Skip to content

Probably not.

Under the European GDPR, if the personal information that an organization is going to use as part of training an AI has been collected directly from individuals, then those individuals should be provided with a copy of the organization’s privacy notice “at the time when personal data are obtained.”[1] If the personal information that the organization is going to use as part of training an AI has been collected from a third-party source (e.g., scraped from the internet or received from another controller), then the GDPR generally permits the controller (with a few exceptions) to provide a copy of its privacy notice “within a reasonable period, but at latest within one month” after the data is collected.[2] The latter requirement is memorialized within GDPR Article 14.

Modern U.S. privacy laws also generally require that a privacy notice be distributed to data subjects from whom information is directly collected. Modern U.S. privacy laws do not, however, have a direct equivalent to GDPR Article 14 and, therefore, ambiguity exists whether an organization must distribute its privacy notice to data subjects with whom it has no direct connection.

The CPRA is one of the only modern statutes that appears to directly address the situation of indirectly collected data. The regulations implementing the CPRA specifically state that an organization is not required to distribute its privacy notice when information is collected indirectly (e.g., scraped from the internet) so long as the organization that collected that data does not attempt to sell it or share it for cross-context behavioral advertising.[3] If selling or cross-context behavioral advertising is envisioned, the organization is still not required to distribute its privacy notice to data subjects so long as it registers with the state of California as a data broker.[4]

Other modern U.S. privacy statutes simply state that a controller is required to “provide consumers with a reasonably accessible, clear, and meaningful privacy notice,” but draw no distinction between direct information collections and indirect information collections; nor do those statutes explain what it means to be “reasonably accessible.”[5] Although it has not addressed the topic directly, Colorado has implied in the regulations implementing the Colorado Privacy Act that the “reasonably accessible” requirement is met where a controller publishes its privacy notice online.[6]

[1] GDPR, Article 13(1).

[2] GDPR, Article 14(3)(a).

[3] CPRA Regulation 7012(h) (2023).

[4] CPRA Regulation 7012(i) (2023).

[5]See, e.g., Va. Code 59.1-578(C); C.R.S. 6-1-1308(1)(a); Del. Code 12D-106(c).

[6] 4 CCR 904-3, Rule 6.02(E)(1) (2023).