Is AI up to the task?
Continue reading to find out the results.
We utilized four distinct prompts with ChatGPT’s paid version GPT-4 (accessible through OpenAI’s API for paying customers), refining each prompt to optimize the response.
Here is what we found:
- Lacks data collection specifics: The policy does not categorize or enumerate the types of personal information gathered, the methods and sources used to collect it, or the legal bases that permit collection.
- Insufficient transparency: It provides limited insight into data retention schedules, onward sharing practices, and security mechanisms and uses vague, generic language without naming data recipients, retention periods, or encryption methods.
- Lacks clarity: While offering the choice to opt out of communications, the policy does not elaborate on processes for rights requests or detail cookie handling and tracking techniques other than email subscriptions. Even for emails, it isn’t clear the type of emails that will be sent out to the users. It avoids any mention of international data transfers or procedures for breach notification.
By not scoping data practices, third-party dealings, and technological capacities, the policy avoids compliance responsibility, which is risky.
ChatGPT does give a disclaimer in the beginning that this is only a generic template.
Better, but not quite there yet.
Here are some key GDPR requirements missing from the policy content:
- Transparency and fairness: Fails standards around outlining the specific data collected, the processes applied, and the third parties it is shared with – non-compliant with Articles 12-14.
- Legal bases & consents: Does not detail legal bases or consent flows for each processing activity as mandated under Articles 6, 7, and 13.
- Purpose and storage limitation: Takes a broad approach to data usage without specific retention periods – conflicts with the Article 5 purpose limitation and storage limitation principles.
- Data subject rights: Lists rights like access and erasure generically, without accompanying fulfillment mechanisms and timelines – non-compliant with Articles 15-22 and Recital 59.
- International data transfers: No transparency provided into cross-border data flows and protection mechanisms – undermines Article 13(1)(f).
- Security of processing: Sparse details on security controls like encryption – lacks alignment with Article 32 requirements.
Now, let’s try CCPA.
This policy is not CCPA-compliant.
- Lacks specifics: It provides almost no detail on the types of data collected or their sources.
- Lacks proper disclosures: It does not address the CCPA requirement to disclose the categories of third parties to whom data is sold, or the requirement that service providers and contractors maintain reasonable security procedures and practices. With no information provided on security practices or third-party disclosures, it falls short on this aspect. The policy is also completely silent on retention periods, so consumers have no visibility into how long the website will retain their personal data.
- Omission of opt-out rights: This is concerning, since opt-out rights are one of the cornerstones of CCPA. There is no mention of how users can opt out of the sale or sharing of their personal information.
Since none of these are yielding fruitful results, let’s take a different approach.
Here is a high-level analysis:
Compliance with CCPA
- Lacks specifics on consumer rights: It does not explicitly mention the right to opt out of the sale of personal information, the right to deletion, or the right to non-discrimination, all of which are required under CCPA.
- No contact information for requests: It does not provide any instructions or contact information for consumers to submit requests to exercise their CCPA rights, which is required.
- No retention periods specified: It fails to specify any retention periods for personal data, which should be documented under CCPA.
Compliance with GDPR
- Legal basis for processing: It does not specify the legal basis for processing the different categories of data, as required under Article 6.
- Data retention: No specific retention periods are mentioned, as required under Article 5(1)(e).
- Right to erasure: The right to erasure is mentioned but not described as detailed in Article 17.
- International transfers: International transfers get only a very brief mention; more detail is required under Articles 44-50.
- Security measures: The policy is light on the specifics of the security measures in place, as mandated under Article 32.
As of February 2024, ChatGPT-4 showed significant limitations as a policy generator, though we expect AI to continue learning and improving over time.
- Legal gaps: As AI tools do not have the same legal training and judgment as human experts, the policies they generate may contain gaps or inconsistencies. This could put an organization at compliance and legal risk.
- Inefficiency: The back-and-forth prompting and corrections often take longer than using a template. Further lawyer review is still advisable given the limitations.
- Potential bias: The datasets used to train AI tools may carry their own biases, which will be reflected in the generated content. Certain types of practices or uses of vulnerable data may not be adequately addressed.
In summary, despite tweaks, ChatGPT-generated policies remained basic and generic with glaring omissions. The policies will require extensive editing and careful legal review. These results are unsurprising since we didn’t provide website-specific details or the ability for ChatGPT to crawl the site to find such data-handling information. You will need to provide each detail of how your website deals with user data, which is a time-consuming process as you will have to spell out everything for the AI to generate a close-to-compliant policy.
Website-specific privacy policies via CookieYes
- Information on company and website: Basic information about your business, such as name, website, and location.
- Collection of data: Information about the kind of personal information that is collected from your users.
- Use and disclosure of data: Disclosure of the purpose for which you collect personal information from your users.
- Tracking technologies: Disclosure of tracking technologies you may use, such as cookies.
- Data protection: Information about how users can contact you for data protection or privacy-related purposes.
These categories have several individual questionnaires under them that will help create comprehensive content for your policy page. And this doesn’t take a lot of time. Once you are done answering them, the platform will generate the required content which you can then copy as text or as HTML and add to your website.
However, as with any autogenerated document, CookieYes policies may still require some review. The benefit is that policies generated by CookieYes provide an excellent starting point and framework that is far more detailed and website-specific than a pure AI-generated policy. You have the technical ease of automated generation paired with human oversight at key checkpoints.
What is AI?
Artificial intelligence (AI) refers to machines demonstrating abilities like learning and language processing traditionally unique to humans. ChatGPT-4 exemplifies this through its convincing human-like conversations. By analyzing millions of texts, it can generate essays, code, and even legal documents like privacy policies.
Does AI have privacy risks?
It is no secret that AI tools pull data from all corners of the web to train their models. While this data is used to generate useful content, especially by generative AI tools, it raises several privacy risks. Any personal data collected during your interaction with an AI tool may be used by its system to generate sensitive information, which may result in privacy violations.
What are the privacy risks of ChatGPT?
OpenAI collects a wide range of personal information through ChatGPT including account information, content/messages, device details, etc. This data could be subject to unauthorized access or misuse.
The company may share personal information with vendors, service providers, affiliates, and other third parties which presents privacy risks.
Additionally, there is a risk that OpenAI’s models could reveal factually inaccurate personal information about users which may be difficult to correct or remove in some cases.
Does ChatGPT store your data?
Yes, OpenAI stores a variety of personal data including account details, messages, content, device information, and usage data when you interact with ChatGPT. Data may be stored by OpenAI for legitimate purposes such as improving services, analytics, legal obligations, etc.
Can people see what I type in ChatGPT?
No, your individual chat sessions in ChatGPT are private and not viewable by any other users or by OpenAI. The AI model generates responses based only on the input you provide within an individual session, which is isolated from all other chats.