AI Legal Liability in Your Company: Who Is Responsible?
If your AI misleads a customer, your company is liable, not the model provider. What the Air Canada case means and how to cut your legal risk.
You put an artificial intelligence assistant on your website to handle customers. One day it gives someone the wrong detail about a price, a deadline or a condition, and that customer acts on it. When the complaint arrives, the question is blunt: is your company liable, or is the lab that built the model? The short answer, and the one that stings, is that you are.
This is a common blind spot when a company decides to use customer-facing AI. People think about the savings and the novelty, and they assume that if the tool comes from a big provider, the legal problem is the provider’s too. It does not work that way. Here I explain why the AI legal liability in your company is yours, which real case made it clear, and what you can do to lower the risk without giving up the technology.
One warning before we go on: this is not legal advice. It is an explanation to help you make better decisions and know what to ask your lawyer. For your company’s specific case, talk to a professional.
The short answer: the one who deploys is liable, not the one who builds
Toward your customer, the liable party is the company that puts the AI to work in its name, not the one that trained the model. It helps to separate two roles that get mixed up constantly:
- The model provider is the company that builds the artificial intelligence. The familiar names are OpenAI, Google or Anthropic. They train the model and rent it to you.
- The company that deploys is you: you take that model, connect it to your website or your customer service, and put it to talk with your brand up front.
Your customer never dealt with the lab. They dealt with you. They saw your logo, your website and your name. In practice, the AI works like a brochure you publish or an employee answering the phone: whatever it says in your name commits you. That another company’s model generated the words does not change who put that system in front of the customer.
This is not an exotic legal opinion. It is the normal way a company’s liability for what it communicates works. What is new is the channel, not the principle.
The case that made it clear: Air Canada
In 2024, a Canadian tribunal held Air Canada liable for the wrong information its own chatbot gave, and that case has become the reference for understanding who carries the responsibility. It is worth telling because it sums up the whole argument.
A customer asked the assistant on the airline’s website about bereavement fares, the ones that apply when you travel because a family member has died. The chatbot told him he could request the discount after flying. The company’s actual policy said the opposite. The customer bought following what the AI told him and later claimed back the difference.
The interesting part is the airline’s defense. Air Canada went as far as arguing that the chatbot was, in practice, a separate entity responsible for its own actions. The tribunal rejected that outright: the chatbot is part of Air Canada’s website, and the company is responsible for all the information on its website, whether a person writes it or a machine generates it. The airline had to compensate the customer.
The amount of money was small. The expensive part was something else: a precedent cited around the world was set, and the company carried the reputational wear of having tried to blame its own software. It is a Canadian case, not a Spanish ruling, so do not take it as law that applies here. Take it for what it is: the clearest signal of where the reasoning is heading when a customer-facing AI gets it wrong.
Why the provider contract does not cover you
The contract you sign with the model provider governs your relationship with them, not your liability toward your customer. They are two separate planes worth keeping apart.
When you contract an AI model, you accept terms of use. Without getting into specific clauses, which vary by provider and your lawyer should review, the general logic of those contracts tends to run in an uncomfortable direction for you: the provider limits its own liability and shifts to the customer, meaning your company, the risk of how the tool is used. They give you the engine. What you do with it is your business.
Even if the contract said otherwise, it would still not protect you toward your customer. Your responsibility to them does not arise from your deal with the provider, but from the commercial relationship you have with that person: you sell them something, you give them a service, and you communicate in your name. That bond is yours and you cannot subcontract it to a third party your customer does not even know.
The practical conclusion is simple. The provider gives you technical capability, not a legal umbrella. Before you put an AI to talk with customers, assume its answers count as your company’s answers.
What the European framework says (without being a lawyer)
In Europe there are two rules any company using customer-facing AI should keep on the radar: the GDPR and the AI Act. You do not need to master them, but you do need to know they exist and where they touch you.
The GDPR, the General Data Protection Regulation, governs the use of personal data. The key idea for you: if your AI processes your customers’ data, for example their name, their email or the content of their queries, your company is the data controller. That means you answer to the data protection authority for how that data is collected, stored and used, even if a model from another company does the processing underneath. This point has enough substance to treat on its own, and I develop it in GDPR and artificial intelligence.
The European Union’s AI Act, adopted in 2024 and applied in stages over the following years, sorts AI systems by risk level and asks for more obligations the higher the risk of what the system does. A simple customer service use is not in the same category as an AI that decides on credit or on hiring people. What you want to keep in mind: the rule exists, it distinguishes by risk, and the obligations depend on what you use the AI for, not just on which model you pick.
I repeat the warning, because here it really matters: this is not legal advice. Names, dates and risk levels evolve, and your specific case may fall into a category only a professional will know how to identify. Use this section to know what to ask, not as a ruling.
What you can do to reduce the risk
You can use customer-facing AI with much less risk if you set clear limits before turning the system on. No measure removes your liability, but together they cut the odds of ending up in a complaint like Air Canada’s quite a bit.
- Disclose that it is an AI. The customer has the right to know they are talking to an automated system, not a person. Hiding it adds risk and drains trust.
- Put a human in sensitive decisions. For refunds, special conditions or anything that commits money or customer rights, let the AI propose and a person confirm. I develop this criterion in four questions before using AI.
- Limit what the AI can promise. Set in writing which topics it can handle and which it hands off to a person. A system that cannot invent prices or deadlines is unlikely to land you in a problem like the airline’s.
- Keep a record of the conversations. If a complaint ever comes, knowing exactly what the system said and when gives you something to defend yourself with and something to fix.
- Review what data goes in. Before connecting the AI to customer information, check what personal data it will see and whether you have a legal basis for it. This is where the GDPR is looking at you.
None of these measures is programmer’s work. They are business and judgment decisions, and that judgment, knowing where AI is worth using and where it is not, is exactly what we work on in the AI without hype course.
One new concept every week
If you are weighing bringing AI into your company, legal liability is only one of the pieces worth understanding before you decide. The full picture, with the other risks and how to prioritize them, is in the guide to AI risks for companies.
Frequently asked questions
Who is liable if the AI makes a mistake with a customer?
The company that deployed the AI toward that customer is liable. If you put an AI assistant on your website or in your customer service, its answers count as your company’s answers, even if another company builds the model.
Isn’t the model provider responsible, like OpenAI or Google?
Toward your customer, no. Your relationship is with your customer, and their relationship is with your brand, not with the lab that trained the model. The contract with the provider governs your relationship with them, but it does not shift to them the responsibility you have toward the person you sell to or serve.
Does the Air Canada case affect me if my company is in Spain?
It is not a ruling that applies in Spain, it is a Canadian case from 2024. It still matters because it clearly shows the reasoning that is starting to repeat: the company is liable for what its own AI says and cannot treat it as an independent third party.
Does my website’s legal notice protect me?
It helps, but it is not an automatic shield. A generic notice does not cover you if your AI gives the customer specific and wrong information about a price or a condition. Really reducing the risk means limiting what the system can promise and putting a person in the sensitive decisions.
Do I have to declare that I use AI because of the GDPR or the AI Act?
It depends on what you do with the AI and what data you process. As a general principle, disclosing that the customer is talking to an automated system and being transparent about the use of their personal data is the prudent thing to do. For your specific case, check with a professional, because the obligations change with the use and the risk level.