Yes — if any customer in the EU chats with a WhatsApp AI bot your India business runs, the EU AI Act can reach you, because its obligations are extraterritorial: they follow the AI system's output into the EU, not your company's address. The two duties that actually bite a chatbot are Article 50 transparency (a user must be told they are talking to an AI, and AI-generated content must be labelled) and, if you run your own general-purpose model behind the bot, the GPAI obligations. This is a reaction guide for Indian D2C, SaaS and services exporters: what changed, whether it applies to you, and a 7-step readiness checklist — with every date and figure hedged "verify current EU guidance", because the AI Act's phased timeline and Commission codes are still settling.
Why an India-run WhatsApp bot can fall under the EU AI Act
The instinct is "we're an Indian company, EU law can't touch us." The AI Act's scope provision says otherwise. It applies to providers and deployers established outside the EU where the output produced by the AI system is used in the EU — so a support or sales bot answering an EU-based customer on WhatsApp is squarely in range, the same extraterritorial logic that already made GDPR apply to Indian exporters. You do not need an EU office, an EU entity, or an EU server; you need an EU user whose conversation your AI drives. If your WhatsApp catalog ships to Germany, your SaaS onboards French users, or your travel desk books EU tourists over chat, assume the Act is in scope and verify against the current text rather than hoping distance protects you.
This is the extraterritorial twin of India's own regime. Where the AI Act governs EU-facing output, India's AI-disclosure and labelling expectations govern the domestic side — a bot serving both markets inherits both, and the disciplined move is to build to the stricter of the two once.
The two obligations that actually bite a chatbot
Most of the AI Act — the high-risk conformity regime, the CE-marking machinery — does not apply to an ordinary customer-service or commerce bot. Two things do, and they are the ones to design for:
- Article 50 — AI transparency. A person interacting with an AI system must be informed they are dealing with an AI, unless it is obvious from context. Content that is AI-generated or manipulated (text the bot writes, synthetic images, audio) must be marked as such in a machine-readable way where the rule applies. In practice: a clear "you're chatting with our AI assistant" disclosure at the top of the thread, and a human-handoff path when asked.
- GPAI (general-purpose AI model) duties. If you merely call a third-party model's API, the model provider carries most GPAI obligations. If you bring your own model — fine-tune, self-host, or otherwise act as the model provider — technical documentation, a training-data summary and copyright-policy duties can land on you. This is the compliance cost that rides alongside the token-cost tradeoff in BYOK LLM cost governance: owning the model saves per-token spend but adds provider-side paperwork.
Get these two right and an EU-facing WhatsApp bot is compliant on the surfaces regulators and users actually see, without dragging your whole stack into the high-risk regime.
The EU AI Act timeline you are reacting to
Verify each of these against the official EU timeline before you rely on it — the Commission has issued guidance and codes on a rolling basis and dates have shifted. Directionally: the Act entered into force in 2024; prohibited-practice and AI-literacy provisions began applying in early 2025; general-purpose-AI-model obligations from mid-2025; and the broader transparency and high-risk obligations phase in through 2026 into 2027. The reason to act in 2026 rather than wait is that transparency is the cheapest duty to retrofit and the most visible one — a missing AI-disclosure on a live bot is the kind of thing a single EU customer complaint surfaces. Penalties scale to global turnover (the prohibited-practice tier reaches tens of millions of euros or a mid-single-digit percentage of worldwide turnover — verify current figures), so the exposure is not notional for a growing exporter.
Do these 7 things if any EU user touches your bot
- Add the AI disclosure. Open every AI-handled WhatsApp thread with a plain-language "you're chatting with our AI assistant — type agent to reach a person." Obvious, early, unmissable.
- Map who your users are. Confirm whether EU-based customers actually reach the bot; if yes, treat the Act as in scope and document that finding.
- Classify your model role. Decide whether you are only a deployer (calling someone else's model) or also a provider (BYOK/fine-tuned) — the GPAI paperwork hinges on this.
- Label AI-generated content. Where the bot sends synthetic images, audio or drafted text into the EU, mark it as AI-generated per Article 50.
- Guarantee human handoff. Keep a reliable, quick escalation from bot to a human agent — both a transparency good-practice and a customer-trust win.
- Keep records. Retain your disclosure wording, model-role assessment, and (if a provider) technical documentation and training-data summary.
- Dual-consent with GDPR + DPDP. Run consent and data-handling to satisfy both the EU GDPR and India's DPDP Act — build to the stricter standard once.
Where WhatsApp itself sits — a 5-stage compliant bot lifecycle
Stage 1 — first contact + AI disclosure
The moment an EU customer opens the thread, the bot introduces itself as AI and offers the human-handoff keyword. Baking disclosure into the greeting template means Article 50 compliance is automatic on every conversation, not a thing an agent might forget.
Stage 2 — consent + purpose capture (WhatsApp Flow)
A WhatsApp Flow captures the query and the specific consent for processing — clearly stating the purpose and that an AI assists — so both GDPR lawful-basis and DPDP notice requirements are met before any personal data is used. No sensitive data is coaxed into the open thread.
Get the DPDP WhatsApp checklist
A founder-led WhatsApp reply with the DPDP consent + audit-log checklist for WhatsApp Business messaging. India-hosted. No spam.
Stage 3 — AI-assisted answer with a guardrail
The model answers within a scoped knowledge base, with the AI-content labelling rule respected for anything synthetic. Quality here is a compliance issue, not just UX — an under-tested agent hallucinating regulated claims to an EU user is a risk. This is why you evaluate the AI agent before it faces cross-border traffic.
Stage 4 — human escalation on demand
Any "agent" request, sensitive topic, or low-confidence answer routes to a human in a shared inbox with the full thread context. The handoff is logged, giving you the record that transparency and escalation actually worked.
Stage 5 — retention, opt-out + audit trail
Conversation data is retained only for its stated purpose and window; opt-out is honoured for non-essential messaging while genuine transactional notices continue. Every disclosure, consent and handoff is logged — the evidence trail that answers a regulator or a customer's GDPR/DPDP request.
The automation stack you actually need
- A disclosure-first greeting template so every AI thread self-identifies — Article 50, automated.
- WhatsApp Flows for scoped consent and purpose capture before any personal data is processed.
- A scoped, evaluated AI agent — you can build a GenAI LLM agent on a defined knowledge base rather than an open-ended model.
- A one-tap human-handoff into a multi-agent shared inbox with full context.
- A logging + retention layer capturing disclosures, consent and escalations for the audit trail.
GDPR + India DPDP: the dual-consent carve-out
An EU-facing WhatsApp bot answers to two data-protection regimes at once, and the lazy-but-correct approach is to build to the stricter of the two:
- Lawful basis + notice. GDPR needs a lawful basis; DPDP needs clear notice and consent. A single well-worded consent step in the Flow can satisfy both if it states purpose, AI involvement and retention.
- Purpose limitation. Data captured to answer a support query is not silently repurposed into EU marketing — that would breach both regimes.
- Data-subject rights. Honour GDPR access/erasure and DPDP correction/erasure requests; your DPDP Act compliance checklist maps most of this directly.
- Minimisation. Keep the thread to what communication needs; sensitive processing stays off the open chat.
Market context: who this actually hits
India's IT and business-services export engine is a multi-hundred-billion-dollar sector, and a large and growing slice of D2C brands, SaaS products and service firms count EU customers among their WhatsApp audience (directional — verify against current export and sector data). You do not need to be a large exporter to be in scope: a Jaipur handicraft D2C shipping to EU buyers, a Bengaluru SaaS onboarding EU trials, or a Goa travel desk booking European tourists over WhatsApp all plausibly trigger the extraterritorial test. The population of affected Indian businesses is therefore far wider than the "AI companies" the AI Act is imagined to target — anyone running an AI-assisted chat for even a handful of EU customers should run the 7-step check.
What compliant WhatsApp AI costs on RichAutomate
The WhatsApp platform layer on RichAutomate is ₹0 setup, ₹0 monthly, ₹0 platform fee. You choose how the per-message cost works:
- Client Pay: ₹0.10 per message, with Meta's conversation charges billed directly to you at cost (Meta's India rates run around ₹0.8631 marketing / ₹0.115 utility per conversation — verify current card).
- SaaS Pay: all-inclusive ₹1.20 marketing / ₹0.30 utility per message on one INR GST invoice, tiered down with volume — no separate Meta bill to reconcile.
- 14-day free trial + 100 free credits to wire the disclosure greeting, consent Flow and human-handoff before you commit. GST registration is effectively required to run a live WhatsApp Business API sender in India.
For how these per-message numbers compare against platform and BSP fees, see the WhatsApp Business API cost breakdown.
7-day EU-AI-Act readiness rollout
- Day 1: Confirm whether EU-based customers reach your WhatsApp bot; document the in-scope finding.
- Day 2: Classify your model role — deployer (third-party API) vs provider (BYOK/fine-tuned).
- Day 3: Rewrite the bot greeting to carry the AI disclosure and the human-handoff keyword.
- Day 4: Build the consent + purpose-capture Flow to satisfy GDPR and DPDP at once.
- Day 5: Wire the one-tap human-escalation into a shared inbox and log every handoff.
- Day 6: Set retention windows, opt-out handling and AI-content labelling for synthetic outputs.
- Day 7: Evaluate the agent against a test cohort and verify disclosure, consent and escalation end-to-end.
Make your EU-facing WhatsApp bot compliant
RichAutomate gives Indian D2C, SaaS and services exporters a WhatsApp AI stack built for cross-border rules — a disclosure-first greeting, GDPR+DPDP consent Flows, an evaluated AI agent and one-tap human handoff — at ₹0 setup, ₹0 monthly, ₹0 platform fee. Client Pay is ₹0.10/message plus Meta's rates billed direct at cost; SaaS Pay is ₹1.20 marketing / ₹0.30 utility all-inclusive. Start with a 14-day free trial and 100 free credits, or book a 30-minute walkthrough. This is a readiness guide, not legal advice — verify the current EU AI Act text and consult counsel before you rely on it.
Start your 14-day free trial → · Book a 30-min walkthrough · See India's AI-disclosure rules