AI shopping assistants: Legal requirements for online stores in Germany

Payments
Payments

Accept payments online, in person, and around the world with a payments solution built for any business – from scaling startups to global enterprises.

Learn more 
  1. Introduction
  2. Key takeaways
  3. What is an AI shopping assistant?
    1. How do AI shopping assistants work?
    2. Retailer AI shopping assistants
    3. Generic AI shopping assistants
  4. German and EU regulations on AI applications in ecommerce
    1. EU AI Act
    2. Electronic Commerce Directive
    3. Digital Services Act (DDG)
    4. Civil law regulations
  5. What data protection regulations apply to online stores that use AI?
    1. Lawful basis of processing
    2. Personalisation and profiling
    3. Data security and technical measures
  6. Who is responsible for automated purchase decisions?
    1. Online retailers
    2. Manufacturers and developers
    3. Liability for automated decisions
    4. Can the use of AI exclude retailers from liability?
  7. What are the requirements for consumer protection in online stores that use AI?
    1. Information requirements in online retail
    2. Ban on misleading commercial practices
    3. Transparency in AI recommendations
  8. What are the requirements for payment authorisation and AI-powered transactions?
    1. Legal basis for payment authorisation
    2. Payment application programming interfaces (APIs) for AI shopping assistants
    3. Control mechanisms and risk mitigation
    4. Agentic commerce
  9. FAQs on AI shopping assistants in Germany

Around two in three Germans use AI-powered chatbots or voice assistants at least once per week. For businesses, it’s important to note that many Germans use AI specifically to search for products and services.

That said, many customers still want the option to contact real people for assistance while online shopping, especially if complications arise. According to Bitkom—Germany’s central digital association—only 36% of shoppers want advice from chatbots when they encounter issues, such as missing order confirmations or late deliveries. This shows that chatbots with preconfigured responses frequently have limited usefulness.

AI shopping assistants could help with this issue. They offer more than the simple customer service functions of traditional chatbots and are creating new opportunities for online retail. In this article, we explain AI shopping assistants, including how they work and what legal regulations are enforced in Germany and the EU. We also explain who is responsible for AI-driven purchase decisions and what the requirements are in terms of consumer protection and automated payment authorisation.

Key takeaways

  • AI shopping assistants personalise online shopping and have significantly more capabilities than traditional chatbots.
  • The EU AI Act, General Data Protection Regulation (GDPR) ecommerce laws, and national German law contain comprehensive regulations on the use of AI shopping assistants.
  • Online stores must inform customers of AI-powered interactions and how they work by providing consistent and transparent information.
  • Responsibility for incorrect recommendations or purchases typically lies with the online retailer using the AI system.
  • AI-powered purchase and payment processes require clear legal and technical control mechanisms.

What is an AI shopping assistant?

An AI shopping assistant is an intelligent, context-aware agent that guides customers through the entire purchase process on a website or app. Unlike traditional chatbots—which are based on fixed scripts and static FAQs—AI assistants offer personalised recommendations, can prepare or perform actions, and provide post-purchase assistance.

How do AI shopping assistants work?

AI shopping assistants analyse customer behaviour in real time. They capture preferences, suggest suitable products, and answer questions during the shopping process. They also react to specific situations, instead of simply providing preconfigured responses.

However, they do more than just advise customers. They can also make product recommendations based on purchase history, support customers during checkout, and provide assistance after purchases.

Retailer AI shopping assistants

Online retailers in Germany can deploy AI shopping assistants directly on websites or apps. These assistants can learn from the retailer’s product catalogue, previous chats, customer reviews, and more. That means they can react to requests proactively, adapting to the specific context and engaging in dialogue, rather than sticking to rigid scripts.

AI shopping assistants also guide customers through different phases of the purchase process—from identifying what they want to buy to supporting them after their purchases. The goal is to make the shopping experience more personalised and efficient to strengthen customer loyalty and boost sales. They can also ease the workload on internal customer service teams.

Generic AI shopping assistants

It is important to draw a distinction between AI assistants deployed by specific retailers and generic assistants that customers use. Shoppers use generic assistants to search for offers across the entire web. While these assistants are attractive in theory, they also present challenges, such as reliability issues, payment security, and restricted access to many websites.

German and EU regulations on AI applications in ecommerce

The use of AI systems is heavily regulated. In addition to the existing rules under EU ecommerce law, AI must satisfy additional requirements under data protection law, German national law, and the EU AI Act.

EU AI Act

The primary pillar of AI regulation in the EU is Regulation EU 2024/1689, also known as the “EU AI Act.” This is the first-ever unified legal framework for AI systems in the EU. Work on the EU AI Act began in 2019. It was approved by EU member states in May 2024 and published in the Official Journal of the European Union on July 12, 2024.

According to Article 113, the AI Act will be enforced starting on August 2, 2026. However, certain chapters and sections have already been enacted—first on February 2, 2025 and then on August 2, 2025. However, the European Council and European Parliament agreed on an amendment to the EU AI Act in March 2026 that is intended to simplify some of the provisions and extend some deadlines.

The act takes a risk-based approach, differentiating prohibited AI practices, high-risk systems, and minimal-risk applications. One of the key provisions is Article 5, which lists prohibited AI practices. These include AI systems that use manipulative or deceptive techniques to cause customers to make decisions that cause significant harm to themselves or other persons.

In the context of online stores, this means that AI-powered shopping assistants must not deliberately manipulate customers or employ deceptive techniques to force them into decisions that they would not have made otherwise.

Electronic Commerce Directive

In addition to this new law, online retailers are also bound by EU ecommerce law. For example, German businesses are subject to the EU Electronic Commerce Directive (Directive 2000/31/EC). This is the basic legal framework for ecommerce in the EU. The directive contains regulations on the duties of digital service providers around information, transparency, and liability.

It was later supplemented by the Digital Services Act (EU Regulation 2022/2065), which establishes additional requirements for digital platforms.

Digital Services Act (DDG)

In Germany, EU ecommerce law is complemented by the DDG. The DDG adopted key regulations from the previous German Telemedia Act and contains regulations on provider identification, legal notices, and other responsibilities for digital service providers.

Civil law regulations

AI-powered business models can also be subject to general regulations of civil law in Germany. In particular, this includes the provisions on liability set out in the German Civil Code (BGB), such as for breach of duty (Section 280) and liability (Section 823). Customers can bring claims for damages if AI systems are deployed improperly or if they provide incorrect results.

What data protection regulations apply to online stores that use AI?

AI systems used in ecommerce regularly process personally identifiable information. Therefore, data protection regulations—in particular the General Data Protection Regulation (GDPR)—play a key role in the deployment of AI shopping assistants. Important data points include names, contact details, order histories, customer behaviour, location data, and individual customer preferences.

Lawful basis of processing

The GDPR only permits processing of personally identifiable information that is performed lawfully. One of the key lawful bases is processing conducted for the performance of a contract, according to Article 6 of the GDPR. Processing can also be based on legitimate interests.

In some cases, processing requires the explicit consent of the data subject. For example, explicit consent is necessary if personally identifiable information is being processed for the purposes of personalisation or tracking, and these purposes are not strictly necessary for the performance of a purchase contract.

Personalisation and profiling

With AI shopping assistants, the primary data protection concern is the personalised analysis of customer behaviour. Businesses that evaluate purchase histories, search queries, or click behaviour to generate individual product recommendations must observe the principles of data minimisation, purposefulness, and transparency. Customers must be clearly informed of what data is being processed and for what purpose.

The use of AI systems can also constitute profiling, according to Article 4, No. 4 of the GDPR. This applies to the automated evaluation of personal interests, preferences, and shopping habits. Businesses that conduct these kinds of analyses at scale can be subject to additional information requirements or required to conduct data protection impact assessments, according to Article 35 of the GDPR.

Data security and technical measures

Online retailers must ensure that personally identifiable information is adequately protected. Article 32 of the GDPR requires businesses to take appropriate technical and organisational measures to keep data safe. These measures include access restrictions, encryption, data deletion policies, and regular security audits of AI systems used.

Who is responsible for automated purchase decisions?

The use of AI shopping assistants raises the question of who is responsible for flawed recommendations, incorrect product information, or financial losses. In civil law, the general principle of liability based on areas of responsibility applies: It is not the AI itself that is liable, but the individuals or companies behind it.

Online retailers

In practice, online retailers that integrate AI shopping assistants into their stores are typically the primary parties responsible. They are customers’ contractual partners. Therefore, they must ensure that the systems operate lawfully and as intended. If incorrect recommendations result in damage, contractual liability under Section 280 of the BGB can apply, provided that the retailer has breached an obligation under the sales contract.

The retailer must also be held responsible for the behaviour of the system used. AI can be classified as “persons used to fulfil [the debtor’s] obligations,” within the meaning of Section 278 of the BGB. Therefore, errors made by the AI have the same legal consequences as errors made by the company itself.

Manufacturers and developers

In addition to the retailer, the manufacturer or developer of the AI system can also be liable. If damage results from a technical defect, product liability under the German Product Liability Act (ProdHaftG) can apply. The conditions are that a defective product was placed on the market and that this resulted in personal injury or property damage.

In addition, tort liability under Section 823 of the BGB can apply if duties of care were breached. This includes inadequate security or insufficient risk controls in the system design.

Liability for automated decisions

Liability is particularly complex in the case of fully automated purchasing decisions, such as when AI systems independently select products or place orders as part of agentic commerce. In such cases, the key legal principle is that responsibility lies with the system operator, as the operator initiates and controls the use of the AI.

Relevant provisions include Article 22 of the GDPR, which governs automated individual decision-making. When decisions are made that have a legal effect or significantly disadvantage customers, businesses are subject to special safety and information requirements. The customer in question might also have a right to human intervention.

Can the use of AI exclude retailers from liability?

In principle, EU law does not allow for liability to be fully excluded due to the use of AI. The GDPR and civil law do not allow responsibility to be assigned solely to an automated system. Therefore, even when using highly automated shopping assistants, companies remain legally responsible for their use, training, and outputs.

What are the requirements for consumer protection in online stores that use AI?

In addition to AI and data protection laws, AI shopping assistants are also subject to the regulations of EU consumer protection law. The aim is for customers to be able to access transparent information and make free and informed decisions, even during AI-powered purchase processes.

Information requirements in online retail

The information requirements under Article 5 of the European Electronic Commerce Directive and the Consumer Rights Directive 2011/83/EU are important. Online stores must provide key information—such as business identification, product price, product characteristics, and terms and conditions—in a clear and understandable manner.

With AI systems, recommendations and chat responses cannot replace these information requirements. An AI assistant can convey information, but it is still the legal responsibility of the store operator that this information is complete, understandable, and accessible.

Ban on misleading commercial practices

Articles 5 and 6 of Directive 2005/29/EC prohibit unfair commercial practices and misleading actions. The main issue for online stores that use AI is that recommendations, rankings, and price information must be guided by the interests of the store in a manner that is not manipulative or concealed. Customers must be able to identify automated presettings or prioritisations, if these have an impact on purchase behaviour.

Transparency in AI recommendations

Transparency also plays an important role. Article 50 of the EU AI Act—which establishes transparency requirements for certain AI systems—is particularly relevant for AI shopping assistants. According to this article, customers must generally be informed whenever they are interacting with an AI system. Therefore, online stores that use AI-powered chatbots or AI shopping assistants must make it clear to customers that they are no longer communicating with real people.

What are the requirements for payment authorisation and AI-powered transactions?

The use of AI shopping assistants means that purchase decisions are increasingly made by autonomous or semiautonomous systems and not by customers. This calls for a reexamination of the legal and technical safeguards around payment authorisation.

Payments in electronic commerce are subject to the provisions of the Payment Services Directive (PSD2) EU 2015/2366. According to Article 64 of the PSD2, every payment generally requires effective authorisation by the payer. However, this authorisation can also be given after the transaction has been executed. Consent to one or more payment transactions is given in the form agreed upon between the payer and payment service provider (PSP).

Consequently, AI shopping assistants cannot trigger legally binding payment transactions without sufficient authority. According to PSD2, these transactions must be authorised prior to or after the purchase.

Payment application programming interfaces (APIs) for AI shopping assistants

AI shopping assistants also require standardised APIs so they can securely interact with payment and store systems. PSPs such as Stripe provide APIs for this purpose.

Stripe Payments and Stripe Billing allow you to trigger and process transactions automatically. Stripe is also developing differentiated access controls that establish which products or payment methods an AI shopping assistant can use and which actions require additional confirmation.

Control mechanisms and risk mitigation

From a legal perspective, the interplay of payment law, contract law, and information technology (IT) security requires additional safeguards. These include the following:

  • Budget limits for automated purchases
  • Mandatory approval or confirmation for certain transactions
  • Limited scope and duration of authorisations
  • Options for the right of withdrawal or blocking of automated processes

These mechanisms implement the requirements for valid consent under PSD2, as well as the principles of data and payment security under Article 32 of the GDPR.

Agentic commerce

With agentic commerce, the role of the payment process is increasingly shifting from an active human action to a delegated, rules-based decision made by an AI system. However, the ultimate responsibility still lies with either the customer or the company that deploys the AI assistant.

FAQs on AI shopping assistants in Germany

Below, we provide answers to the most frequently asked questions about AI in personalised shopping and AI shopping assistants in Germany.

The content in this article is for general information and education purposes only and should not be construed as legal or tax advice. Stripe does not warrant or guarantee the accuracy, completeness, adequacy, or currency of the information in the article. You should seek the advice of a competent lawyer or accountant licensed to practise in your jurisdiction for advice on your particular situation.

More articles

  • Something went wrong. Please try again or contact support.

Ready to get started?

Create an account and start accepting payments – no contracts or banking details required. Or, contact us to design a custom package for your business.
Payments

Payments

Accept payments online, in person, and around the world with a payments solution built for any business.

Payments docs

Find a guide to integrate Stripe's payments APIs.