Of all the AI rules arriving, disclosure is the easiest to comply with and the easiest to get wrong by neglect. The obligation is intuitive: do not let a machine pass for a human, and do not let synthetic media pass for real. The failure mode is equally simple: a product that quietly lets users believe the character is a person, or that an image is a photograph, because nobody got around to saying otherwise.
This piece walks the main disclosure regimes, the synthetic-media angle, and a practical pattern you can ship. It is general information, not legal advice.
The principle behind all of it
Every disclosure rule rests on the same idea: informed interaction. A user who knows they are talking to AI behaves differently (and is protected differently) than one who has been led to believe there is a human on the other end. The law is not trying to stop you from building convincing bots. It is trying to stop you from being deceptive about it. Convincing is fine; covert is not.
You can build a bot that feels remarkably human. You cannot build one that lies about being human.
California's bot-disclosure rule
California pioneered the explicit version of this in the US. Its bot-disclosure law makes it unlawful to use an automated account to mislead people about its artificial nature in order to influence a commercial transaction or a vote, without clearly disclosing that it is a bot. The scope is narrower than people assume (it centres on commercial and electoral deception) but it established the template that later rules built on: disclosure must be clear, conspicuous, and reasonably designed to inform.
The EU AI Act's transparency duty
The EU AI Act generalises the principle into a broad transparency obligation. Where an AI system is intended to interact directly with people, those people must be informed that they are interacting with AI, unless it is obvious to a reasonable, reasonably observant user from the context. There are sensible carve-outs, but the default is disclosure. For most consumer chat products, "obvious from context" is a risky thing to rely on, so the safe path is to simply say it.
The Act pairs this with a duty around generated content: synthetic audio, image, and video must be marked as artificially generated or manipulated in a machine-readable way, so downstream systems and people can tell. That moves provenance from a nice-to-have into a design requirement.
Synthetic media and deepfakes
Disclosure law increasingly distinguishes conversation from content. Telling a user they are chatting with AI is one duty; labelling the media that AI produces is another. The content side has its own fast-moving rules, especially around two sensitive cases:
- Likeness and impersonation. Generating a real, identifiable person's face or voice without consent is increasingly restricted, with specific rules where it is used to deceive.
- Non-consensual intimate imagery. Synthetic intimate images of real people are a focus of new criminal and civil rules, with little tolerance and serious penalties.
The defensible posture for any generation product is twofold: mark what you produce as synthetic, and refuse to produce the categories that are off-limits in the first place. Provenance plus a hard refusal list, not one or the other.
Companion bots: disclosure with repetition
Companion and relationship chatbots draw an extra requirement: disclosure that does not just happen once at sign-up and then disappear. Because the entire point of a companion is to feel like a continuous, personal relationship, the risk of a user (especially a minor or someone vulnerable) losing track of the fact that it is software is higher. The emerging expectation is periodic reminders within the experience that the companion is AI. Awkward for the fantasy, perhaps, but it is becoming a legal line for this product class.
A practical disclosure pattern
You can satisfy the spirit and most of the letter of these rules with a layered approach. Each layer is cheap; the combination is robust.
- At entry. State plainly, in onboarding and on the interface, that the user is interacting with AI. Not buried in terms, on the screen.
- Persistently. Keep a lightweight, always-visible signal (a label, a badge) so the AI identity is never more than a glance away.
- Periodically, for companions. For relationship-style products, surface an occasional in-conversation reminder that the companion is not a person.
- On the content. Mark generated images and video as AI-created, ideally with machine-readable provenance, not just a visible note.
- Never impersonate. Don't let the bot claim to be a specific human, and don't generate real people's likenesses to deceive.
- Keep proof. Retain a record of what disclosures the user saw and when, so you can demonstrate compliance if challenged.
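The "Keep proof" and "Periodically, for companions" layers above can share one data structure. The following is an added example, not code from this article: an append-only disclosure ledger that also decides when a companion reminder is due. The hash chaining, the disclosure kind names, and the 30-minute interval are assumptions of this example; the article specifies none of them.

```python
import hashlib
import json

# Assumed cadence for companion reminders; the article gives no figure, so this
# value is a placeholder to be set by product and counsel.
REMINDER_INTERVAL_S = 30 * 60

# Disclosure layers from the list above (the names are this example's own).
KINDS = {"entry_notice", "persistent_badge", "chat_reminder", "content_label"}


def _digest(body: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class DisclosureLedger:
    """Append-only record of disclosures shown; each entry commits to the previous one."""

    def __init__(self):
        self.entries = []

    def record(self, user_id: str, kind: str, shown_at: int) -> dict:
        if kind not in KINDS:
            raise ValueError(f"unknown disclosure kind: {kind}")
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"user": user_id, "kind": kind, "shown_at": shown_at, "prev": prev}
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute each hash and link; False if an entry was edited, reordered or cut from the middle."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: e[k] for k in ("user", "kind", "shown_at", "prev")}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True

    def reminder_due(self, user_id: str, now: int) -> bool:
        """True when the user has had no in-conversation AI notice within the interval."""
        seen = [e["shown_at"] for e in self.entries
                if e["user"] == user_id and e["kind"] in ("entry_notice", "chat_reminder")]
        return not seen or now - max(seen) >= REMINDER_INTERVAL_S
```

A chain like this does not detect truncation of the most recent entries on its own; storing the latest hash somewhere the application cannot rewrite closes that gap.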
Why this is the easy one to get right
Compared with building age assurance or a moderation subsystem, disclosure is mostly copy, a badge, and a labelling step in your pipeline. The teams that get caught out are not the ones that found it hard; they are the ones that found it trivial and therefore never scheduled it. Treat it as a first-day product decision and it costs almost nothing. Treat it as a someday item and it becomes the easy violation a regulator or plaintiff points to first.
Frequently asked
Do I have to disclose if it's obvious it's a bot?
Some laws have an "obvious from context" carve-out, but relying on it is risky because what feels obvious to you may not be to a regulator or a vulnerable user. For consumer products the safe default is to disclose explicitly.
Is one disclosure at sign-up enough?
For many products, a clear entry disclosure plus a persistent on-screen signal is reasonable. For companion or relationship bots, expect to add periodic in-conversation reminders, which is becoming a specific requirement for that category.
What counts as labelling synthetic media?
A visible note that content is AI-generated helps, but the direction of the law (notably in the EU) is toward machine-readable provenance so other systems can detect it automatically. Plan for both a human-visible and a machine-readable signal.
Can I generate a real person's face if I label it?
Labelling does not cure consent. Generating an identifiable real person, and especially intimate imagery of one, raises separate and serious legal issues regardless of any "AI-generated" tag. The safe rule is to refuse those categories outright.
This article is general information, not legal advice. AI transparency and synthetic-media rules vary by jurisdiction and are evolving quickly; confirm the current requirements for your product with qualified counsel before relying on anything here.