Retail and e-commerce in 2026 is among the most AI-saturated sectors of the economy. Personalisation engines drive most product discovery; dynamic pricing optimises margins in real time; recommendation systems determine what customers see; fraud detection AI screens transactions; supply chain AI optimises logistics and inventory. Each of these capabilities sits at the intersection of consumer protection law (ACCC, FTC, CMA, European Commission consumer protection), privacy regulation (GDPR, Privacy Act, CCPA), and competition law. The regulatory framework that governs retail AI is more fragmented than financial services or healthcare, but no less demanding. This guide covers the use cases, the regulatory landscape, and the operating model for retail AI governance.
1. Personalisation
Personalisation AI is the most common retail AI use case and the most sensitive from a privacy perspective. Recommendation engines, personalised search ranking, personalised email and push notifications, personalised pricing displays, and personalised loyalty programs all depend on processing customer data — purchase history, browsing behaviour, demographic data, location, device characteristics, and often inferred sensitive attributes (health interests, financial situation, household composition). The governance considerations:
- consent — particularly for tracking-based personalisation;
- data minimisation — using the least data necessary;
- transparency — explaining how personalisation works to customers;
- right to opt-out — meaningful customer ability to opt out of profiling-based personalisation, required under GDPR Article 22, the DSA for VLOPs, and increasingly under US state privacy laws.
The EU AI Act high-risk category does not generally cover marketing personalisation, but the EU AI Act transparency obligations for emotion recognition and biometric categorisation apply where retail AI uses those techniques.
2. Dynamic pricing
Dynamic pricing AI is the most legally sensitive retail AI use case. The accumulating consensus across antitrust regulators: algorithmic pricing that produces coordinated outcomes is a competition concern regardless of whether explicit human coordination occurred. The ACCC has investigated multiple cases; the US DOJ has been active particularly in residential rental markets (RealPage cases); the European Commission has issued guidance, and the Digital Markets Act addresses related issues. The questions retailers must answer: Does our pricing AI use competitor pricing data? Does it converge with competitor pricing in patterns that could be interpreted as coordination? Can we explain how pricing decisions are made? Personalised pricing (different customers seeing different prices for the same product) carries additional consumer protection risk — the ACCC, FTC, and CMA have all signalled concern. The Australian Consumer Law misleading conduct prohibition applies. The DSA requires VLOPs to disclose the use of personalised pricing.
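The second and third questions above (does our price converge with a competitor's, and can we explain it) are only answerable if someone actually measures the pattern. The following is an added example, not code from the original guide or from any retailer's pricing system: a small compliance-side monitor over daily price series. The price series, the two-day lag window and the 50% follow-rate threshold are constructed assumptions chosen for illustration; a real review would set them per category.

```python
"""Added example: compliance monitor for pricing convergence with a competitor.
Not code from the original page; series, lag window and thresholds are
constructed assumptions."""

# Constructed daily prices for one SKU. The competitor moves on days 3, 7
# and 11; our price moves on days 4, 8, 10 and 12, so three of our four
# moves land one day after a competitor move in the same direction.
COMPETITOR = [10.0] * 3 + [11.0] * 4 + [10.5] * 4 + [12.0] * 3
OURS = [10.2] * 4 + [11.2] * 4 + [10.7] * 2 + [10.4] * 2 + [12.2] * 2


def price_moves(series):
    """Return (day, direction) for every day the price differs from the day before."""
    moves = []
    for day in range(1, len(series)):
        if series[day] != series[day - 1]:
            moves.append((day, 1 if series[day] > series[day - 1] else -1))
    return moves


def follow_rate(ours, theirs, max_lag=2):
    """Share of our moves that come 1..max_lag days after a competitor move
    in the same direction. Returns (followed, total_moves)."""
    their_moves = price_moves(theirs)
    our_moves = price_moves(ours)
    followed = sum(
        1 for day, direction in our_moves
        if any(1 <= day - t_day <= max_lag and direction == t_dir
               for t_day, t_dir in their_moves)
    )
    return followed, len(our_moves)


def lagged_correlation(ours, theirs, lag):
    """Pearson correlation of our price on day t with the competitor's on day t-lag."""
    if lag:
        ours, theirs = ours[lag:], theirs[:-lag]
    n = len(ours)
    mean_o, mean_t = sum(ours) / n, sum(theirs) / n
    cov = sum((o - mean_o) * (t - mean_t) for o, t in zip(ours, theirs))
    var_o = sum((o - mean_o) ** 2 for o in ours)
    var_t = sum((t - mean_t) ** 2 for t in theirs)
    if var_o == 0 or var_t == 0:
        return 0.0  # a flat series has no co-movement to measure
    return cov / (var_o * var_t) ** 0.5


def convergence_report(ours, theirs, max_lag=2, follow_threshold=0.5):
    """Summarise the pattern for the pricing governance review.

    A high follow rate, or a correlation that peaks at a positive lag (we move
    after they do), is the pattern the review has to be able to explain."""
    followed, total = follow_rate(ours, theirs, max_lag)
    rate = followed / total if total else 0.0
    corr = {lag: lagged_correlation(ours, theirs, lag) for lag in range(max_lag + 1)}
    best_lag = max(corr, key=corr.get)
    return {
        "follow_rate": rate,
        "moves": total,
        "correlation_by_lag": corr,
        "best_lag": best_lag,
        "needs_review": rate > follow_threshold or best_lag > 0,
    }


if __name__ == "__main__":
    for key, value in convergence_report(OURS, COMPETITOR).items():
        print(f"{key}: {value}")
```

On the constructed data the report flags the SKU: three of four moves followed the competitor, and the correlation peaks at a one-day lag rather than at lag zero. Neither number proves coordination; the point of the check is to surface the SKUs and time windows for which the pricing team must hold a documented, non-competitor-based explanation.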
3. Recommendation systems and the DSA
The EU Digital Services Act creates specific obligations for recommendation systems. Very Large Online Platforms (VLOPs) — those with 45M+ EU users — must conduct risk assessments covering recommender systems, provide non-profiling-based alternatives, and offer transparency about how recommendations work. Article 27 requires platforms to disclose the main parameters used in recommendation. Article 38 requires VLOPs to provide at least one option not based on profiling. The Commission has named multiple VLOPs in retail-adjacent categories (Amazon, AliExpress, Booking.com, Temu, Shein). Non-VLOP retailers operating in the EU should still treat the DSA approach as a useful framework even where they are not directly captured.
4. Fraud detection and consumer protection
Fraud detection AI must balance accuracy against consumer protection. False positives — legitimate customers blocked from completing transactions or having accounts suspended — create both financial loss and reputational risk. Specific governance considerations:
- bias and fairness testing across demographic groups (documented patterns of higher false positive rates affecting specific groups have drawn regulator attention);
- appeal and review mechanisms for customers whose transactions are blocked;
- transparency about why a transaction was blocked, where this can be done without compromising fraud detection effectiveness;
- GDPR Article 22 considerations where fraud decisions are substantially automated.
The Australian Privacy Act ADM transparency obligation (10 December 2026) applies to substantially automated fraud decisions affecting customers.
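The fairness-testing item above reduces to a concrete measurement: the false positive rate of the block decision, computed per group, and the spread between the best- and worst-treated groups. The following is an added example and not code from the original guide or from any fraud vendor. The segment labels, the sample decisions, the 1.25 disparity threshold and the minimum group size of 10 are constructed assumptions; in practice the threshold and the segments come from the retailer's own fairness policy and applicable law.

```python
"""Added example: per-group false positive rate audit for fraud block decisions.
Not code from the original page; labels, records and thresholds are constructed."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    group: str     # segment label, held only for the fairness audit
    blocked: bool  # the fraud model blocked the transaction
    fraud: bool    # ground truth, e.g. from a later chargeback or investigation


# Constructed sample: each group has 18 legitimate transactions and 2 real
# frauds; the model blocked 2 of group A's legitimate transactions and 5 of B's.
SAMPLE = (
    [Decision("A", True, True)] * 2
    + [Decision("A", True, False)] * 2
    + [Decision("A", False, False)] * 16
    + [Decision("B", True, True)] * 2
    + [Decision("B", True, False)] * 5
    + [Decision("B", False, False)] * 13
)


def false_positive_rates(decisions, min_legit=10):
    """FPR per group: blocked legitimate / all legitimate transactions.

    Groups with fewer than min_legit legitimate transactions are dropped so a
    handful of records cannot produce a misleading rate."""
    legit = defaultdict(int)
    blocked_legit = defaultdict(int)
    for d in decisions:
        if d.fraud:
            continue  # true positives and missed fraud are not false positives
        legit[d.group] += 1
        if d.blocked:
            blocked_legit[d.group] += 1
    return {g: blocked_legit[g] / n for g, n in legit.items() if n >= min_legit}


def disparity_ratio(rates):
    """Highest group FPR divided by the lowest; 1.0 means parity."""
    if len(rates) < 2:
        return 1.0
    lo, hi = min(rates.values()), max(rates.values())
    if lo == 0:
        return float("inf") if hi > 0 else 1.0
    return hi / lo


def audit(decisions, max_ratio=1.25, min_legit=10):
    """Return the per-group rates, the disparity ratio, the worst-treated
    group and whether the result exceeds the review threshold."""
    rates = false_positive_rates(decisions, min_legit)
    ratio = disparity_ratio(rates)
    worst = max(rates, key=rates.get) if rates else None
    return {
        "rates": rates,
        "ratio": ratio,
        "worst_group": worst,
        "needs_review": ratio > max_ratio,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

The audit is only as good as its ground truth: a transaction counts as a false positive only once it is known to be legitimate, which typically means the appeal outcome or the absence of a chargeback after the dispute window. That is the operational link between the fairness test and the appeal-and-review mechanism listed above.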
5. Supply chain and operations AI
Demand forecasting, inventory optimisation, logistics routing, and supplier risk assessment AI generally carry lower direct customer-facing risk but have their own governance considerations. Supplier risk AI: how is supplier scoring done, what bias might be present, and what recourse do affected suppliers have? Logistics AI: worker monitoring implications (where logistics AI directs worker behaviour), safety considerations for autonomous systems in warehouses, and GDPR/Privacy Act implications for any AI processing worker data. Demand forecasting: lower direct risk, but commercial sensitivity around the AI's accuracy and its role in downstream decisions.
The retail AI operating model
A defensible retail AI operating model includes:
- an AI inventory across personalisation, pricing, recommendations, fraud, and supply chain;
- a consumer-facing AI register with appropriate transparency;
- privacy programme integration — DPIA for high-risk AI use cases, consent management, data subject rights;
- competition law assessment for pricing AI;
- bias and fairness testing, particularly for fraud and personalisation;
- DSA compliance for VLOPs, and the DSA approach as a useful framework for others;
- customer service and complaints processes that can handle AI-related complaints;
- incident response for AI-related incidents.
Useful third-party resources
- ACCC — Australian Competition and Consumer Commission, Digital Platforms enforcement
- FTC — US Federal Trade Commission AI enforcement
- CMA — UK Competition and Markets Authority
- EU Digital Services Act
- EU Consumer Rights Directive
- OAIC — Privacy obligations for retail data