WHEN THE CHATBOT, THE STAFF MEMBER, AND THE FAQ ARE ALL WRONG.

Publication note: UK-focused legal and governance analysis. This article is not legal advice.

Introduction.

The legal risk in automated customer service is often described too narrowly. The usual story is simple: a chatbot gives the wrong answer, the customer relies on it, and the company then tries to distance itself from the machine. That is only the most visible part of the problem.

The deeper risk arises when the chatbot is not an isolated failure at all. The chatbot gives the wrong information. A customer-service employee then confirms the same position without proper verification. The company’s FAQ, help page, cancellation guide, or refund policy repeats or reinforces the same error. At that point, the consumer is no longer misled by one defective message. The consumer is misled by the company’s own information architecture.

This matters because modern customer service is no longer only a conversation between a consumer and a trained representative. It is a layered system of automated tools, scripts, knowledge bases, self-service portals, AI summaries, internal prompts, outsourced support teams, and legacy documentation. When those layers are wrong together, the business has not suffered a minor chatbot accident. It has created a governance failure with legal consequences.

The central argument is precise. Artificial intelligence is not unlawful merely because it is used in customer service. Automation may be efficient, legitimate, and commercially necessary. But where automation becomes the practical route through which consumers understand their rights, remedies, refunds, cancellations, warranties, complaints, or contractual obligations, governance is no longer optional. It becomes part of the company’s duty of operational competence.

The three-layer failure.

The first layer is the chatbot. A consumer asks a direct question about a product, service, refund, cancellation, warranty, renewal, complaint, or remedy. The chatbot answers in confident operational language. It may not describe itself as legal advice, but that is not decisive. From the consumer’s perspective, it is an official company channel. It sits on the company’s website, carries the company’s brand, and is presented as a route to assistance.

If that answer is false or materially misleading, the company will struggle to argue that the consumer should have treated it as meaningless. The business cannot invite consumers to use an automated support channel and then, when the answer becomes inconvenient, pretend that the same channel had no corporate authority.

The second layer is the staff member. This layer is often more dangerous because it appears to add human assurance. The consumer, uncertain about the chatbot’s answer, contacts customer support. A named employee replies. Yet the employee may not be exercising independent judgement. They may be copying from an internal AI assistant, accepting a chatbot-generated draft, relying on a script, or repeating a knowledge-base summary that has not been checked against the company’s actual legal obligations.

The result is a false human-in-the-loop model. The consumer thinks a human being has reviewed the matter. In reality, the human being may merely have relayed machine output under the appearance of professional confirmation. A human who lacks knowledge, authority, time, training, or permission to override the system is not a meaningful safeguard. They are an operational relay.

The third layer is the published documentation. FAQs, help pages, cancellation instructions, online refund policies, product guides, warranty pages, and complaint-handling notes often remain online long after the law, the company’s terms, or the internal process has changed. This documentation can mislead more powerfully than a chatbot message because it appears more formal and more authoritative.

If the FAQ confirms the chatbot and the staff member, the consumer’s reliance becomes stronger. If it contradicts them, the consumer is placed in an impossible position: three company sources, three possible answers, and no reliable method of knowing which source speaks for the business. The legal and governance problem is therefore not a single bad answer. It is a defective corporate information system.

Why the consumer should not carry the burden.

Consumers should not be expected to conduct forensic triangulation across a company’s chatbot, staff emails, hidden terms, website policies, archived help pages, and internal complaint procedures. The company creates those channels, controls those channels, benefits from routing consumers through them, and decides how easily a consumer can reach a human decision-maker. The burden of coherence must therefore rest primarily with the trader.

This is the practical lesson of Moffatt v Air Canada, 2024 BCCRT 149. The Canadian decision is not binding in England and Wales, and it should not be overstated as a direct statement of UK law. Its value is illustrative. Air Canada’s chatbot gave incorrect information about whether a bereavement fare could be claimed retrospectively. The British Columbia Civil Resolution Tribunal treated the claim as one of negligent misrepresentation and rejected the attempt to distance the airline from the chatbot’s output. The Tribunal’s practical point was blunt: the chatbot formed part of Air Canada’s website, and Air Canada remained responsible for information presented through its own customer-facing system.

The same principle has obvious resonance for UK consumer-law analysis. A business that presents a digital support channel as part of its official customer-service architecture cannot sensibly invite reliance when selling or servicing the product, then deny responsibility when the consumer later relies on what the channel said.

Negligent misstatement and reasonable reliance.

Under English law, negligent misstatement remains a central route of analysis. Hedley Byrne & Co Ltd v Heller & Partners Ltd [1964] AC 465 established the modern foundation for liability where there is an assumption of responsibility and reasonable reliance. In a consumer-support setting, the assumption of responsibility may arise from the company presenting itself as the authoritative source on its own products, processes, policies, and contractual obligations.

The consumer is not asking a stranger for speculation. They are asking the trader itself. That distinction matters. A trader is expected to know its own refund rules, cancellation process, complaint route, warranty limitations, subscription renewal policy, and remedy structure. When the trader answers a consumer through an official channel, the consumer is entitled to attach weight to that answer.

Caparo Industries plc v Dickman [1990] 2 AC 605 is also relevant because it reminds lawyers to consider foreseeability, proximity, and whether it is fair, just and reasonable to impose a duty. In this context, foreseeability is usually strong: companies deploy support systems precisely because consumers will use them to make decisions. Proximity is also strong where the consumer asks a specific question through an official company channel. The fairness analysis will depend on the facts, but it becomes harder for a trader to deny responsibility where it has deliberately channelled consumers into automated or semi-automated support systems.

Esso Petroleum Co Ltd v Mardon [1976] QB 801 reinforces the importance of superior knowledge. Where one party holds itself out as having particular knowledge and supplies information on which another party acts, the law may treat reliance as more defensible. Smith v Eric S Bush [1990] 1 AC 831 is also useful because it emphasises context. Reliance is not assessed in the abstract. It is assessed by looking at the relationship, the nature of the statement, the practical position of the recipient, and whether reliance was reasonable in the circumstances.

The Misrepresentation Act 1967 problem.

Section 2(1) of the Misrepresentation Act 1967 creates a sharp additional risk in the contractual context. Where a person has entered into a contract after a misrepresentation has been made and has suffered loss as a result, the representor may be liable unless they prove that they had reasonable grounds to believe, and did believe, that the facts represented were true.

That structure matters for AI-assisted support. If the representation came from a chatbot, a scripted email, or an AI-drafted customer-service reply, the company may need to show more than commercial optimism. It may need to show that it had a defensible process for producing, checking, updating, monitoring, and correcting the information served to consumers.

This is not an argument that AI can never be used safely. The stronger legal point is narrower and more useful: AI can assist a compliant process only where the company can evidence governance. That includes testing, monitoring, audit logs, escalation routes, staff training, quality assurance, version control, and meaningful human review where the issue is legally or commercially significant.

The Consumer Rights Act 2015 problem.

The Consumer Rights Act 2015 creates a further route of exposure. Section 50 provides that information said or written to a consumer by or on behalf of the trader, about the trader or the service, can become binding where the consumer takes it into account when deciding to enter into the contract or when making decisions about the service.

That is highly relevant to automated customer support. Businesses often treat chatbot messages and support replies as informal assistance. Consumers often experience them as authoritative statements from the trader. If a consumer is told that a refund, cancellation, repair, replacement, renewal change, price adjustment, complaint remedy, or warranty route is available, and the consumer acts on that statement, the issue may become contractual rather than merely operational.

Section 62 also matters because unfair terms and unfair consumer notices are not binding on the consumer. A term is unfair if, contrary to good faith, it causes a significant imbalance in the parties’ rights and obligations to the consumer’s detriment. Director General of Fair Trading v First National Bank plc [2001] UKHL 52 remains an important authority on the contextual assessment of fairness and good faith.

In this setting, a general disclaimer saying that chatbot answers are not binding may not be enough. If the company simultaneously pushes consumers towards the chatbot as the primary or easiest route to assistance, the disclaimer may look less like a fair warning and more like an attempt to receive the efficiency benefit of automation while avoiding the accountability burden that follows from it.

The DMCCA 2024 problem.

The Digital Markets, Competition and Consumers Act 2024 adds a regulatory dimension. The Competition and Markets Authority’s unfair commercial practices guidance explains that the DMCCA replaces and updates the previous Consumer Protection from Unfair Trading Regulations 2008 for relevant commercial practices from 6 April 2025. The regime covers trader-consumer dealings and focuses on conduct capable of affecting the average consumer’s transactional decision.

The three-layer failure maps directly onto several unfair-commercial-practice concepts. A misleading action may arise where a trader provides false or misleading information, or where the overall presentation deceives, or is likely to deceive, the average consumer and causes or is likely to cause a different transactional decision. A misleading omission may arise where material information is omitted, hidden, delayed, obscured, or presented in a way that deprives the consumer of practical understanding.

Professional diligence is especially important. The CMA describes this as the standard of special skill and care reasonably expected of a trader towards consumers, assessed by reference to honest market practice or good faith. A company that deploys a chatbot without accuracy testing, permits staff to repeat AI output without verification, and leaves outdated FAQ pages online may be vulnerable not only because one answer was wrong, but because the support system itself may fall below the required standard of professional care.

Automated decisions and the false human review.

Data protection adds another layer, although it must be handled carefully. Not every chatbot interaction engages automated-decision rules. A chatbot that provides general information is different from a system that determines eligibility, refuses a refund, rejects a complaint, closes a warranty claim, blocks access to a service, or prevents a consumer from obtaining a remedy.

The Information Commissioner’s Office has long treated solely automated decisions with legal or similarly significant effects as legally sensitive. The Data (Use and Access) Act 2025 has changed the UK framework for automated individual decision-making. It should not be described simplistically as making the law stricter in every respect. Government material presents the reforms as simplifying and widening the circumstances in which solely automated decision-making may be used, provided appropriate safeguards apply.

The governance point remains severe. Where an automated or AI-assisted system makes, influences, or effectively determines a significant consumer outcome, the business must ensure that safeguards are real rather than decorative. Consumers must not be trapped behind a nominal human review process in which the reviewer merely repeats the automated conclusion without understanding it, testing it, or having authority to override it.

A purely symbolic human review is not oversight. It is automation wearing a human mask. The practical test is simple: can the human reviewer identify the basis of the decision, interrogate it, correct it, and reverse it where necessary? If the answer is no, the company has not created meaningful human accountability.

Staff use of AI and employer responsibility.

Vicarious liability may also become relevant where employees use AI negligently in the course of their duties. The negligent act is not merely using AI. The negligent act is presenting unverified AI output as authoritative human judgement in a customer-service context.

Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11 remains significant because it developed the close-connection approach to employer liability for employee conduct linked to assigned duties. Customer-support employees are employed to answer customer questions. If they answer those questions negligently while using an AI tool, script, or internal support assistant, the employer may struggle to characterise the conduct as wholly detached from employment.

The better defence is not denial after the event. It is governance before the event. Staff must know when AI may assist, when it may not be copied, when a legal or statutory-rights issue must be escalated, and who has authority to correct a wrong automated answer.

The exposure in plain language.

A company may face negligent-misstatement exposure where it presents an official, branded channel as a reliable source of decision-relevant information and the consumer reasonably relies on it.

It may face Misrepresentation Act exposure where a false statement induces a consumer to enter or continue a contractual relationship and the company cannot show reasonable grounds for believing the statement was true.

It may face Consumer Rights Act exposure where statements made by or on behalf of the trader become part of the contractual framework because the consumer took them into account.

It may face unfair-terms or unfair-notices scrutiny where it uses broad disclaimers to deny responsibility for support channels that it actively encourages consumers to use.

It may face DMCCA regulatory exposure where the overall support architecture misleads consumers, omits material information, obstructs informed decisions, or falls below professional diligence.

It may face data-protection risk where automated or AI-assisted systems effectively determine significant outcomes without transparency, contestability, or meaningful human involvement.

It may face employer-liability risk where staff members present unverified AI output as authoritative judgement in the ordinary course of customer-support work.

The common thread is not technology. The common thread is responsibility. The company designed the system, deployed the system, controlled the channels, trained or failed to train the staff, and profited from the efficiency gains. It cannot plausibly transfer the resulting accountability to the consumer.

This is a management failure, not a technology accident.

A chatbot error is often only the visible symptom. The root cause is usually a defective intelligence-to-decision pipeline inside the company. The business has not mapped the consequences of automated communication. It has not identified which source is authoritative. It has not aligned operational authority with legal accountability. It has not trained staff to verify AI outputs. It has not maintained the documentation that consumers and staff rely upon. It has not created escalation routes for legally sensitive cases.

In decision-making terms, the company has made a cost-saving decision before consequence-mapping. It has increased speed and throughput while reducing institutional judgement. That is not modernisation. It is operational fragility disguised as efficiency.

AI does not remove accountability. It relocates accountability to the people who deploy, govern, monitor, and profit from the system. A company that automates consumer support while failing to govern the surrounding architecture has not solved its customer-service problem. It has scaled it.

The discovery trail will tell the real story.

The commercial consequences will depend on the facts. A single error may lead to a refund, apology, complaint, chargeback, ombudsman referral, or small claim. A repeated pattern may lead to regulatory scrutiny, legal disclosure demands, remediation costs, damages exposure, adverse publicity, and loss of consumer trust.

The more serious risk is the discovery trail. Chat logs may show repeated incorrect answers. Staff emails may show employees copying or confirming those answers. FAQ pages may show outdated policies left online. Internal documents may show that management knew about the issue but did not assign ownership or corrective action. Complaint records may show that consumers repeatedly raised the same problem before the company corrected it.

That trail changes the story. A company can explain one mistake. It is much harder to explain a system in which every consumer-facing layer was allowed to drift away from legal and operational accuracy.

Practical governance lessons for corporate leadership.

The response must be operational rather than rhetorical. A company that deploys automated customer service should adopt clear controls.

First, test chatbot accuracy before deployment and after every significant change in law, policy, product design, pricing, cancellation rules, refund practice, or complaint procedure.

Second, maintain a legally reviewed knowledge base and ensure that chatbot answers, staff scripts, FAQ pages, and public help pages draw from the same current source of truth.

Third, assign accountable owners for each consumer-facing policy page, with fixed review cycles and rapid withdrawal of outdated material.

Fourth, create hard escalation triggers for refunds, cancellations, vulnerable consumers, statutory rights, complaints, warranty disputes, recurring billing, high-value claims, and any decision that may affect access to a remedy.

Fifth, preserve audit logs for chatbot interactions, AI-generated drafts, staff responses, human overrides, escalations, and policy updates.

Sixth, train staff that AI-generated text is a drafting aid, not a substitute for professional judgement. A support employee should never copy unverified AI output into a consumer-facing message where rights, remedies, money, eligibility, cancellation, or liability are at stake.

Seventh, provide a meaningful human appeal route. The human reviewer must have competence, access to the governing policy, and authority to correct the outcome. A human who can only repeat the machine is not a safeguard.

Eighth, audit complaint patterns. Repeated consumer confusion is not noise. It is an early-warning signal that the information architecture may be failing.

Conclusion.

The future risk is not merely AI hallucination. That phrase is too narrow and too technological. The real risk is unmanaged corporate automation: a system in which machine error, human relay, and outdated documentation reinforce one another until the consumer has no reliable route to the truth.

At that point, the company has built something more dangerous than a defective chatbot. It has built a liability machine.

The lesson is simple but severe. A business may automate communication, but it cannot automate away responsibility. When the chatbot speaks, the staff member confirms, and the FAQ corroborates, the consumer hears the company. If the answer is wrong, the legal question will increasingly be not whether the machine made a mistake, but why the company allowed an ungoverned system to speak with corporate authority in the first place.

Selected references and source notes.

- British Columbia Civil Resolution Tribunal, Moffatt v Air Canada, 2024 BCCRT 149. Used as persuasive comparative authority only, not as binding law in England and Wales.

- Bristows, Freya Ollerearnshaw and Naomi Foale, ‘AI Chatbot flies solo and Air Canada foots the bill — Moffatt v Air Canada’, 27 March 2024.

- McCarthy Tétrault, Barry B. Sookman, ‘Moffatt v. Air Canada: A Misrepresentation by an AI Chatbot’, 19 February 2024.

- Misrepresentation Act 1967, section 2(1), legislation.gov.uk.

- Consumer Rights Act 2015, sections 50 and 62, legislation.gov.uk.

- Digital Markets, Competition and Consumers Act 2024, Part 4, legislation.gov.uk.

- Competition and Markets Authority, ‘Unfair commercial practices: CMA207’, GOV.UK, updated 18 November 2025.

- Information Commissioner’s Office, ‘Rights related to automated decision-making including profiling’, ICO guidance.

- Department for Science, Innovation and Technology, ‘Data (Use and Access) Act factsheet: UK GDPR and DPA’, GOV.UK, 27 June 2025.

- Data (Use and Access) Act 2025, legislation.gov.uk.

- Hedley Byrne & Co Ltd v Heller & Partners Ltd [1964] AC 465.

- Caparo Industries plc v Dickman [1990] 2 AC 605.

- Esso Petroleum Co Ltd v Mardon [1976] QB 801.

- Smith v Eric S Bush [1990] 1 AC 831.

- Director General of Fair Trading v First National Bank plc [2001] UKHL 52.

- Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11.

Author workflow disclosure

This article was produced through an AI-assisted but human-directed workflow. AI support was used for accessibility assistance, article structuring, language refinement, source-discovery prompts, revision planning, and conversion of editorial comments into specific amendments. The author retained responsibility for the argument, accepted or rejected suggested changes, checked the logic of the claims, and remained accountable for the final text. AI-generated material was not treated as empirical evidence, and synthetic or illustrative examples were not presented as observed data.

Image note

The image accompanying this article is AI-generated and is intended for illustration purposes only.

CONTACT

© 2026 Dr Danie Adendorff. All rights reserved. Rumbls.com is an independent analytical blog.

TERMS AND CONDITIONS

DISCLAIMER

COOKIE POLICY

PRIVACY POLICY