
AI criteria: Notice and Choice

Providing a privacy notice to individuals about how their data is collected and processed is not a foreign concept to privacy professionals. We need to detail what information is collected, how it is used and shared, and what rights subjects have, and give them some way to ask questions, make comments, and provide feedback to us. Artificial Intelligence is no different for us in this regard.

While my previous blogs in this series have been longer than usual, this particular topic is decidedly simpler. If your organization decides to process information of customers or employees using artificial intelligence, then a notice is needed to tell them about that. AI use should be called out specifically, and the notice should include information about how the algorithm or program works generally. We do not need to provide every detail of every calculation or decision, but subjects should understand at a high level how it is making decisions.

Most important are the rights you give to data subjects. The General Data Protection Regulation has Article 22, which allows a data subject to request that their data not be processed in such a way that a decision is made without human intervention. To this end, you will need to include language in your notice stating that individuals can opt out of artificial intelligence being used to process their data. Taking this a step further, you could ask individuals to opt in to the use of artificial intelligence, making sure that only those who are willing have their data processed this way.

This is all meant to consider processing that uses an AI, but what about training that AI? Some people may not want their data touching an AI at all, whether it is used to order products or to train that AI to work correctly. In order to be transparent and ensure that any individual’s privacy rights are respected, you should not use their data in any way that they object to, and that would include training the AI in this case. This could also help in avoiding issues down the line. Many lawsuits have been launched in response to AI being trained on the intellectual property of writers or songwriters and singers.

If your organization begins using AI, or will be training an AI with personal information, think about an active delivery of a privacy notice specific to that processing. Give data subjects the chance to opt out of AI processing or at least ask questions if they want. This way, once you begin processing, there are no surprises and everyone has been given the chance to withdraw.

When it comes to AI, you will need to notify your data subjects. I would even recommend that you go out of your way to explicitly call out the use of AI on its own, separate from any other processing. This way, you not only respect the privacy of the data subject but also ensure the honesty and integrity of your organization’s own reputation.

