EU AI Act Full Effect August 2: What Privacy Rules Change

What Takes Effect on August 2, 2026?

August 2, 2026 is the date on which the remaining general-purpose provisions of Regulation (EU) 2024/1689 become applicable to AI systems already on the EU market. The Act entered into force on August 1, 2024, and has proceeded through staggered deadlines: prohibited AI practices and AI literacy obligations applied from February 2, 2025; general-purpose AI (GPAI) model obligations applied from August 2, 2025; and the full transparency framework under Article 50 completes that sequence on August 2, 2026.

Critically, the August 2 applicability date is not limited to new products placed on the market after that date. Draft guidance published by the European Commission on May 8, 2026 confirms that all AI systems within the scope of Article 50 must comply irrespective of when they were first deployed. There is no legacy carve-out for systems built before the regulation took force.

What Does Article 50 Require?

Article 50 of the EU AI Act establishes four distinct transparency obligations that apply across a wide range of AI deployments — not only high-risk systems:

• AI interaction disclosure. Providers of AI systems designed to interact directly with natural persons must ensure those persons are informed they are communicating with an AI. The disclosure must occur at the point of contact, not buried in terms of service. An exception applies only where the AI nature of the interaction is obvious from context — interpreted narrowly.
• Emotion recognition and biometric categorization disclosure. Deployers of systems that analyze facial expressions, voice tone, physiological signals, or behavioral cues to infer emotional states must inform every person exposed to these systems that the processing is occurring. This obligation falls on the deployer, not only the provider.
• Deepfake and synthetic media disclosure. AI-generated or AI-manipulated images, video, and audio must be labeled as artificially generated. The label must be machine-readable, not only visible to the human eye.
• AI-generated text disclosure. AI-generated text published to inform the public on matters of public interest must be labeled as AI-generated. A narrow exemption covers text subject to human editorial review and responsibility.

One nuance from the AI Act Omnibus: generative AI systems already on the EU market before August 2, 2026 have until December 2, 2026 to meet the machine-readable marking requirement under Article 50(2), giving existing deployments a four month grace period on that specific sub-obligation.

What Was Deferred to December 2027?

The most operationally complex obligations — governing high-risk AI systems listed in Annex III — are not arriving on August 2. On May 7, 2026, negotiators from the Council, Parliament, and Commission reached a provisional political agreement on the Digital AI Omnibus, deferring these obligations by 16 months.

Gibson Dunn's analysis of the Omnibus agreement identifies the key deferral: standalone Annex III systems — including those used in biometric identification, education admission decisions, employment screening, access to credit, and critical infrastructure management — move from August 2, 2026 to December 2, 2027. AI embedded in regulated products under Annex I (medical devices, machinery, vehicles) moves further still, to August 2, 2028. What was not deferred: Article 5 prohibitions (already active since February 2025), GPAI model obligations (active since August 2025), and Article 50 transparency requirements due August 2.

How Do AI-Powered Email Tools Factor In?

This is where Article 50 becomes directly relevant to communication workflows that compliance teams may not have classified as AI deployments. AI tools that generate draft email replies, score leads based on message sentiment, analyze customer support conversations for emotional cues, or send automated outreach sequences on behalf of human senders are within scope.

A customer receiving an AI-drafted response through a company's support inbox is entitled to know they are interacting with an AI under Article 50(1). A customer support platform that runs sentiment or emotion scoring on incoming emails — detecting frustration, urgency, or satisfaction to route tickets — triggers the emotion recognition disclosure under Article 50(3). Contact center platforms that had classified emotion recognition as a peripheral feature may find that August 2 transforms it into a disclosure-bearing obligation overnight.

AI-generated marketing emails and newsletters may trigger the synthetic content labeling requirement under Article 50(4) where they address matters of public interest. Most B2B outreach sequences are unlikely to qualify — but companies blending AI-generated regulatory updates or public communications into their email programs should review the boundary carefully with legal counsel.

The Penalty Structure and Italy's Early Enforcement

The EU AI Act's Article 99 penalty framework establishes three tiers. Violations of prohibited AI practices under Article 5 carry up to €35 million or 7% of global annual turnover. Violations of Article 50 transparency obligations sit in the second tier: up to €15 million or 3% of global annual turnover. Providing incorrect information to regulators carries €7.5 million or 1%.

Italy moved first on national implementation. Law No. 132/2025, in force since October 2025, established administrative fines up to €774,685 for AI-related violations at the national level, with criminal liability for unlawful dissemination of AI-generated deepfakes (one to five years custodial). Italy's Garante has already demonstrated enforcement appetite by issuing a €15 million fine against OpenAI for GDPR deficiencies in personal data handling. This trajectory mirrors the GDPR enforcement curve after 2018 — slow initial ramp, followed by landmark cross-border cases. GDPR has now accumulated €7.1 billion in total fines as of 2026, and AI Act enforcement is expected to follow the same pattern.

The parallel EDPB crackdown on email transparency disclosures under GDPR signals the same direction: European regulators are synchronizing enforcement across data protection and AI law. August 2 is a convergence point, not an isolated deadline.

What Should Compliance Teams Do Before August 2?

Six concrete actions for the five-week window:

• Inventory AI-interactive touchpoints. Map every customer-facing or employee-facing interface where an AI system interacts with natural persons. This includes LLM-powered chatbots, generative email tools, sentiment analysis platforms, and automated outreach systems.
• Implement interaction disclosures. For each AI-interactive touchpoint in scope under Article 50(1), build a disclosure mechanism that appears at the start of the interaction. Disclosure must be prominent and timely, not buried in footer text.
• Audit emotion recognition and biometric categorization tools. Any platform analyzing text, audio, or behavioral data to infer emotional states must surface a disclosure to individuals being analyzed. This includes ticket routing systems and call center sentiment tools.
• Label synthetic content. Review outbound content workflows for AI-generated material requiring machine-readable labeling. Confirm whether vendor tools output content with C2PA or equivalent provenance markers.
• Request vendor compliance documentation. Deployers remain accountable if the tools they use are non-compliant. Request Article 50 compliance confirmation from AI vendors before August 2.
• Review GPAI model integration chains. If your products integrate GPAI model APIs (OpenAI, Anthropic, Google DeepMind, and equivalents), verify that your integration does not create downstream transparency gaps.

The ISACA State of Privacy 2026 report found that privacy teams are already stretched across simultaneous regulatory obligations. August 2 is a forcing function for building durable AI governance infrastructure — not a one-time disclosure patch. Organizations that treat it that way will be better positioned when the Annex III clock runs out in December 2027.