What the EU AI Act means for individuals, not just enterprises

The EU AI Act enters main enforcement in August 2026.

Most coverage so far has been written for compliance teams at large enterprises. Reasonable, given that the largest fines and most complex obligations land there.

But the Act also changes what individuals using AI products day-to-day can expect from them.

Fewer guides exist for that audience.

This is one.

UK readers, the same logic largely applies. The UK has not adopted the AI Act directly. UK companies serving EU users must comply. And the UK's own AI regulation is converging toward similar transparency principles.

Four obligations are most likely to surface in tools you already use.

Obligation one: transparency about being AI

Article 50 requires that AI systems interacting with people make clear they are AI.

The user must know they are talking to a model. Not a person.

This sounds obvious. The applications are not.

It covers chatbots. Automated customer service agents. AI writing assistants embedded in tools. AI features in social apps.

Anywhere the function might pass as human, disclosure is required.

Watch for products quietly removing the "I'm an AI" label or burying it. That is now a regulatory issue. Not just a polish issue.

If you find yourself unsure whether you are talking to a person or a model, that itself is a sign the product is not where it should be.

Obligation two: explanation of AI decisions that affect you

Article 86 gives individuals the right to explanation for AI decisions that significantly affect them.

Initially aimed at high-risk AI systems (employment, credit, education, justice).

The principle is spreading.

Tools that make recommendations affecting your finances, your health, or your work are under increasing pressure to explain how they reached the answer.

Look for products that surface the basis of their suggestions, not just the suggestions.

When a product tells you "we recommend X" and you cannot find out why, that is a gap you can ask about.

In 2026 the answer "the AI just decided" is not acceptable.

In 2027 it will be regulatory non-compliance.

Obligation three: clearer consent for personal data use

The AI Act layers on top of GDPR.

The combination means consent must be granular. And informed.

Bundled consent ("I agree to everything in the terms") is increasingly indefensible.

Products that use your data for multiple purposes need separate consents for each.

This is appearing in tools where individual data flows through:

Model training.

Behavioural personalisation.

Third-party sharing.

Each one now needs its own opt-in.

The next time you sign up for an AI product, watch how the consent is structured.

If you tick one box that authorises five things, the product is behind the regulation. Some products will fix this. Some will not. The ones that do not will start to feel uncomfortable to use over the next twelve months.

Obligation four: limits on biometric and emotional inference

The Act prohibits some categories of AI outright.

Including emotion recognition in workplace and educational contexts. And certain biometric categorisation systems.

This is more relevant than it sounds.

Some popular AI products in 2026 use voice or video analysis for "tone coaching", "engagement scoring", or "personality assessment".

The legal status of these features is now constrained.

If your employer or your child's school is using a tool that scores emotional state or engagement from video or voice, that tool is now in regulatory territory.

The right question is not "is this allowed" but "what is the legal basis the provider is relying on".

If they cannot answer, that is the answer.

What to look for in a vendor's trust page

A good trust page should answer three things in plain English.

Are you AI Act compliant, or pursuing readiness, or out of scope, and which?

Where does my data live and which legal regime applies?

What is your formal position on training, consent, and explanation?

If a vendor's trust page does not answer these clearly, that is itself a signal. About how they are approaching the Act.

The companies that are taking the Act seriously have been working on these answers for two years. The companies that have not will spend the next twelve months scrambling.

You can see which is which from the language they use.

Where this leaves you

The AI Act will not, by itself, make AI products trustworthy.

Regulations rarely do.

What it will do is raise the floor on what individuals can expect.

And give regulators a framework for forcing the worst products to clean up. Or close.

The companies that take the Act as a floor and build well above it will earn trust faster.

The ones that treat it as a compliance task to retrofit at the last moment will spend the next two years explaining themselves.

Worth knowing which kind your tools are.

That is the test for this category, repeatedly. Worth running it on the AI products you already use.

More soon.