EU AI Act & Retail / E-commerce: Recommendation Engines, Dynamic Pricing, and Customer Scoring

Most AI tools used in retail and e-commerce fall under limited or minimal risk categories — but the line to high risk is closer than you think. Learn how recommendation engines, dynamic pricing, and customer scoring are classified under the EU AI Act, and what transparency obligations apply.

26 May 2026 · DILAIG

Retail and e-commerce are among the heaviest users of AI in Europe — recommendation engines, dynamic pricing algorithms, churn prediction models, and customer lifetime value scoring are standard tools at any mid-to-large operator. The good news: most of these systems fall under limited risk or minimal risk under the EU AI Act (Regulation (EU) 2024/1689). The less good news: "limited risk" is not the same as "no obligation," and certain configurations push squarely into high-risk territory.

This article maps the most common retail AI use cases to their risk classification, explains where transparency obligations kick in, and gives you a practical checklist.


How the EU AI Act Classifies Retail AI

The Act uses a four-tier model: prohibited, high-risk, limited-risk, and minimal-risk.

Prohibited AI (Article 5) is irrelevant for standard retail: this tier covers social scoring by public authorities, subliminal manipulation, and real-time biometric surveillance in public spaces — none of which apply to product recommendations or price engines.

High-risk AI (Article 6 + Annex III) is the tier that demands full conformity assessment, technical documentation, human oversight, and registration in the EU database. Retail tools land here only under specific conditions — detailed below.

Limited-risk AI (Article 50) applies to systems that interact with users or generate content. Transparency obligations apply: the system must disclose that the user is interacting with AI.

Minimal-risk AI has no mandatory obligations under the Act. Most inventory forecasting or A/B testing algorithms fall here.


Recommendation Engines

Product recommendation engines (collaborative filtering, content-based, hybrid models) are the backbone of e-commerce personalisation. Under the Act, these are typically limited risk or minimal risk, depending on how they surface recommendations.

  • Minimal risk: backend engines that compute recommendations without directly interacting with users in a conversational way. No disclosure obligation.
  • Limited risk (Article 50): AI-generated content presented to users, including personalised promotional text, AI-generated product descriptions, or chatbot-driven recommendations. Here, you must disclose the AI nature of the interaction or content.

When does it shift? If a recommendation engine also performs customer scoring that feeds into credit decisions, insurance offers, or employment (e.g., retail staff scheduling based on predicted performance), it enters high-risk territory under Annex III §5(b) — creditworthiness assessment — or §4 — employment decisions.

A pure "you might also like" engine on an e-commerce site? Minimal risk. A "recommend this customer for a BNPL offer" engine connected to a financial product? High risk.


Dynamic Pricing

Dynamic pricing algorithms adjust prices in real time based on demand signals, competitor data, inventory levels, and customer segments. These are, in the vast majority of cases, minimal risk under the AI Act.

The Act does not regulate pricing as such. There is no provision classifying revenue management or yield optimisation algorithms as high-risk. The relevant overlay is competition law (Article 101 TFEU for collusive pricing) and consumer protection law, neither of which is part of the AI Act framework.

Exception to watch: if your dynamic pricing system incorporates individual customer creditworthiness scores to offer differentiated credit terms (e.g., BNPL rates, instalment offers), the scoring component may qualify as high-risk under Annex III §5(b). The pricing output itself remains out of scope; the credit scoring input is not.


Customer Scoring

This is where classification becomes genuinely nuanced.

Scoring type | Risk category | Applicable provision
-------------|---------------|---------------------
Churn prediction / LTV scoring | Minimal risk | No mandatory obligation
Engagement scoring for marketing personalisation | Minimal or limited risk | Article 50 if output-facing
Credit scoring / BNPL eligibility scoring | High risk | Annex III §5(b)
Fraud risk scoring (internal, no individual decision) | Minimal risk | No mandatory obligation
Fraud risk scoring triggering account suspension | Limited or high risk | Depends on consequential impact
Staff performance scoring for scheduling/dismissal | High risk | Annex III §4(a)

The critical principle: the AI Act classifies systems based on intended purpose and likely impact, not on the technical nature of the model. A gradient boosting model used for marketing is minimal risk. The same architecture used to assess creditworthiness for a financial product offered through a retail checkout is high risk.


Article 50 Transparency Obligations

Article 50 imposes three types of disclosure requirements relevant to retail:

  1. Chatbots and conversational AI: users must be informed they are interacting with an AI system, not a human, unless this is obvious from context.
  2. AI-generated content: synthetic images, video, or audio must be labelled as AI-generated (with some exceptions for artistic or clearly fictional content).
  3. Emotion recognition / biometric categorisation: if your system infers emotional state or categorises individuals by sensitive characteristics, users must be informed.

For most e-commerce operators, the practical implication is: if you use an AI-powered chatbot for customer service or sales assistance, you must disclose it. Injecting a brief "This is an AI assistant" statement in the chat interface satisfies the obligation.


High-Risk Obligations: What They Actually Mean

If your system crosses into high-risk territory (e.g., credit scoring within a retail banking or BNPL context), the obligations are substantial:

  • Technical documentation per Annex IV (risk management system, data governance, accuracy metrics, intended purpose statement)
  • Conformity assessment (generally self-assessment for Annex III systems not covered by harmonised standards)
  • EU database registration (for deployers of high-risk systems)
  • Human oversight measures (Article 14): a responsible person must be able to review, override, and halt the system
  • Post-market monitoring (Article 72 for deployers): track performance, log incidents, report serious incidents to the national supervisory authority

For retailers acting as deployers of a third-party AI solution (e.g., a BNPL provider's scoring API), Article 26 obligations apply: you must ensure the provider has delivered compliant documentation, implement human oversight, and not use the system outside its intended purpose.


Practical Checklist for Retail and E-commerce Teams

  • Map every AI system in use: purpose, inputs, outputs, and downstream decisions
  • Check whether any scoring output feeds a credit, insurance, or employment decision
  • For AI-powered chatbots and content generators: add mandatory disclosure per Article 50
  • For high-risk systems (BNPL scoring, staff scheduling AI): begin technical documentation under Annex IV
  • For deployers of third-party high-risk AI: request conformity documentation from the vendor
  • Set up a basic incident log even for minimal-risk systems — good practice ahead of any future enforcement
  • Verify that your dynamic pricing algorithm does not incorporate individual credit scores (or document the separation)

Key Articles to Read

  • Article 5: Prohibited practices
  • Article 6 + Annex III: High-risk classification criteria
  • Article 14: Human oversight
  • Article 26: Obligations for deployers
  • Article 50: Transparency obligations for limited-risk AI
  • Article 72: Post-market monitoring for deployers

Most retail AI is not high-risk. But "not high-risk" is not the same as "nothing to do." Article 50 transparency obligations apply broadly, and any AI touching financial or employment decisions requires a full compliance review.


DILAIG automates the EU AI Act compliance process — from risk classification to technical documentation. Run your audit in minutes at dilaig.com.
