Categorizing data as “sensitive” is a common feature in U.S. state privacy law, as well as the EU’s GDPR (which uses the term “special category” for similar personal data).[1] What is considered sensitive data varies from state to state, as do the obligations that come with it. Colorado, Connecticut, Florida, Indiana, Montana, Oregon
Personal information
Aug. 30 EVENT | Arizona SHRM 2023 Bold Annual Conference
On Aug. 30, 2023, GT Data Privacy & Cybersecurity Practice Shareholders David Zetoony, Lily McNulty, and Tyler Thompson will present the session “Artificial Intelligence in the Workplace and HR and Data Protection: Safeguarding Company, Customer, and Employee Information” at the Arizona Society for HR Management (AZSHRM) 2023 Annual State Conference. The conference…
EEOC Secures First Workplace Artificial Intelligence Settlement
On Aug. 9, 2023, a tutoring company agreed to pay $365,000 to settle an artificial intelligence (AI) lawsuit with the Equal Employment Opportunity Commission (EEOC). The settlement comes on the heels of multiple EEOC warnings to employers about potential discrimination associated with the use of AI for hiring and workplace decisions.
Under the GDPR, do companies that transmit personal information to an AI need to minimize the amount of time that data is retained?
The term “data minimization” generally refers to two requirements within the GDPR: (1) a company should only collect and process personal data that is “necessary” in relation to its purpose, and (2) a company should keep data for “no longer than is necessary for [that] purpose[].”[1] Put differently, a company should only collect what…
Under the GDPR, what information should an organization put in its record of processing activities if it is processing personal data using an AI (i.e., putting personal information into AI prompts)?
Data is typically added to an AI to explain a problem, situation, or request (“input data”). Some popular AI models refer to input data by the term “prompt” as the user is prompting the AI to initiate an action, or to create additional information. Prompts can take different forms such as text prompts or image…
Under the GDPR, what lawful purposes can an organization rely upon when processing personal information with an AI (i.e., putting personal information into an AI prompt)?
Data is typically added to an AI to explain a problem, situation, or request (“input data”). Some popular AI models refer to input data by the term “prompt” as the user is prompting the AI to initiate an action, or to create additional information. Prompts can take different forms such as text prompts or image…
Under the GDPR, is an organization required to distribute its privacy notice to every individual whose information is used to train an AI?
Under the GDPR, controllers are required to provide information relating to what personal information they process, and how that processing takes place.[1] Data is typically needed to train and fine-tune modern artificial intelligence models. If that training data contains personal information, an organization is required to include a description of that processing in its…
California Privacy Regulators Move Forward with Enforcement of the CCPA
Following on the heels of a California Superior Court’s last-minute ruling that stayed enforcement of the revised California Consumer Privacy Act (CCPA) regulations, as previously discussed on this blog, California’s data privacy regulators have responded in ways that confirm they are more committed than ever to holding businesses accountable for alleged violations…
Managing Personal Information Roles in the Franchise Relationship: New Privacy Laws Mean Ensuring the Right Processing Roles Is More Important than Ever
Personal information in the franchise relationship is an asset now more than ever. Whether the personal information is customer data, employee data, device data, loyalty and rewards data, or otherwise, and regardless of the method of collecting the data, managing such personal information once collected is a crucial part of the franchise relationship.
Under the GDPR, does a company that uses personal information to train an AI need to allow individuals to request that their information be removed from the training data?
Europe’s General Data Protection Regulation (GDPR) allows individuals to request that their information be deleted in the following situations:[1]
- Companies must delete data upon request if the data was processed based solely on consent. The GDPR recognizes that companies may process data based on six alternate lawful grounds.[2] One of these is where