AboutBlogBusiness First AIFounder FreedomBook a conversation

When AI-generated content needs disclosure to clients

May 17, 2026
A person reviewing printed documents at a desk with a laptop open beside them
TL;DR

UK SMEs have no universal legal obligation to label every AI-generated output, but three circumstances create real disclosure duties: when AI processes personal data about clients, when content could reasonably be treated as professional advice, and when the format implies human authorship it does not have. A short internal AI policy specifying which outputs require disclosure is the cheapest governance step available and far less costly than defending a client dispute.

Key takeaways

- UK GDPR's transparency principle requires disclosure when AI processes personal data about clients or informs decisions with significant effects on them. - Professional liability does not shift to the AI tool: if a client relies on AI-drafted advice and suffers loss, the firm that sent it remains responsible. - AI-generated testimonials, reviews, or case studies presented as human-authored carry enforcement risk from the CMA and ASA under existing consumer protection law. - The CMA can impose fines of up to 10% of global annual turnover for serious consumer law breaches, including misleading AI-generated marketing content. - An internal AI policy specifying when disclosure is required typically takes a few days to draft and costs far less than defending even a minor client dispute.

A founder running a small professional services firm asked me a question I’ve been hearing more often: “We use AI to draft client reports and proposals. Do we need to tell them?”

The honest answer is that it depends on what those reports contain and how clients might use them. UK law currently has no universal rule requiring AI labels on every piece of content you produce. The obligations that do exist are anchored in data protection, consumer protection, and professional liability, and they apply unevenly depending on what you’re producing and for whom. Knowing exactly where the lines fall is more useful than a blanket yes or no.

What’s the actual choice here?

The choice is between a clear disclosure policy and treating AI as an unremarked operational tool. UK law does not currently mandate AI labels on every output, but specific circumstances create genuine obligations. Three things move content from the discretionary zone into something closer to a formal duty: the involvement of personal data, the risk of professional reliance, and the impression of human authorship where there isn’t any.

The regulatory terrain relevant to UK SMEs here centres on three bodies. The Information Commissioner’s Office sets expectations on data protection and transparency. The Competition and Markets Authority enforces consumer law and has signalled that misleading AI marketing will attract scrutiny under existing powers. The Advertising Standards Authority governs what counts as misleading in advertising and promotional content, including testimonials and endorsements.

None of these bodies requires you to add an AI disclaimer to every newsletter or client proposal. The regulatory concern across all three is accuracy, the transparency that data protection law already requires, and not making content look like something it isn’t. That framing is more useful than a blanket yes or no, because it tells you precisely which outputs need attention and which are fine as they are.

The Digital Markets, Competition and Consumers Act 2024 gave the CMA powers to fine businesses up to 10% of global annual turnover for serious consumer law breaches. Misleading AI-generated content sits within that territory when it is systematic and material.

When does disclosure become non-negotiable?

Three circumstances push the decision past discretion. First, when AI processes personal data about clients to profile them or inform decisions with significant effects. Second, when the output reads as professional advice that clients might act on financially or legally. Third, when the format signals human authorship, as with testimonials, bespoke reports, or case studies. In each case the regulator’s concern is reliance and deception, not the specific tool used.

UK GDPR’s transparency principle applies whenever personal data is processed by AI. If your firm uses AI to analyse client data, score accounts, or produce personalised recommendations, the ICO’s “Explaining decisions made with AI” guidance requires that clients know AI was involved, understand what it does, and know how a human has overseen the outcome. Individuals whose data is processed in this way have rights to explanation and to request human review under UK GDPR Articles 13-15 and 22.

The professional liability question is direct. Anderson Strathern’s briefing on AI-generated content notes that businesses remain fully responsible for any advice or analysis they send to clients, regardless of whether AI drafted it. If AI produces an inaccurate financial commentary and a client acts on it, the fact that a tool wrote the sentence does not shift the liability. Disclosure alongside documented human review is the practical protection.

For content that implies independent human authorship, the CMA’s foundation models report and the ASA’s influencer marketing rulings both signal that AI-generated testimonials, reviews, or client stories presented as real carry genuine enforcement risk. If a client would feel deceived to learn the content was AI-generated, disclosure is the safer path.

When is selective disclosure sufficient?

A large share of business content sits outside the high-risk categories. Blogs, newsletters, social posts, proposal boilerplate, and internal drafts typically involve no personal data and carry no professional reliance risk. UK law does not currently require AI labels on these. The practical question shifts from legal obligation to client expectation: what would a reasonable client assume, and what does your reputation for honesty require of you?

Many founders adopt a general statement approach for this type of content. A note in your website footer, a line in your standard terms, or a brief AI use policy on your services page stating that you use AI in producing some written material typically covers the expectation without tagging every piece. The RAi UK transparency toolkit describes this as proportionate for low-risk outputs: honest at the policy level, not exhaustive at the instance level.

Internal AI drafts of proposals or team communications don’t trigger disclosure duties under current UK law unless they contain personal data. Labelling them “AI-assisted draft” as a matter of internal practice is useful for a different reason: it signals to colleagues that the document needs a proper human review pass before it goes anywhere near a client.

Design assets and illustrations carry IP ownership and licensing considerations rather than deception risks in typical use, and a general policy statement handles those adequately.

What does it cost to get this wrong?

The cost of under-disclosing sits in three areas: regulatory fines, contract liability from a client who relied on inaccurate AI-generated content, and reputational damage when clients discover AI use that was never mentioned. All three are concrete risks for a firm of any size. The first two have specific numbers attached, which makes the calculation easier to run than many founders expect.

The ICO can fine up to £17.5 million or 4% of global annual turnover for serious data protection failures, including transparency violations. The CMA’s powers under the Digital Markets, Competition and Consumers Act reach 10% of global annual turnover for serious consumer law breaches involving misleading content. Neither outcome is the typical result for a small firm acting in good faith, but both numbers clarify what regulators consider proportionate when something goes wrong.

At the contract level, UK legal commentary points out that standard B2B agreements often cap liability at 100% to 150% of annual fees. For a professional services firm with a client on £500,000 in annual fees, a misrepresentation claim arising from AI-generated advice that a client relied on can easily exceed the firm’s annual profit on that relationship.

Drafting an internal AI policy with legal review typically takes a few days and a modest legal fee. A small firm defending even a minor client dispute in a professional negligence context will spend considerably more before it reaches any resolution.

What to ask before you decide

Five questions that work as a practical gate before any AI-assisted content goes to a client. They aren’t a substitute for legal advice, but they convert a vague anxiety about disclosure into a specific decision with a defensible rationale. If any of the five lands in the yes column, treat disclosure as the working default rather than the exception to argue your way out of.

Does this output involve personal data about an identifiable client or individual? If yes, UK GDPR transparency duties are likely engaged and a clear explanation of AI involvement is the practical response.

Will the client reasonably rely on this to make a financial, legal, health, or significant business decision? If yes, treat it as advice, disclose the AI assistance, and document the human review steps you applied before sending.

Would a reasonable client feel misled if they found out AI had generated all or most of this? Testimonials, bespoke analysis, and reports prepared specifically for that client sit firmly in this zone.

Is the client in a regulated sector? Finance, health, and public sector clients face stricter governance expectations and are more likely to ask about AI use directly. Being prepared with an honest, considered answer matters.

What do your contract and internal AI policy say? If both are silent, that is the gap to close. A short policy specifying which outputs require disclosure, what a human review step looks like, and who signs off is the cheapest governance investment available to a professional services firm. If you’d like to think through what that policy needs to cover for your particular firm, Book a conversation.

Sources

- ICO & The Alan Turing Institute (2023). Explaining decisions made with AI. ICO guidance setting transparency and explanation requirements for AI-assisted decisions affecting individuals, including rights to human review. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/explaining-decisions-made-with-artificial-intelligence - ICO (2023). Rights related to automated decision-making including profiling. UK GDPR guidance on Articles 13-15 and 22, covering when organisations must disclose and explain automated decisions with significant effects. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/rights-related-to-automated-decision-making-including-profiling - CMA (2023). AI foundation models: initial report. Warns that generative AI used to produce deceptive content, fake reviews, or misleading marketing will attract CMA enforcement under existing consumer protection powers. https://www.gov.uk/government/publications/ai-foundation-models-initial-report - UK Government (2024). Digital Markets, Competition and Consumers Act 2024. Sets out CMA powers to fine businesses up to 10% of global turnover for serious consumer law breaches, including misleading AI-generated marketing. https://www.gov.uk/government/publications/digital-markets-competition-and-consumers-act-2024 - Anderson Strathern (2024). AI-generated content: the hidden legal dangers for SMEs. Notes that businesses remain fully liable for any advice they present regardless of whether AI drafted it, and flags hallucination risks in professional outputs. https://www.andersonstrathern.co.uk/insights/ai-generated-content-the-hidden-legal-dangers-for-smes/ - ASA (2023). Influencer marketing: our year in review. Rulings confirming that undisclosed promotional content is misleading; principles extend directly to AI-generated testimonials and endorsements. https://www.asa.org.uk/news/influencer-marketing-our-year-in-review.html - RAi UK (2025). AI Transparency for SMEs. Practical toolkit recommending proportionate disclosure labels for client-facing AI tools and policy language, noting EU AI Act obligations for UK SMEs with EU customers. https://rai.ac.uk/wp-content/uploads/2025/02/Transparency-toolkit-Report-2.1.pdf - LawyerLink (2024). AI and your contracts: 10 essential clauses every UK SME needs. Covers disclosure obligations, IP assignment for AI outputs, and contract warranty requirements for AI-related claims. https://lawyerlink.co/blog/ai-contracts-10-essential-clauses-every-sme-needs - ICO (2024). FAQs on the data protection fines. Sets out ICO penalty powers: up to £17.5 million or 4% of global annual turnover for serious data protection failures including transparency violations. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/enforcement/faqs-on-the-data-protection-fines/ - UK Government (2018). Data Protection Act 2018. Primary legislation embedding the transparency principle and individuals' rights in relation to automated processing, including by AI systems. https://www.legislation.gov.uk/ukpga/2018/12/contents

Frequently asked questions

Do I legally have to tell clients when I use AI to write their reports?

UK law has no universal rule requiring you to label every AI-generated output. Specific obligations apply in defined circumstances: if the report processes personal data or informs a significant decision about the client, UK GDPR transparency duties are engaged. If content implies human authorship it does not have, CMA and ASA standards on misleading content apply. Outside these categories, disclosure is good practice rather than a legal requirement.

What happens if AI-generated advice in a client deliverable turns out to be wrong?

Professional liability stays with the firm, not the tool that drafted the content. Anderson Strathern's AI legal risk briefing notes that businesses are fully responsible to clients for any advice or analysis they present, regardless of how it was produced. If a client suffers loss from acting on inaccurate AI-generated content and the firm neither disclosed AI involvement nor applied adequate human review, negligence and misrepresentation claims become considerably stronger.

Can a general AI disclaimer on my website cover all disclosure obligations?

A general policy statement handles routine marketing content and design assets reasonably well. It does not satisfy obligations where personal data is processed, where content constitutes professional advice, or where the format actively implies human authorship, such as testimonials or bespoke reports prepared specifically for that client. Those circumstances need explicit disclosure at or before delivery, not a policy buried in a website footer.

Written by Dr Dave Heath, AI consultant and business strategist.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.

Ready to talk it through?

Book a free 30 minute conversation. No pitch, no pressure, just a useful chat about where AI fits in your business.

Book a conversation

Related reading

A business professional sitting at a desk reviewing documents on a laptop, with client folders stacked to one side

How to stop staff using ChatGPT with client and confidential data

Your team's ChatGPT habit is likely moving client data outside your legal control, and this post covers the UK GDPR obligations, practical policy, and safer alternatives to get ahead of it.

A business owner looking at documents on a meeting room table with a laptop open beside them

Does your business actually need formal AI governance?

A decision guide for owner-managed businesses on when formal AI governance is genuinely required and when lighter controls are adequate.

Person reviewing a printed document at a wooden desk with a pen, natural light from a window

UK AI copyright rules explained for business owners

What UK copyright law actually says about AI tools and outputs, and where owner-managed businesses carry the real risk.

If any of this sounds familiar, let's talk.

The next step is a conversation. No pitch, no pressure. Just an honest discussion about where you are and whether I can help.

Book a conversation
AboutBlogBusiness First AIFounder FreedomContactBook a conversation
Privacy PolicyTermsCookie Policy

© 2026 Larocca Consulting Ltd