Not necessarily. 

Under the GDPR, controllers are required to provide information relating to what personal data they process, and how that processing takes place. 

If the personal data the organization includes in AI prompts has been collected directly from individuals, those individuals should be provided with a copy of the organization’s privacy notice “at the

When Implementing New Privacy Requirements, Don’t Forget User Perception

Recent events involving famous podcaster and comedian Joe Rogan and fitness device company Polar are a lesson in the delicate balancing act businesses face between privacy compliance and a positive user experience.

Joe Rogan screengrab of Polar Private Notice and Temporary Account Lock

A Backdrop of New Privacy Norms

Considering new and stringent privacy regulations, companies are

Under the GDPR controllers are required to provide information relating to what personal information they process, and how that processing takes place.[1] Data is typically needed to train and fine-tune modern artificial intelligence models. If that training data contains personal information, an organization is required to include a description of that processing in its

Under the GDPR, controllers are required to provide individuals with information relating to what personal information is processed, and how that processing takes place.[1] Some supervisory authorities have specifically taken the position that companies which use personal information to train an artificial intelligence (AI) must draft and publish a privacy notice that provides “data

Modern data privacy statutes require that organizations inform individuals about the organization’s privacy practices by creating a privacy notice (sometimes referred to as a privacy policy or a notice at collection). Some data privacy statutes provide specific directions regarding how the privacy notice must be distributed. For example, the California Consumer Privacy Act and the

The CCPA requires businesses that sell personal information to explain that consumers have a right to opt-out of the sale[1] and provide a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information” that takes the consumer to a mechanism that permits them to exercise their opt-out right.[2] If

The regulations implementing the CCPA require that a business verify the identity of a consumer that submits a specific-information access request to a “reasonably high degree of certainty.”[1] The regulations provide as an example matching three pieces of personal information provided by the consumer with three pieces of personal information maintained by the business

The CCPA Regulations require that businesses that buy, receive, sell, or share personal information about more than 10 million Californians disclose metrics within their privacy notices regarding the speed with which they respond to the data subject requests that they received in the previous calendar year. Among other things, businesses must report the average or

The CCPA Regulations require that businesses that buy, receive, sell, or share personal information about more than 10 million Californians disclose metrics within their privacy notices regarding the quantity of data subject requests that they received in the previous calendar year. Among other things, businesses must publicly report the number of access and deletion requests

The CCPA Regulations require that businesses that buy, receive, sell, or share personal information about more than 10 million Californians disclose metrics within their privacy notices regarding the quantity of data subject requests that they received in the previous calendar year. Among other things, if a business offers a do not sell my personal information