A customer came to Air Canada’s website after a bereavement, asked the chatbot about reduced fares for urgent travel, and received a confident answer. The answer was wrong. When the airline was challenged, Air Canada’s position was that the chatbot was a separate legal entity and the airline bore no responsibility for its output. In February 2024, a British Columbia Civil Resolution Tribunal rejected that argument and required Air Canada to honour the fare the bot had described.
That ruling is Canadian law, not British. But the principle it illustrates, that a company deploying a customer-facing chatbot is responsible for what that chatbot tells customers, maps closely onto how UK consumer law treats commercial communications. For owner-managed service firms here, knowing where the liability sits before a problem arrives is the practical starting point.
What does chatbot liability actually mean in UK law?
Under UK consumer law, a business is responsible for the commercial communications it deploys to customers. A chatbot on your website or in your booking flow is treated as your firm’s own statement, not as a third-party opinion. If it gives false or misleading information about price, cancellation rights, or service scope, and a customer relies on that answer and suffers a loss, the liability sits with your firm.
The two most relevant legal frameworks are the Consumer Protection from Unfair Trading Regulations 2008 and, for conduct from April 2025, the Digital Markets, Competition and Consumers Act 2024. The CMA’s published guidance on the DMCCA makes clear that misleading actions or omissions affecting a consumer’s transactional decision can be unlawful, regardless of whether a person or a machine generated the words. Chatbot output is not exempt from that analysis.
The Consumer Protection Act 1987 product liability regime applies to defects in tangible goods, not to service-delivered information, so wrong chatbot answers typically route through consumer law and misrepresentation principles instead. Legal commentary from Ashurst on software and the 1987 Act confirms this. The practical effect for a firm owner is the same either way: if your chatbot said it, your firm is being held to it.
Why does this matter for a firm of 5 to 50 people?
Larger firms have legal teams, compliance functions, and people whose job is to check what any customer-facing system says before it goes live. Smaller firms typically have none of those. A founder running a 20-person professional services practice is just as exposed under consumer law if the chatbot makes a wrong promise to a customer, but has far fewer resources to catch the error before it becomes a complaint.
The exposure is practical rather than theoretical. If your booking or enquiry chatbot states your cancellation policy incorrectly and a customer loses money as a result, you have a complaint and potentially a legal claim. If the bot is part of a pricing or subscription flow and misrepresents what a customer will be charged, the DMCCA 2024 framework applies from April 2025. These situations do not require sophisticated AI deployments to produce. Off-the-shelf chatbot tools, lightly configured, generate the same legal exposure as bespoke systems. The risk scales with the chatbot’s scope, not with the firm’s size.
Where do these situations actually arise in practice?
Customer-facing chatbots create the sharpest legal exposure when they are given too much scope to answer. The risk concentrates around areas where a wrong answer directly drives a financial or contractual decision: price queries, refund and cancellation terms, eligibility for a service, and the specifics of what an agreement includes. A chatbot answering those questions with the confidence of a company representative is operating in the zone where consumer law looks most carefully.
In a typical service business, the live danger zones are pricing and quote generation, cancellation and refund policy, explaining service scope and limitations, and anything related to subscriptions or renewal terms. Lower-risk territory includes bots scoped to appointment booking, internal triage, and routing customers to the right team member, where no binding commitment or factual misrepresentation is likely to follow.
The NCSC has highlighted prompt injection as a real risk for AI systems, where an external input manipulates a chatbot into producing outputs it was never configured to give. For a small firm, this matters because even a correctly configured bot can give a wrong or harmful answer if its prompt boundaries are weak. Regular testing, prompt restrictions, and conversation logs are not optional once the bot is handling customer queries.
When does liability stick, and when does it fall away?
Liability is hardest to escape when a customer can demonstrate they relied on the chatbot’s answer and that reliance caused a real loss. The risk is highest when the bot presented its output as authoritative or specific to the customer’s situation, when the question concerned something financially or legally significant, and when the customer had no obvious reason to question what the bot said.
Liability is less likely to stick when the chatbot is clearly framed as non-binding, when anything with contractual weight is reviewed by a human before anyone acts on it, and when the escalation route to a person is visible and well-used. A disclaimer alone cannot contract out of liability for a genuinely misleading statement under consumer law, but a restricted scope, a visible escalation path, and logs showing the bot could not authorise anything beyond what it was set up to do all change the picture in practice.
The CMA’s DMCCA guidance is useful here. The framework asks whether a commercial practice affected a consumer’s transactional decision. A chatbot scoped to low-stakes triage, with clear signals that it cannot confirm prices or authorise refunds, sits in materially lower-risk territory than one answering definitively about rights and charges.
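One way to enforce the restricted scope, escalation route and logging described above, as an added example that is not taken from any vendor or from the sources this article cites. The topic patterns, function names and escalation wording are assumptions, and keyword matching stands in for whatever classifier a real deployment would use.

```python
import json
import re
from datetime import datetime, timezone

# High-risk topics named in the article; the regex patterns are illustrative assumptions.
HIGH_RISK = {
    "pricing": re.compile(r"\b(?:pric(?:e|es|ing)|quotes?|costs?|fees?|charg(?:e|es|ed)|discounts?)\b", re.I),
    "refund_cancellation": re.compile(r"\b(?:refund|cancel)\w*", re.I),
    "subscription_renewal": re.compile(r"\b(?:subscription|renew)\w*", re.I),
    "service_scope": re.compile(r"\b(?:included|covers?|covered|eligib\w+|entitled|guarantee\w*)\b", re.I),
}
ESCALATION_REPLY = (
    "I can't confirm that in chat. I've passed your question to a member "
    "of our team, who will reply to you directly."
)

def flagged_topics(text):
    """Return the sorted names of high-risk topics that appear in text."""
    return sorted(name for name, pattern in HIGH_RISK.items() if pattern.search(text))

def gate(user_msg, draft_reply, audit_log):
    """Send the draft only if neither side of the exchange touches a high-risk topic."""
    # Checking the draft as well as the question catches a bot that volunteers
    # a commitment nobody asked for, whatever caused it to do so.
    topics = sorted(set(flagged_topics(user_msg)) | set(flagged_topics(draft_reply)))
    action = "escalate" if topics else "send"
    sent = ESCALATION_REPLY if topics else draft_reply
    audit_log.append(json.dumps({
        "time": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "topics": topics,
        "sent": sent,  # what the customer actually saw
    }))
    return sent

def demo():
    """Run three constructed exchanges and return the logged actions."""
    log = []
    gate("Can I book an appointment for Tuesday?", "Yes, Tuesday at 10am is free.", log)
    gate("What is your cancellation policy?", "You can cancel any time.", log)
    gate("Can you help with my booking?", "Sure, and you'll get a full refund.", log)
    return [json.loads(line)["action"] for line in log]

if __name__ == "__main__":
    print(demo())
```

The log records only what the customer was shown and why, so it can evidence that the bot never issued a commitment on a gated topic without storing the customer's own message.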
What other legal areas overlap with chatbot liability?
Consumer law is the most direct concern, but it is not the only regime that applies to a customer-facing chatbot. Depending on what the bot processes and what the firm does, three further areas become relevant: data protection under the UK GDPR, financial conduct rules if the firm is FCA-authorised, and the EU AI Act if the firm serves EU customers.
The ICO’s 2024 AI guidance for organisations makes clear that businesses remain responsible for data protection compliance when using AI tools. If a chatbot processes personal data, whether in conversation logs, in the prompts it receives, or in the responses it generates, the firm needs a lawful basis, must minimise the data it handles, and should have a clear approach to how conversation data is retained and who can access it. A chatbot that stores sensitive customer information without a clear legal basis has created a data protection problem alongside any consumer law exposure.
For FCA-authorised firms, chatbot answers about financial products or insurance can amount to regulated communications. The FCA has flagged AI governance and consumer outcomes as active areas of concern where AI is used in regulated activities. For firms with EU customers, the EU AI Act, adopted in 2024, introduces transparency requirements and a risk-classification framework that may affect how certain chatbot deployments must be governed and disclosed in EU-facing contexts. The practical starting point for any owner-managed firm is a clear question before deployment: which of these regimes applies to us, and which compliance requirements fall to the firm rather than the vendor?



