Not necessarily. 

Under the GDPR, controllers are required to provide information relating to what personal data they process, and how that processing takes place. 

If the personal data the organization includes in AI prompts has been collected directly from individuals, those individuals should be provided with a copy of the organization’s privacy notice “at the

Under the GDPR, controllers are required to provide individuals with information relating to what personal data is processed, and how that processing takes place. Some supervisory authorities have specifically taken the position that organizations which use personal data to train an artificial intelligence (AI) must draft and publish a privacy notice that provides “data subjects

Data is typically needed to train and fine-tune modern artificial intelligence (AI) models. AI can use data—including personal information—to recognize patterns and predict results.

The GDPR permits controllers to process personal information if one (or more) of the following six lawful processing purposes applies:[1]

  1. Consent. A company may process personal information if it collects

When Implementing New Privacy Requirements, Don’t Forget User Perception

Recent events involving famous podcaster and comedian Joe Rogan and fitness device company Polar are a lesson in the delicate balancing act businesses face between privacy compliance and a positive user experience.

Joe Rogan screengrab of Polar Private Notice and Temporary Account Lock

A Backdrop of New Privacy Norms

Considering new and stringent privacy regulations, companies are

Most modern U.S. state data privacy laws exempt from their definition of personal information “publicly available information.” What constitutes publicly available information differs between state privacy laws and may not correlate to the lay definition understood by many businesses and individuals. For example, while some businesses may consider information that is available on the internet

Probably not.

Under the European GDPR, if the personal information that an organization is going to use as part of training an AI has been collected directly from individuals, then those individuals should be provided with a copy of the organization’s privacy notice “at the time when personal data are obtained.”[1] If the personal

Categorizing data as “sensitive” is a common feature in U.S. state privacy law, as well as the EU’s GDPR (which uses the term “special category” for similar personal data).[1] What is considered sensitive data varies from state to state, as well as the obligations that come with it. Colorado, Connecticut, Florida, Indiana, Montana, Oregon

On Aug. 30, 2023, GT Data Privacy & Cybersecurity Practice Shareholders David Zetoony, Lily McNulty, and Tyler Thompson will present the session “Artificial Intelligence in the Workplace and HR and Data Protection: Safeguarding Company, Customer, and Employee Information” at the Arizona Society for HR Management (AZSHRM) 2023 Annual State Conference. The conference

On Aug. 9, 2023, a tutoring company agreed to pay $365,000 to settle an artificial intelligence (AI) lawsuit with the Equal Employment Opportunity Commission (EEOC). The settlement comes on the heels of multiple EEOC warnings to employers about potential discrimination associated with the use of AI for hiring and workplace decisions.

Continue reading the full