AI Marketing Compliance Checklist 2026: 30 Points to Use AI Without Breaking the Law

Before You Start — Define Your Scope

Not all 30 points carry equal urgency for every business. Before running through the full list, answer three questions that determine where your actual risk sits: Do you have EU or UK clients, or do your ads reach EU/UK audiences? How much personal data do you process monthly? Are you using AI in chatbots, email automation, or ad creative generation?

Three questions to find your level:

• Do I target ads to — or receive organic traffic from — EU or UK audiences?
• Do I process email addresses, phone numbers, or behavioural data for more than 500 people per month?
• Do I use AI in chatbots, email automation, or ad creative production?

For the legal context behind each level — see the AI regulation overview. For data on how businesses are actually using AI — see the AI adoption statistics article.

Content Production — Points 1–5

These five points apply to every marketer regardless of scale. Content production with AI has the lowest barrier to entry — and the most grey zones: copyright, image rights, and disclosure obligations for EU audiences. For a detailed breakdown of AI content marking standards, see the article on C2PA and SynthID.

1. Does AI-generated content go through meaningful human editing before publication? The US Copyright Office Part 2 guidance (February 2025) confirmed that pure AI output is not copyrightable — sufficient human creative selection and arrangement is required. UK law (CDPA s.9(3)) grants 50-year protection to computer-generated works, but only where a human author made the arrangements. Without genuine human input, you do not own the result.
2. Do you have written consent from the real person if an AI image reproduces a recognisable face? Image rights apply across jurisdictions regardless of whether an image is AI-generated or photographed. In the EU, this is grounded in data protection and personality rights. In the UK, it derives from privacy and misuse of private information frameworks. “It’s AI, not a real photo” is not a defence — the likeness is what matters.
3. Do you know which AI tools in your stack automatically embed a C2PA (Content Credentials) signature in the output file? Adobe Firefly and DALL-E 3 sign automatically — Midjourney and Stable Diffusion do not. Not knowing the state of your own stack means you cannot confirm provenance, cannot close a compliance gap proactively, and cannot answer a client who asks. Detailed tool comparison: AI content marking article.
4. Are you ready to disclose AI-generated content to EU audiences from 2 August 2026? EU AI Act Article 50 obliges deployers — anyone using AI in a commercial context — to inform audiences when content is AI-generated. If your ads or content reaches any EU country, this applies to you. Penalties reach up to €15 million or 3% of global annual turnover, whichever is higher.
5. Does your prompt reproduce a specific protected work verbatim or near-verbatim? Style is not protected by copyright — specific text, melody, or design is. “Write in the style of X” is generally fine. “Reproduce the opening paragraph from book X” is infringement. The distinction is between inspiration and reproduction, and it is a line worth knowing before a client brief sends you across it.

Advertising — Points 6–10

Ad platforms have moved faster than regulators on several of these requirements. Meta has required disclosure of AI-generated elements in ad creatives since February 2025 — auto-marking from Meta’s own GenAI tools — and extended the disclosure requirement to all AI ad creatives in March 2026. TikTok has a separate toggle. Google has its own requirements for synthetic media in election and realistic AI-human ads. These are not theoretical risks: a flagged creative means a blocked account or stopped campaign.

1. Do you mark AI-generated elements in Meta Ads creatives? Meta requires “Made with AI” / “AI Info” labelling for realistically altered or fully AI-generated material. Meta auto-marks creatives from its own GenAI tools (since February 2025) and continues to expand this to broader AI ad creatives — check current policy before each campaign. Non-compliance risks ad rejection or account restriction.
2. Does your advertising contain deepfakes of real people without written consent? Deepfakes of real people without consent are explicitly prohibited by Meta, Google, and TikTok policy — and carry legal exposure under personality and image rights frameworks in the EU and UK. Account suspension and civil claims are both live risks, not hypotheticals.
3. For election ads or realistic AI-human creatives in Google Ads — are you adding the required disclosure? Google requires clear disclosure when ads contain synthetic images or voices of real people, particularly in sensitive categories. Google also requires IPTC DigitalSourceType TrainedAlgorithmicMedia metadata for AI-generated images. Missing this step can result in campaign suspension during a live flight.
4. Have you checked whether your stock image licence permits AI editing for commercial use? A number of standard stock licences — including some Getty and iStock tiers — do not permit AI transformation of the source file. Using an AI-edited version of a licensed image in a commercial campaign can constitute a licence breach, which is a separate issue from platform policy.
5. On TikTok, are you enabling the “AI-generated content” toggle for AI video or AI audio? TikTok auto-reads C2PA from some files and marks them automatically — but for content without C2PA metadata (Midjourney, ElevenLabs, and most audio tools), the responsibility for flagging sits with you. Failing to disclose leads to video removal; repeated violations affect account standing.

Client Data and AI Providers — Points 11–15

This is the most common blind spot for marketing freelancers. When you paste an email list or CRM data into a ChatGPT prompt, you are transferring personal data to a third party. Without a signed DPA (Data Processing Agreement — a contract defining how the processor handles data on your behalf), that transfer has no legal basis under GDPR, even if your intent was simply “write a personalised email”. Current guidance from the European Data Protection Board: edpb.europa.eu.

1. Do you have a signed DPA with OpenAI? OpenAI’s Data Processing Addendum is available self-serve for API, Team, and Business plan users. Free and Pro accounts do not have DPA coverage — which means they are non-compliant for processing EU personal data. This is a hard line, not a grey area.
2. Do you have a signed DPA with Anthropic? Anthropic’s DPA is available for the Claude Team plan and above through Commercial Terms. Free and Pro plans do not include a DPA — they don’t cover GDPR subprocessor requirements. If you use Claude.ai free for tasks involving client personal data, you are operating without a legal transfer basis.
3. Do you have the Google Cloud DPA active for Workspace or Vertex AI usage? The Google Cloud DPA must be activated through Admin Console under Legal and compliance — it is not automatic. Without this step, processing EU data through Google AI services formally lacks a legal subprocessor basis even if you have a standard Google Workspace subscription.
4. Do you anonymise or pseudonymise client personal data before passing it to an LLM? GDPR’s data minimisation principle (Article 5) requires that only data necessary for the task is transferred. For most content tasks, “client John, B2B segment, product category X” does the job — full name, phone number, and purchase history rarely add value to the prompt but substantially increase your risk exposure.
5. Is your subprocessor chain documented in your ROPA (Records of Processing Activities)? If you process data belonging to EU data subjects, you are required to maintain Records of Processing Activities and list all subprocessors — OpenAI, Anthropic, Google, ElevenLabs, and any other AI tool that touches personal data. Enterprise clients request this documentation with increasing regularity.

Not sure whether your current stack has all DPAs in place and your ROPA up to date? I run AI compliance audits in one day — message the bot: @adastra_assistant_bot

Chatbots and Automation — Points 16–20

A chatbot is an AI system within the meaning of the EU AI Act if it interacts with people in natural conversation. From 2 August 2026, the requirement to disclose AI interaction at first contact becomes mandatory for EU audiences. Separately, GDPR Article 22 governs automated decisions that produce legal or similarly significant effects on individuals — and this applies to AI-based lead scoring if it determines who gets served, offered a discount, or deprioritised.

1. Does your chatbot inform users at first contact that they are talking to an AI, not a human? EU AI Act Article 50 requires deployers of conversational AI systems to notify users — even if the bot sounds natural and human-like, the first message or a persistent footer must make the AI nature clear. This is mandatory from 2 August 2026 for EU-facing deployments.
2. Is there an active opt-in (not a pre-ticked box) before collecting email or phone through a bot form? GDPR requires freely given, specific, informed, and unambiguous consent. A pre-ticked checkbox or “by continuing this conversation you agree” formulation is not valid consent under GDPR. This applies to any EU-resident user regardless of where your business is registered.
3. Is every AI tool in your stack named in your privacy policy — with provider name and processing purpose? A privacy policy is a legal document, not a formality. If ChatGPT or Anthropic is not listed as a subprocessor with a described purpose, you are processing data without a transparent legal basis — even if you have a DPA signed. Both documents are required.
4. If AI automatically makes decisions with legal or significant effect on a person (rejection, pricing, access restriction) — is there a human review procedure? GDPR Article 22 applies to decisions with legal or similarly significant effect (credit, employment, insurance) — typical marketing lead scoring usually does not trigger it if scoring is recommendatory and a human approves. But if AI auto-rejects without human review, add a human review path to be on the safe side.
5. Do you store the minimum necessary data in your CRM and delete old contacts on a defined retention schedule? GDPR’s storage limitation principle (Article 5) prohibits keeping personal data longer than necessary for the original purpose. A CRM full of inactive contacts from 2020 with no documented retention basis is a compliance exposure — even if you never email them. Set a schedule and document it.

Email, AI Copyright, and Automation — Points 21–25

Email marketing is where personal data most commonly enters an LLM without the marketer realising what they have done. Pasting a subscriber list into a prompt to personalise a campaign sequence is a data transfer to a third-party subprocessor — without a DPA and without the data subjects’ awareness. For a broader look at AI automation for small businesses, see the AI automation article. For AI in e-commerce email flows, see the Shopify and ChatGPT article.

1. Do you have explicit consent for email marketing — not “they agreed to the Terms of Service at some point”? GDPR, CAN-SPAM, and CASL each require clear consent specifically for marketing communications. General ToS acceptance is not a valid legal basis for sending marketing emails. If your consent records cannot demonstrate opt-in to marketing, your email list has a legal basis problem — regardless of open rates.
2. Is every AI tool in your email workflow (generation, personalisation, subject line testing) documented in your privacy policy? Klaviyo AI, Mailchimp Content Optimizer, and similar tools are subprocessors in your email chain. Each must be named in your privacy policy with a described purpose. Adding a new AI feature to an existing platform is a change to your subprocessor list — it requires a privacy policy update, not just a click to enable.
3. Have you reviewed the GDPR compliance position of your email provider — Mailchimp, Klaviyo, Brevo — before enabling new AI features? Providers add AI features regularly: predictive sending, AI subject lines, send-time optimisation. Each new capability may add new subprocessors or change data transfer terms. Compliance review should happen at each significant platform update, not just at onboarding.
4. Are you passing real client personal data — names, emails, purchase history — into a ChatGPT or Claude prompt without anonymisation when generating emails? Even when the task is simply “write a personalised follow-up email,” a real name and real purchase data in the prompt constitute a personal data transfer to a subprocessor. Without a DPA and without a minimisation discipline, this is a GDPR breach on data minimisation grounds — regardless of how routine the task feels.
5. Is there a working unsubscribe link in every automated email — one that processes the request without manual intervention? A functional unsubscribe mechanism is a legal requirement under CAN-SPAM, CASL, and GDPR. “Email us to opt out” is not compliant — unsubscribes must be processed automatically and honoured within 10 business days at most. This is one of the easiest compliance failures to audit and one of the costliest to defend.

IP, Transparency, and Vendor Due Diligence — Points 26–30

This block covers the things most freelancers and small agencies ignore until the first dispute: client contracts, provider terms, and subcontractor vetting. If you subcontract AI work to another freelancer or agency, their compliance gaps become your liability — you remain the data controller and the party with the client relationship. For detailed guidance on AI content attribution and marking standards, see the C2PA and SynthID article.

1. Do your client contracts include a clause disclosing the use of AI tools in delivering the work? Without this clause, a client can challenge ownership of deliverables, dispute the basis of your fee, or raise copyright questions — particularly if they later discover the work involved AI generation. Disclosure protects both parties and removes ambiguity about who owns what. Adding a clear AI-use clause is a one-time contract update, not an ongoing cost.
2. Does your commercial use of AI outputs comply with the provider’s Terms of Service — for example, not training competing models on OpenAI output, and not using commercial voice clones under a non-commercial licence? Most LLM Terms of Service prohibit using outputs to train competing models. Several voice synthesis platforms carry non-commercial restrictions on specific licence tiers. Violations can result in account termination and licence claims. Reading the ToS once per provider per year is not excessive — platforms update them.
3. If registering IP in the US — are you disclosing AI-generated components in the copyright application? The US Copyright Office Part 2 guidance (February 2025) requires disclosure of AI-generated elements when registering copyright. Omitting this can invalidate the registration. In the UK, CDPA s.9(3) provides 50-year protection for computer-generated works. In both jurisdictions, transparency at registration is cleaner than a dispute after the fact.
4. Have you reviewed an AI provider’s compliance posture before adding them to a client stack — SOC 2, ISO 27001, subprocessors list, data residency? When an AI tool processes your clients’ data, you are responsible for vendor selection and must demonstrate due diligence. Enterprise clients ask for this documentation as part of vendor onboarding. Being able to point to a reviewed compliance posture is the difference between a smooth procurement conversation and a lost contract.
5. When subcontracting AI work to freelancers — do you verify that they have their own DPAs in place and understand the compliance requirements? Under GDPR, if you engage a subcontractor who transfers client personal data to an LLM without a DPA, you bear liability as the data controller — not them. Compliance in your supply chain is your responsibility to verify. A short pre-engagement checklist (three to five questions) closes this gap before it opens.

Quick Summary — 30 Points by Priority

You do not need to do everything at once. Here is the breakdown by urgency — from “do this today” to “review quarterly.”

Frequently Asked Questions

Disclaimer. This checklist is operational hygiene, not legal advice. Laws and their interpretations change: the final Code of Practice under EU AI Act Article 50 had not been published at the time of writing. For contracts, claim management, and situations with legal consequences, consult a lawyer specialising in IT, IP, or data protection. Legal context and jurisdiction overview in the AI regulation article.