying what data is used or that an AI system is making those decisions.
Type 4: Automated Decisions That Affect Users
What it is: AI systems that make decisions with legal or significant effects on individuals — automated account bans, price adjustments based on user profiles, access restrictions, credit decisions, insurance pricing.
What's required: This is the most regulated area. Under GDPR Article 22 (with the information rights in Articles 13 to 15), users have the right to:
- Know an automated decision was made
- Understand the main factors behind it
- Request human review
- Contest the decision
What this means for your website: If your system can automatically suspend accounts, block access, adjust pricing based on profiling, or restrict features based on AI scoring — you need a visible, working path for users to request human review. A contact email with a stated purpose is the minimum.
Where it goes wrong: Automated moderation that bans users with no human appeal process. Dynamic pricing that can't be questioned. Subscription downgrades triggered by AI scoring that the user has no visibility into.
Type 5: AI That Processes Sensitive Data
What it is: AI systems that process special-category data under GDPR Article 9 (health data, biometric data used to identify someone, genetic data, and data revealing ethnicity, political opinions, religion or sexual orientation), or other high-risk data such as financial details.
What's required: A lawful basis for special-category data (in a consumer context that is usually explicit consent), clear disclosure of what the AI does with that data, and stricter data minimisation. Financial data is not a special category under GDPR but is still high-risk, so treat it the same way. If your AI processes health-related queries, financial information, or anything biometric, you're in a higher-scrutiny category.
Where All of This Goes: Your Privacy Policy
Most privacy policies written before 2023 need to be updated. The additions aren't complicated — but they need to be there.
Add a section (or update an existing section) that covers:
- AI systems we use: Name them. Chatbot powered by [provider]. Recommendation engine. Content generation tools.
- What they process: What personal data these systems access or generate.
- Decisions they make: Whether any automated decisions affect users, and what those decisions are.
- Your rights: How users can request human review, opt out of profiling, or contest automated decisions.
- Third-party AI providers: If you use OpenAI, Google Gemini, Anthropic, or similar APIs, name them — the same way you'd name Stripe for payments.
The One-Minute Audit
Open your website as an outside visitor. Ask these questions:
- If there's a chatbot, does the first message disclose it's AI?
- Does the privacy policy mention AI, automated decisions, or machine learning?
- Is there a visible way to request human review of any automated decision?
- Does the cookie policy mention AI personalisation or profiling?
- Is AI-generated content labelled as such?
If the answer to any of these is no — that's a gap that's visible to users, regulators, and now, automated scanners.
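The audit above can be run mechanically. The script below is an added example written for this page, not PolicyGen's scanner or any code from the original article: it runs the same five questions as keyword heuristics over constructed page fragments (a chatbot's opening message, a privacy policy, an article). The term lists, the `example.com` addresses and the sample HTML are all assumptions made for the example.

```python
"""Heuristic AI-transparency audit over page fragments (added example)."""
import re
from html.parser import HTMLParser

# Keyword heuristics assumed for this example; they test whether the words are
# present on the page, not whether the disclosure is legally adequate.
AI_TERMS = re.compile(
    r"\b(ai|artificial intelligence|machine learning|automated|bot|chatbot|"
    r"virtual assistant|language model|llm)\b", re.I)
DECISION_TERMS = re.compile(
    r"\b(automated decision(s|-making)?|profiling|automated processing)\b", re.I)
HUMAN_REVIEW_TERMS = re.compile(
    r"\b(human review|human intervention|contest|appeal|request a review)\b", re.I)
PROVIDER_TERMS = re.compile(r"\b(openai|gemini|anthropic|claude|azure openai)\b", re.I)
AI_LABEL_TERMS = re.compile(
    r"\b(ai[- ]generated|generated (by|with) ai|drafted with ai)\b", re.I)


class _TextExtractor(HTMLParser):
    """Collect visible text and mailto: addresses, skipping script/style."""

    def __init__(self):
        super().__init__()
        self.chunks, self.mailtos, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value and value.lower().startswith("mailto:"):
                    self.mailtos.append(value[len("mailto:"):])

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

    def text(self):
        return " ".join(" ".join(self.chunks).split())


def visible_text(html):
    parser = _TextExtractor()
    parser.feed(html)
    return parser.text(), parser.mailtos


def chatbot_discloses_ai(first_message):
    """True only if the opening message itself says it is automated."""
    return bool(AI_TERMS.search(first_message))


def audit_privacy_policy(policy_html):
    text, mailtos = visible_text(policy_html)
    return {
        "mentions_ai": bool(AI_TERMS.search(text)),
        "mentions_automated_decisions": bool(DECISION_TERMS.search(text)),
        "names_ai_provider": bool(PROVIDER_TERMS.search(text)),
        # A review path needs both the promise and a way to reach a human.
        "human_review_path": bool(HUMAN_REVIEW_TERMS.search(text)) and bool(mailtos),
    }


def content_is_labelled(article_html):
    text, _ = visible_text(article_html)
    return bool(AI_LABEL_TERMS.search(text))


def audit_site(chatbot_first_message, policy_html, article_html):
    """Run the checks and return (results, names of the checks that failed)."""
    results = {"chatbot_discloses_ai": chatbot_discloses_ai(chatbot_first_message)}
    results.update(audit_privacy_policy(policy_html))
    results["ai_content_labelled"] = content_is_labelled(article_html)
    gaps = [name for name, ok in results.items() if not ok]
    return results, gaps


# Constructed sample inputs for the example; not taken from any real site.
SAMPLE_CHAT_BAD = "Hi, I'm Sarah from support. How can I help you today?"
SAMPLE_CHAT_GOOD = "Hi, I'm an AI assistant. How can I help you today?"
SAMPLE_POLICY = """
<h2>Personalisation</h2><p>We may personalise your experience.</p>
<h2>Contact</h2><p>Write to <a href="mailto:privacy@example.com">privacy@example.com</a>.</p>
"""
SAMPLE_ARTICLE = "<article><p>Ten tips for better sleep.</p></article>"

if __name__ == "__main__":
    results, gaps = audit_site(SAMPLE_CHAT_BAD, SAMPLE_POLICY, SAMPLE_ARTICLE)
    for name, ok in results.items():
        print(("ok  " if ok else "GAP ") + name)
```

Run against the constructed "we may personalise your experience" policy, every check fails, which is exactly the common gap described above: the words that would satisfy a scanner are simply absent. A pass means the disclosure exists, not that it is sufficient, so a passing page still needs a human read.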
Run a website trust scan
PolicyGen checks observable public website trust signals such as policy links, cookie and tracking disclosures, CMP detection, SSL/security-lite signals, and customer-facing trust paths.
Frequently Asked Questions
Do I need to disclose that I use AI on my website?
Yes, in most cases. If your website uses AI that interacts with users (chatbots), makes automated decisions affecting users, or generates content that could be mistaken for human-created content, disclosure is required under the EU AI Act and increasingly under US state laws.
What does AI disclosure on a website look like?
AI disclosure typically includes: a label indicating a chatbot is AI-powered, a privacy policy section explaining what AI systems process user data, and a mechanism for users to request human review of automated decisions. The disclosure must be clear and visible — not buried in a footer.
Does my privacy policy need to mention AI?
Yes, if you use AI that processes personal data. Your privacy policy should name the AI tools you use, explain what decisions they make, what personal data they process, and how users can request human review. Most privacy policies written before 2023 don't include this.
What is an AI transparency signal on a website?
AI transparency signals are publicly visible indicators that a website honestly discloses its AI use — chatbot labels, AI disclosure in the privacy policy, automated decision explanations, and human escalation paths. PolicyGen does not provide an AI compliance assessment or regulatory certification.