
The EU AI Act's Article 50 Deadline Lands August 2, 2026: What Privacy and Transparency Actually Require
The most concrete regulatory deadline for any AI product touching EU users is now weeks away. On August 2, 2026, Article 50 of the EU AI Act becomes fully applicable, and the European Commission's draft guidelines make the privacy and transparency requirements far more specific than most teams realize. This is not a high-risk-only provision. It applies to chatbots, image generators, emotion-recognition systems, deepfake tooling, and, notably, agentic AI that might interact with a human even if you did not design it to. If your product generates content or talks to people, you are probably in scope.
Key Takeaways
- Article 50 applies broadly: it is not limited to high-risk AI systems. Any AI system that interacts with humans, generates synthetic content, performs emotion recognition, or produces deepfakes triggers transparency duties, regardless of risk classification.
- Three of the four Article 50 obligations (sub-articles 1, 3, and 4) have no transition period. They apply from August 2, 2026. Only the machine-readable marking requirement under Article 50(2) gets a grandfathering extension to December 2, 2026, and only for systems already on the market before the deadline.
- Fines for non-compliance reach up to €15 million or 3% of worldwide annual turnover, whichever is higher.
- The Commission's draft guidelines shift the disclosure standard for agentic AI from "disclose where human interaction is certain" to "disclose where it is plausible," a significant expansion that most commentary has not caught up with.
- GDPR obligations stack on top of Article 50, not behind it. Products handling biometric or emotion-recognition data must satisfy both regimes simultaneously.
What does Article 50 actually require?
Article 50 contains four distinct transparency obligations, each triggered by a different use case. They are not alternatives; a single product can trigger more than one.
Article 50(1) requires that AI systems designed to interact directly with natural persons disclose their artificial nature to those persons. The canonical example is a chatbot. If a user could reasonably believe they are talking to a human, you must tell them otherwise. This applies regardless of risk tier.
Article 50(2) targets providers of AI systems that generate synthetic audio, image, video, or text. You must ensure outputs are marked in a machine-readable format as artificially generated. This is the watermarking and metadata obligation. The Commission's draft guidelines are explicit: the marking must be embedded in the content itself, not merely declared in a separate manifest or API response.
Article 50(3) covers deployers of emotion-recognition or biometric-categorization systems. You must inform the natural persons exposed to the system and process their personal data in conformity with applicable law, meaning GDPR, the ePrivacy Directive, and national implementations.
Article 50(4) addresses deepfakes specifically. Deployers who publish or distribute AI-generated or manipulated image, audio, or video content that appreciably resembles existing persons, objects, places, or events must disclose that the content has been artificially generated or manipulated. There is an artistic/satirical carve-out, but it explicitly excludes content serving a primarily informative or commercial purpose. So: no, your AI-generated product demo featuring a realistic human spokesperson does not qualify for the exemption.
Which deadlines actually apply on August 2?
Three of the four obligations apply with no transition whatsoever on August 2, 2026. Articles 50(1), 50(3), and 50(4) are live from that date for every system in scope, whether it launched last week or three years ago.
The only relief is for Article 50(2), the machine-readable marking requirement. On May 7, 2026, EU co-legislators agreed on a targeted grandfathering rule: generative AI systems already on the market before August 2, 2026 get until December 2, 2026 to implement machine-readable content marking. The Commission had originally proposed February 2027, so the final date is actually tighter than expected.
If you launch a new generative system after August 2, 2026, you must comply with all four sub-articles from day one. No grace period.
How big are the fines?
Non-compliance with Article 50 can trigger fines up to €15 million or 3% of worldwide annual turnover, whichever is higher. For context, this is the same tier as GDPR's lower band, and it applies to transparency violations specifically. You do not need to be operating a high-risk system to face these penalties.
What did the Commission's draft guidelines actually clarify?
The 40-page draft, published May 8, 2026 by the AI Office, went well beyond restating the statutory text. Several points matter more than others for builders.
Is a single disclosure at the start of a conversation enough?
Not necessarily. The guidelines introduce a timing test that applies per person and per output. A disclosure buried in terms of service, shown once on first login, may be insufficient. For interactive systems where users may form emotional attachments (companion chatbots, therapeutic tools, persistent assistants), the guidelines suggest that periodic reminders of the system's artificial nature may be required. This is a UX architecture question, not a legal footnote. If your chatbot runs a multi-day conversation and never re-identifies itself as AI, you have a compliance gap.
Does the source-code exemption cover documentation generated by coding tools?
Partially. The draft guidelines exempt source code proper from the Article 50(2) machine-readable marking requirement, including inline comments and docstrings. But standalone documentation, README files, natural-language explanations, or tutorials generated by the same tool re-enter the obligation as ordinary text output. If your coding assistant generates both code and prose, you need to handle them differently.
How does Article 50 interact with the Digital Services Act?
The guidelines address this overlap directly. For deepfake labelling under Article 50(4), where a very large online platform provides labelling tools (as several already do under DSA obligations), deployers may rely on those platform-provided tools to satisfy their Article 50(4) disclosure duty. This is helpful for deployers who distribute through established platforms, less helpful if you are the platform.
Why is agentic AI the sleeper compliance risk?
Because the Commission's draft guidelines expand the disclosure trigger from certainty to plausibility, and most teams building autonomous agents have not internalized this shift.
Under a strict reading of Article 50(1), you might argue that an AI system only needs to self-identify when it is "designed to interact" with a natural person. An autonomous scheduling agent, an outreach bot, or a browsing agent might not be designed for human interaction per se. It interacts with APIs, calendars, email servers. Humans are incidental.
The draft guidelines close that gap. Where a provider cannot reliably determine whether an autonomous agent will interact with a human, the agent must self-disclose its artificial nature whenever such interaction is "reasonably foreseeable." The standard is not "designed to interact" but "might plausibly interact."
If your agent sends emails, makes phone calls, posts messages in shared channels, or otherwise communicates in a medium where a human might be on the other end, self-disclosure is required. This applies even if 95% of the agent's communications are machine-to-machine. The 5% matters.
Most Article 50 commentary focuses on chatbots and deepfakes. If you are building agentic tooling, schedulers, autonomous browsing, multi-step task agents, this is the paragraph in the guidelines you should read first.
How does GDPR stack with Article 50?
It does not replace it. It runs alongside it. This is one of the most under-discussed compliance burdens for products that handle personal data and generate content simultaneously.
Consider a generative AI widget embedded on an e-commerce site. Under Article 50(1), you must disclose its artificial nature to users. Under Article 50(2), you must mark its text outputs as AI-generated in a machine-readable format. Under GDPR, if the widget sets non-essential cookies, processes user inputs for profiling, or uses conversation data for model improvement, you need lawful basis and likely explicit consent. These are separate obligations with separate enforcement mechanisms.
Research from compliance analysts suggests that GDPR compliance covers roughly 40% of the AI Act's data-handling requirements, leaving approximately 60% in AI-specific obligations like risk classification, transparency disclosures, and content marking. Being GDPR-compliant gives you a head start. It does not get you across the line.
For systems performing emotion recognition or biometric categorization under Article 50(3), the stacking problem is especially acute. The AI Act requires you to inform exposed persons. GDPR requires a lawful basis for processing their biometric data, which under Article 9 is special-category data demanding explicit consent or one of a narrow set of exceptions. You cannot satisfy one and ignore the other.
What does the Code of Practice on Transparency add?
The final Code of Practice on marking and labelling of AI-generated content, published June 10, 2026, is voluntary. But "voluntary" in EU regulatory parlance tends to mean "voluntary until it becomes the benchmark enforcement authorities measure you against."
The Code introduces uniform EU icons and text labels for AI-generated content, including specific label designs for deepfakes. It provides a reference framework for what "machine-readable" marking should look like in practice. The Commission encouraged stakeholders to submit signatory forms by July 22, 2026.
Signing the Code does not guarantee compliance with Article 50. Not signing it does not excuse non-compliance. But in a regime where enforcement uncertainty is high and no single marking technology is yet considered universally reliable, having adopted the Code's recommendations gives you a defensible position. That is the practical value.
What marking technologies actually exist today?
This is where honestly matters more than optimism. No single marking technology currently meets all Article 50(2) requirements with full reliability. Policy analysts have flagged that forensic detection mechanisms are not considered dependable enough for enforcement purposes, common evaluation benchmarks for marking robustness have not emerged, and significant uncertainty remains about how market surveillance authorities will interpret compliance.
For text, C2PA metadata and SynthID-style watermarking represent the most developed approaches, but both have known limitations: metadata can be stripped, and statistical watermarks can be degraded by paraphrasing or editing. For images and video, C2PA provenance data is more mature, but adoption across the distribution chain remains uneven.
The practical implication: you should implement the best available marking, document your implementation choices, and be prepared to explain why your approach is reasonable. Perfection is not the standard. Good-faith, state-of-the-art implementation probably is.
How does this affect products built with privacy as a constraint?
Products that were designed from the start to minimize data retention and maximize user control have a structural advantage here, but it is not absolute.
We build Selina as a privacy-first AI assistant. Content is encrypted at rest. Files and transfers through SelinaSEND are end-to-end encrypted. Memory is NOT end-to-end encrypted; a slice of each request reaches a frontier provider at inference, and we state that plainly rather than obscuring it. Non-content operational metadata is kept for a short retention window, not indefinitely.
That architecture gives us a head start on the GDPR side of the stacking problem. Data minimization by design, encrypted storage, explicit user controls for deletion (delete means gone, actually gone). But Article 50 adds obligations that are orthogonal to data protection. We still need to ensure our assistant self-identifies as AI to every user it interacts with. We still need to mark generated text in machine-readable formats. Privacy architecture helps with roughly 40% of the compliance surface. The remaining 60% requires separate engineering.
We think this is an honest framing. Products that claim GDPR compliance covers their AI Act obligations are underestimating the gap. Products that built nothing for GDPR and now face Article 50 have twice the work.
What should you actually do before August 2?
If your product uses AI and serves EU users, here is a concrete checklist, not exhaustive, but a reasonable starting point.
- Audit your Article 50 triggers. Map each AI feature in your product to the four sub-articles. Does it interact with users (50(1))? Generate text, images, audio, or video (50(2))? Perform emotion recognition or biometric categorization (50(3))? Produce content that resembles real people, places, or events (50(4))? Most generative products trigger at least 50(1) and 50(2).
- Implement runtime disclosure for interactive systems. Every user-facing AI interaction must include a clear, timely disclosure that the system is AI. "Timely" means before or at the point of interaction, not buried in a settings page. For persistent conversations, consider periodic re-disclosure.
- Add machine-readable content marking. If you generate synthetic text, images, audio, or video, implement C2PA metadata, watermarking, or equivalent marking. If your system was on the market before August 2, you have until December 2 for this specific obligation. If you launch after August 2, it must be there from day one.
- Review your agentic features. If any AI component in your product might communicate with a human, even incidentally, build self-disclosure into its communication layer. The standard is "reasonably foreseeable," not "intentionally designed."
- Map the GDPR overlap. For every Article 50 trigger, confirm you also have the GDPR compliance in place: lawful basis, consent mechanisms for special-category data, data subject rights. These are separate and must both be satisfied.
- Document your choices. In an environment where enforcement standards are still emerging, a well-documented rationale for your implementation decisions is itself a compliance asset.
Is compliance theater enough?
Probably not. And this is where the draft guidelines are more demanding than most summaries suggest.
The easy version of Article 50 compliance is: add a banner that says "This is AI," embed some metadata, move on. The guidelines push further. Disclosures must be "clear, meaningful, and provided at the right moment." A disclosure that a user never sees, or sees only once and forgets, or that is technically present but practically invisible, may not satisfy the obligation.
The compliance-checker data from artificialintelligenceact.eu shows that transparency obligations are the second most common compliance trigger after AI literacy requirements, affecting roughly 33% of respondents surveyed. This is not a niche concern. For many organizations, Article 50 is the primary compliance challenge.
The difference between compliance theater and real transparency is roughly the difference between a cookie banner nobody reads and a genuinely informed consent flow. The first satisfies the letter. The second satisfies the intent. The guidelines suggest the Commission is aiming for the second, even if enforcement in the first year may be pragmatically closer to the first.
What remains uncertain?
Several things. The draft guidelines were open for consultation until June 3, 2026, and as of recent reporting, final guidelines had not been formally adopted. They remain non-binding. How market surveillance authorities in individual member states will interpret and enforce these obligations in practice is unknown. Whether the current crop of watermarking and metadata technologies will be deemed sufficient is an open question.
None of this uncertainty is a reason to wait. The statutory text is clear. The fines are real. The deadline is not moving. The uncertainty is in the details of enforcement, not in the existence of the obligation.
If you are building an AI product that talks to people, generates content, or runs autonomous agents, and any of your users are in the EU, August 2 is your date. Prepare accordingly.
If you want to see how we handle transparency and privacy in practice, start a free 7-day trial, no card required.
Frequently Asked Questions
What is the deadline for Article 50 of the EU AI Act, and does it apply only to high-risk systems?
Article 50 becomes fully applicable on August 2, 2026, and it is not limited to high-risk systems. It applies to any AI system that interacts with humans, generates synthetic content, performs emotion recognition, or produces deepfakes, regardless of risk classification.
Is there any grace period for complying with Article 50's requirements?
Only Article 50(2), the machine-readable marking requirement, gets a grandfathering extension to December 2, 2026, and only for generative AI systems already on the market before August 2, 2026. Articles 50(1), 50(3), and 50(4) have no transition period and apply from August 2, 2026 for every in-scope system.
What are the penalties for non-compliance with Article 50?
Fines can reach up to €15 million or 3% of worldwide annual turnover, whichever is higher, and this applies to transparency violations specifically, not just high-risk system failures.
How do the Commission's draft guidelines change disclosure requirements for agentic AI?
The draft guidelines shift the disclosure standard from requiring self-identification only when human interaction is certain to requiring it whenever such interaction is 'reasonably foreseeable' or plausible. This means agents like schedulers or outreach bots must self-disclose their artificial nature if there's any plausible chance a human is on the other end, even if most interactions are machine-to-machine.
Does being GDPR-compliant satisfy Article 50 obligations?
No, GDPR runs alongside Article 50 rather than replacing it, and compliance analysts estimate GDPR only covers about 40% of the AI Act's data-handling requirements. Products handling biometric or emotion-recognition data, or generating content while processing personal data, must satisfy both regimes simultaneously.
Sources & References
- The EU AI Act’s Transparency Rules: A Practical Guide to Article 50 | EU Artificial Intelligence Act
- EU AI Act Transparency Obligations: Preparing for Compliance by 2 August 2026 | Data Matters Privacy Blog
- Article 50: Transparency Obligations for Providers and Deployers of Certain AI Systems | EU Artificial Intelligence Act
- Code of Practice on marking and labelling of AI-generated content | Shaping Europe’s digital future
- AI Act: The Commission provides guidance on the transparency obligations under Article 50 | Plesner
- EU AI Act Transparency Obligations: Preparing for Compliance by 2 August 2026 - Lexology
- Part 1: AI Act Articles 50(1) and 50(2) Transparency Obligations. - WILLIAM FRY
- One Month to Go: EU AI Act Transparency Compliance
- The EU's AI Transparency Code of Practice, Explained | TechPolicy.Press
- Taking the EU AI Act to Practice Reading the Commissions Draft Article 50 Guidelines - Bird & Bird
- Draft of the guidelines on the implementation of the transparency obligations for certain AI systems under Article 50 of the AI Act | Shaping Europe’s digital future
- Consultation on the draft guidelines on transparency obligations under the AI Act | Shaping Europe’s digital future
- the-european-commission-issues-draft-guidelines-on-the-transparency-requirements-under-the-ai-act
- 10 Takeaways: European Commission Draft Guidelines on AI Transparency under the EU AI Act
- European Commission Publishes Draft Guidelines on Transparency Obligations under the EU AI Act[
- Taking the EU AI Act to Practice The Final Transparency Code of Practice - Bird & Bird
- Draft Guidelines on the implementation of the transparency obligations for certain AI systems - EvalCommunity Academy
- Article 50 of the EU AI Act: Transparency Obligations Explained
- GDPR and AI Act: Similarities, Differences, and Overlaps
- Article 50 AI Act: chatbot, deepfake and AI content labels
- AI Act – Article 50: transparency for chatbots and deepfakes by 2026 — Luxgap
- Navigating Article 50 of the EU AI Act - Sedicii
- EU AI Act Chatbot Compliance for E-Commerce - Qualimero
- AI Act Transparency: Article 50 and Deepfake Rules - Legalithm
- AI Act transparency obligations live 2 August | Zyphe
