The EU AI Act and synthetic product video: who has to label AI-generated content, and when
If you ship AI-generated or AI-manipulated product video and imagery into the EU, the AI Act's transparency rules can require a machine-readable disclosure label. Here is who it applies to, what a compliant label looks like, and a practical checklist.
Last quarter a DTC brand's new "synthetic studio" shipped fast: dozens of AI-generated ad variants, AI try-on clips, a few hero shots where a model who never existed wore a coat that does. The numbers were good. Then a compliance email landed asking which of those assets carried an AI-disclosure label under the EU AI Act. The honest answer was none, because almost nobody on the team had read the clause.
The EU AI Act is the European Union's horizontal law on artificial intelligence, and one slice of it is a transparency rule: when content is artificially generated or manipulated, people generally need to be told. For ecommerce that means AI-generated or AI-edited product video and imagery (including deepfake-style synthetic media) can carry a disclosure obligation when you sell into the EU, regardless of where your company sits.
Plainly: the law splits the duty between the AI system provider (whose model marks its output as machine-generated) and the deployer (you, the brand, who must disclose synthetic content to the audience). Marketing assets you generate and publish are deployer territory. This is general information, not legal advice (see the warning below), but the shape of the obligation is what catches teams off guard.
- EU member states covered by one regulation (European Commission, EU AI Act overview)
- Tiered: AI Act enforcement penalties scale by violation class (European Parliament, AI Act summary; figures vary by article; confirm current text)
- People worry about being unable to tell real from AI-made content (representative of Edelman Trust Barometer themes on AI trust; confirm latest wave)
- Global: extraterritorial reach where output is used in the EU (European Commission, AI Act scope guidance)
What does the EU AI Act actually say about AI-generated content?
The transparency obligations live mainly in Article 50. The thrust is that synthetic content should be detectable and, in many cases, disclosed. Providers of generative systems are expected to mark outputs in a machine-readable way so they can be flagged as artificially generated or manipulated, where that is technically feasible. Deployers who produce deepfakes (image, audio, or video content that resembles real people, objects, places, or events and would falsely appear authentic) generally have to disclose that the content has been artificially generated or manipulated.
For a brand running a synthetic-video studio, the practical reading is: if an asset looks like a real recording of a real thing but isn't, lean toward disclosure. An AI-generated "model" wearing your product, a face swap, a scene that never happened, an AI voice reading a script: these are the cases the rule was written for. There are nuances for clearly artistic or obviously fictional work, but "the customer could reasonably think this is a genuine photo or video" is the trigger most ecommerce content fails to consider.
Who does it apply to: providers, deployers, and brands selling into the EU
The Act separates roles, and a single company can wear more than one hat. The model vendor is usually the provider. The brand publishing the output is usually the deployer. If you fine-tune or build your own generation pipeline you may take on provider-style duties too. The reach is extraterritorial: a US or UK brand whose AI-generated ad is shown to shoppers in the EU is in scope, the same way a non-EU site still has to respect EU data rules when EU users arrive.
- Provider duty: mark generated output as machine-detectable (e.g. embedded provenance signals), where technically feasible and proportionate.
- Deployer duty: disclose to people when content they see is an artificially generated or manipulated deepfake, in a clear and timely way.
- Brand-as-both: if you train or substantially adapt a generation model in-house, expect to shoulder provider-side marking obligations as well.
- Geographic test: it is about where the content is used and who sees it, not only where your servers or HQ live.
Does my content need an AI-disclosure label?
Start here: Is the asset AI-generated or AI-manipulated?
- No AI involved (genuine camera footage, real customer UGC): No AI-disclosure label needed under Article 50. Authentic recordings and genuine user content do not trigger the synthetic-media rule. Normal advertising and consent rules still apply, and creator-permission rules still apply to UGC.
  - But you AI-retouched it materially: Treat as manipulated: lean toward disclosure if it could mislead.
- Yes, and it depicts a real-seeming person/place/event that is not real: Likely a deepfake: disclose. AI models who look real, face swaps, fabricated scenes, AI voices: these are the core deployer-disclosure cases. Add a clear label and machine-readable provenance.
  - Reaches EU shoppers: In scope regardless of where you are based.
  - Clearly artistic/satirical: Narrower duty may apply, but be cautious in a sales context.
- Yes, but obviously synthetic/stylised (clearly not a real photo): Lower risk, still mark provenance. Obvious CGI or stylised generation is less likely to mislead, but embedding provenance metadata is cheap insurance and good practice for downstream AI engines.
  - Used as a product hero/try-on: Shoppers may read it as real: disclose to be safe.
Content type to obligation: a quick mapping
| Content type | Typical role | Likely obligation | Suggested label |
|---|---|---|---|
| Genuine customer UGC video | Deployer | No synthetic-media disclosure (consent/rights still apply) | None required for AI; keep rights record |
| AI-generated model wearing product | Deployer (+ provider if self-trained) | Disclose as artificially generated | Visible "AI-generated" + provenance metadata |
| AI face/voice swap of a real person | Deployer | Deepfake disclosure | Prominent "AI-manipulated" notice + provenance |
| AI background/scene replacement | Deployer | Disclose if it could mislead as real | Contextual notice + provenance |
| Light AI retouch (colour, blemish) | Deployer | Often lower risk; assess materiality | Optional notice; keep edit log |
| Fully synthetic product render (obvious CGI) | Provider/Deployer | Lower mislead risk; mark provenance | Provenance metadata; label if ambiguous |
When does this take effect, and what about penalties?
The AI Act applies in staggered phases rather than all at once, with different obligations switching on at different milestones after it entered into force. The transparency duties for generated content are part of that phased rollout. Rather than quote a date that may be superseded by guidance or delegated acts, treat the timeline as "as phased in" and check the current European Commission milestone before you set an internal deadline. Penalties are tiered by the severity of the violation; the exact figures are set out in the Act and are best confirmed against the text in force rather than memory.
What does a compliant AI-disclosure label look like?
A label that survives a copy-paste is worth more than one that does not. The strongest pattern pairs a human-visible disclosure (a clear notice a shopper can read or hear) with machine-readable provenance that travels with the file. Content provenance standards such as C2PA give you a way to embed tamper-evident metadata, so the "this is AI-generated" signal does not vanish the moment a CMS re-encodes the video. A caption alone is fragile; provenance metadata plus a visible notice is the durable version.
A synthetic-media compliance workflow
- 01 Classify at generation (at source): Tag every asset at creation: real, AI-generated, or AI-manipulated. The studio output, not a spreadsheet, is the source of truth.
- 02 Capture provenance (per asset): Embed machine-readable provenance (e.g. C2PA-style metadata) and your internal generation log: model, prompt lineage, editor.
- 03 Apply the disclosure (pre-publish): Attach a visible/audible notice for deepfake-class content and keep the provenance signal through publishing.
- 04 Record consent + rights (linked): For any real person or licensed input, store the consent and rights evidence alongside the asset's audit trail.
- 05 Audit + re-check (ongoing): Re-verify before EU campaigns and when the law phases in new duties. Keep the trail queryable.
How this interacts with FTC endorsement rules
EU transparency and US advertising law are different regimes that point the same direction: do not deceive. The FTC's Endorsement Guides and its rule on fake reviews and testimonials make it unlawful to fabricate endorsements or misrepresent that content reflects a real user's experience. An AI-generated "happy customer" testimonial can be a problem on both sides of the Atlantic: a synthetic-media disclosure gap in the EU, and a deceptive-endorsement problem in the US. If you publish globally, design to the stricter of the two.
The cheapest compliance is provenance you never have to reconstruct: label at the moment of generation, not in a panic before a campaign.
Rohin Aggarwal, Co-founder, Idukki.io
Where Idukki fits: provenance, consent, and disclosure metadata
Idukki's job is to keep the audit trail intact across two very different content streams: genuine UGC you collect from social and review sources, and synthetic video you generate. For real content, Rights Management automates the consent request and stores the permission and provenance record, so you can prove who allowed what and when (see our UGC rights and permissions guide). For synthetic content, the same audit-trail discipline lets you attach and carry disclosure metadata through to publish.
The synthetic-video feature and genuine UGC are not rivals; they are different evidence with different rules. We have written about the trade-offs in generative AI imagery vs real UGC. The point of governance tooling is that whichever you ship, the disclosure status and consent record ride along with the asset rather than living in someone's memory.
Disclosure that travels with the asset (example: AI-generated try-on)
- 1 Visible notice: Clear "AI-generated" tag a shopper can read
- 2 Provenance: C2PA-style metadata embedded in the file
- 3 Audit trail: Generation log + rights record linked
Sources
- 1. EU AI Act, full official text (Regulation (EU) 2024/1689): Transparency obligations, Article 50
- 2. European Commission, AI Act overview and timeline: Scope, roles, phased application
- 3. FTC Endorsement Guides: US advertising and endorsement rules
- 4. FTC rule on fake reviews and testimonials: Prohibits fabricated endorsements
- 5. C2PA content provenance standard: Machine-readable provenance for media
- 6. Edelman Trust Barometer: Public trust and AI themes