When synthetic media triggers advertising law obligations
How Liability Is Attributed When AI Systems Cause Harm
When AI causes financial, reputational, or operational damage, liability does not disappear into the model. It is attributed through control, foreseeability, and benefit — and can escalate from the deploying company to vendors, developers, and even directors. This guide maps the liability chain in practical terms and shows how EU and US exposure differs in real life.
Introduction — AI Cannot Be Sued
Artificial intelligence is not a legal subject. It cannot be fined, prosecuted, or held liable. When AI systems cause financial, reputational, or operational harm, responsibility always attaches to a company — and sometimes to individual decision-makers.
The legal question is not “What did the AI do?”
Courts and regulators ask a different question: Who controlled the system? Who approved its deployment? Who benefited from its output? Liability follows control and economic advantage — not technical complexity.
- “The model made the mistake, not us.”
- “We used a third-party API — liability is theirs.”
- “AI is autonomous, so responsibility is diluted.”
- “There is no specific AI law, so exposure is limited.”
- Who selected and deployed the system
- Whether risks were foreseeable
- Whether monitoring and controls existed
- Who economically benefited from AI-driven decisions
1. When AI Causes Harm: How Liability Is Actually Attributed
When AI causes financial, reputational, or operational damage, liability is rarely decided by the question “what did the model do?” The real question is: who controlled the system, who could foresee the risk, and who economically benefited from deploying it.
“AI did it” is not a defense. Liability follows governance: ownership, approvals, controls, and evidence.
1) Attribution principles (how decision-makers will look at your case)
Control
Who selected the model/vendor, integrated it, set thresholds, approved deployment, and controlled updates? Control is the fastest route to responsibility.
Evidence: owners, approvals, change logsForeseeability
Was the risk predictable (bias, hallucinations, privacy leakage, unsafe outputs)? If yes, the next question is: what controls existed — and why they failed.
Evidence: risk register, testing, monitoringEconomic benefit
Who benefited from speed, cost reduction, or higher conversion? Liability often follows the party that captured the upside while externalizing risk.
Evidence: KPIs, incentives, governance reporting2) Who can be held responsible (common exposure map)
| Potentially liable party | Why they get pulled in | Typical “bad fact” | What reduces exposure |
|---|---|---|---|
| Deploying company | Controls the use case and decision pathway | AI used in production without formal approvals/controls | Governance, monitoring, incident handling, evidence |
| Developer (in-house) | Builds/maintains model logic and integration | No logging, no testing, uncontrolled updates | Lifecycle controls, change management, QA evidence |
| Vendor / SaaS provider | Only if fault + contract allow allocation | Broken warranties, security gaps, misrepresentation | Warranties, audit rights, SLAs, incident duties |
| Joint liability (multiple parties) | Shared control or shared benefit | Ambiguous responsibilities between vendor + deployer | Clear allocation in contracts + documented ownership |
3) Real-world examples (what “bad governance” looks like in practice)
short case studiesAmazon recruiting tool (bias failure)
- What happened: automated screening learned biased signals from historical data and penalized certain candidates.
- Where liability risk sits: the deploying company owns hiring outcomes; “model learned it” does not remove accountability.
- Governance miss: insufficient bias testing + weak oversight on decision impact.
COMPAS risk scoring (contested fairness & impact)
- What happened: algorithmic risk scores influenced justice outcomes and triggered public/legal scrutiny over fairness and transparency.
- Where liability risk sits: institutions relying on the score need defensible oversight; vendors rarely carry the full outcome risk.
- Governance miss: weak contestability and unclear accountability for decisions based on scores.
Clearview AI (data sourcing & privacy exposure)
- What happened: facial recognition built on scraped images triggered enforcement actions and bans in multiple jurisdictions.
- Where liability risk sits: both vendor and deployers face exposure if they cannot justify lawful basis and safeguards.
- Governance miss: procurement without a compliance file (lawful basis, DPIA-style assessment, contract controls).
Generative AI defamation claims (content harms)
- What happens: outputs can produce false statements about real people or companies; the harm often arises at the point of publication/use.
- Where liability risk sits: the party that used/published the output is exposed if they lacked review and safeguards.
- Governance miss: no approval gate for high-risk content and no logging of prompts/outputs used in decisions.
2. EU vs US: Two Different Liability Environments
“Liability risk” looks very different depending on where you operate. In the EU, the default threat is regulator-driven enforcement. In the United States, the default threat is plaintiff-driven litigation. Same AI incident — two completely different failure modes.
Why this matters for founders, developers, and investors
In the EU, you can often model your downside (fines + remediation + compliance costs) — but you must be ready for strict, structured expectations. In the US, the downside is harder to model: discovery, class actions, reputational shock, and legal defense costs can snowball even when the underlying incident looks “small”.
European Union
regulator-driven- Primary exposure: administrative enforcement (AI Act + GDPR + sector regulators).
- Risk is structured: duties, documentation, controls, and audit expectations.
- Boards want evidence: inventories, approvals, monitoring logs, incident records.
United States
plaintiff-driven- Primary exposure: lawsuits (tort claims, consumer claims, employment claims) + sector rules.
- Discovery risk is massive: internal emails, Slack, model docs, decision logs can become evidence.
- Outcomes are volatile: judge/jury dynamics + settlement pressure + PR damage.
| Factor | European Union | United States |
|---|---|---|
| Regulatory Model | EU AI Act + GDPR | Tort law + sector regulation |
| Primary Risk | Administrative fines | Civil litigation & class actions |
| Maximum Penalties | Up to €35M or 7% turnover | No statutory cap |
| Data Violations | GDPR: up to €20M or 4% turnover | FTC actions + privacy lawsuits |
| Enforcement Style | Regulator-driven | Plaintiff-driven |
| Discovery Risk | Limited | Extensive (internal emails, documents) |
| Predictability | Structured but strict | Less predictable, jury-based |
Penalty & exposure reality check (numbers decision-makers care about)
risk sizingEU AI Act: up to €35M / 7% turnover for prohibited practices or certain data-related non-compliance; and up to €15M / 3% turnover for other non-compliance.
GDPR: up to €20M / 4% turnover for serious violations (separate from AI Act exposure).
US litigation exposure: multi-million settlements are possible — and even before that, legal defense + discovery can be a major financial event on its own.
Practical pain point: in the US, internal messages and “we knew this could happen” documents often matter as much as the model itself.
3. Personal Liability and Board-Level Risk
AI risk is increasingly treated as board-level risk because it is not “a model problem” — it is a control problem. When AI causes damage, regulators and plaintiffs tend to ask the same question: who knew, who approved, who benefited, and who failed to oversee?
The director risk pattern (what gets people exposed)
Directors rarely get “punished for AI”. They get exposed for governance failures: missing oversight, ignoring known risks, weak controls, or investor communications that overstate compliance readiness.
Failure of oversight
No clear approvals, no reporting line, no monitoring evidence — and nobody can explain “who signed off” on the AI use case.
Typical trigger: incident → board asks for evidence → there is noneBreach of fiduciary duty
Risk was foreseeable, but leadership treated it as “technical detail” instead of governance: no controls, no escalation, no review cadence.
Typical trigger: predictable harm + no documented decision processIgnoring known AI risks
Teams flagged bias, privacy, security, hallucinations, or decision impacts — but the company scaled anyway without control intensity.
Typical trigger: “we knew” artifacts (tickets, emails, audit notes)Misleading investor disclosures
Marketing or investor materials describe AI as “compliant, safe, controlled” while internal reality is shadow AI, weak monitoring, and unclear accountability.
Typical trigger: fundraising / M&A diligence finds gaps → trust collapsesEU focus
systemic compliance failure- Exposure concentrates around system-level governance: documentation, controls, monitoring, and corrective actions.
- When compliance fails, leadership is often judged on control design and oversight adequacy — not on technical intent.
- Board risk increases when “high-risk” AI is treated like a normal product feature.
US focus
litigation + scrutiny- Derivative lawsuits can target directors if plaintiffs argue oversight failures harmed the company.
- SEC scrutiny becomes relevant when disclosures and actual controls diverge (especially around risk, security, and compliance posture).
- Discovery exposure is a multiplier: internal emails, chats, and drafts can become the main battlefield.
Board-level trigger test (when personal exposure becomes realistic)
practical scan- 1 AI impacts eligibility, pricing, ranking, or access If AI changes outcomes for people/customers, oversight becomes an accountability duty — not a tech choice.
- 2 There is no “who approved what” audit trail If you can’t reconstruct approval decisions, you can’t defend them.
- 3 Known risks were documented but not acted on Tickets, memos, internal reviews can become “foreseeability” evidence.
- 4 Investors rely on compliance-ready claims If disclosures outpace reality, liability risk becomes a governance issue fast.
- 5 Vendor AI is in production with weak contractual controls “It’s the vendor” is not a defense without due diligence + monitoring + allocation clauses.
4. IP, Likeness Rights & Consent Frameworks
Using a real person's appearance, voice, or recognizable identity in synthetic advertising content — without consent — creates exposure that operates entirely independently of FTC disclosure rules. Right of publicity, copyright, and biometric data law form a separate legal layer with their own remedies.
Why this matters even when disclosure is made
Disclosing that an ad uses AI does not cure the absence of consent. If a real person's likeness, voice, or identity was used without permission, the disclosure that "this is AI-generated" may be accurate — but the underlying right-of-publicity claim or GDPR violation remains fully intact. These are separate causes of action requiring separate compliance steps.
United States — Right of Publicity
state law (most states)- Most US states recognize the right of publicity — the right to control commercial use of name, image, likeness, and voice.
- California's ELVIS Act (2024) and similar statutes specifically extend protection to AI-generated voice and likeness cloning.
- The Lanham Act §43(a) provides a federal false endorsement claim when AI suggests a person endorses a product they do not.
- A dead person's likeness can still be protected — celebrity estates in several states hold publicity rights posthumously.
European Union — Biometric & Personal Data
GDPR + AI Act- Voice prints and facial geometry are biometric data under GDPR Article 9 — special category data requiring explicit consent.
- AI-synthesizing a real person's voice or face for commercial use without consent is a GDPR violation, independent of any advertising law breach.
- The EU AI Act prohibits certain biometric categorization and real-time identification uses; commercial synthetic media involving real persons must be assessed against both frameworks.
- Member state personality rights (e.g., Germany's "allgemeines Persönlichkeitsrecht") provide additional civil law remedies.
| Use of real person in synthetic ad | US exposure | EU exposure | Minimum consent requirement |
|---|---|---|---|
| AI-cloned celebrity voice | Right of publicity + Lanham Act false endorsement | GDPR biometric data violation | Explicit written consent specifying AI use, commercial purpose, and scope |
| Deepfake of known public figure | Right of publicity + defamation risk + Lanham Act | GDPR + AI Act + personality rights | Explicit written consent — generally not obtainable for adverse portrayals |
| AI face modeled closely on real person | Right of publicity if sufficiently identifiable | GDPR if face can identify the individual | Distinct enough from any real person to avoid identifiability threshold |
| AI-generated composite model (no real person basis) | Generally no right-of-publicity exposure | No GDPR biometric exposure if no real person identifiable | No consent required — but document the generative process |
| Real actor consented to AI post-production | Consent defense available if scope covered | Consent defense available under GDPR if explicit and specific | Written consent must name: AI use, specific campaigns, duration, revocation rights |
5. Strategic Conclusion — Building a Compliant Synthetic Media Workflow
Synthetic media is not a compliance-free zone. The legal obligations already exist — they sit in FTC endorsement law, consumer protection statutes, EU AI Act labeling requirements, right-of-publicity doctrine, and GDPR biometric data rules. What is new is not the law, but the scale and speed at which synthetic content can now create violations across all these frameworks simultaneously.
In the EU, the risk is structured but mandatory: the AI Act creates direct labeling obligations for synthetic media in commercial content, and failure to comply is a regulatory infringement — not a gray area. In the US, the risk is litigation-driven and volatile: a single high-profile AI voice misuse or fake review campaign can trigger FTC action, class litigation, and reputational damage simultaneously.
Synthetic media compliance workflow — before any AI ad goes live
operational checklist- 1 Inventory every AI-generated or AI-altered element Document which elements are synthetic before the campaign goes for review — you need this record if questions arise later.
- 2 Apply the materiality test to each element Would a reasonable consumer's decision be affected by knowing this element is AI-generated? If yes, disclosure is required.
- 3 Check whether any real person's likeness, voice, or identity is involved If yes: get written consent specifying AI use and scope — or redesign the asset to remove the identifiability.
- 4 Apply jurisdiction-specific rules (EU AI Act for EU audiences; FTC rules for US) For cross-border campaigns, the EU AI Act currently imposes stricter mandatory labeling — apply it as the baseline.
- 5 Make disclosures clear, conspicuous, and early "AI-generated" in small text at the end of a video does not meet FTC or EU AI Act standards — disclosures must be noticeable to the average consumer.
- 6 Maintain a compliance file for each campaign Document: what was AI-generated, what disclosures were made, what consent was obtained, and which legal review approved the asset for publication.
