Is AI up to the task?

Imagine an AI smart enough to write an accurate, legally compliant privacy policy tailored to your specific data collection practices. This could save businesses countless hours and legal fees. But should you entrust vital legal safeguards to an algorithm? We put the most widely used generative AI tool, ChatGPT (GPT-4), to the test.

Continue reading to find out the results.

Testing ChatGPT’s AI privacy policy

We used four distinct prompts with ChatGPT's paid GPT-4 model (also accessible through OpenAI's API for paying customers), refining each prompt to get the best response we could.

#1 Generic AI privacy policy

Prompt: Write a privacy policy for cookieyes.com

Result: AI-generated policy (not reproduced here)

Here is what we found:

  • Lacks data collection specifics: The policy does not categorize or enumerate the types of personal information gathered, the methods and sources used to collect it, or the legal bases that permit collection.
  • Insufficient transparency: It offers little insight into data retention schedules, onward sharing practices, or security mechanisms, and uses vague, generic language without naming data recipients, retention periods, or encryption methods.
  • Lacks clarity: While it offers the choice to opt out of communications, the policy does not explain the process for rights requests, and the only cookie or tracking technique it addresses is email subscriptions. Even for emails, it does not say what type of emails users will receive. It makes no mention of international data transfers or breach notification procedures.

By leaving data practices, third-party relationships, and technical measures unscoped, the policy sidesteps the concrete disclosures that compliance requires, which exposes the business to risk.

ChatGPT does add a disclaimer at the beginning that this is only a generic template.

Now let's ask for a law-specific privacy policy and see how GPT-4 does.

#2 GDPR-compliant privacy policy

Now let’s try asking ChatGPT AI to generate a GDPR-compliant privacy policy.

Prompt: Write a GDPR-compliant privacy policy for cookieyes.com

Result: AI-generated policy (not reproduced here)

Better, but not quite there yet.

Here are some key GDPR requirements missing from the policy content:

Transparency and fairness

Does not set out the specific data collected, the processing applied, or the third parties it is shared with, falling short of the information requirements in Articles 12-14.

Legal bases & consents

Does not identify the legal basis or consent flow for each processing activity, as Articles 6, 7, and 13 require.

Data minimization

Describes data use broadly and gives no specific retention periods, conflicting with the Article 5(1) purpose limitation, data minimisation, and storage limitation principles.

Data subject rights

Lists rights such as access and erasure generically, without the fulfilment mechanisms and timelines called for by Articles 15-22 and Recital 59.

International data transfers

Gives no information about cross-border data flows or the safeguards protecting them, contrary to Article 13(1)(f).

Security of processing

Says almost nothing about security controls such as encryption, giving no indication of the measures Article 32 requires.

In summary, the gaps around transparency, legal-basis linkage, data minimisation, rights procedures, overseas transfers, and security protections show that the ChatGPT-generated privacy policy falls short of multiple GDPR statutory expectations. The policy requires significant revision before it could be called compliant.

Now, let’s try CCPA.

#3 CCPA-compliant privacy policy

Prompt: Write a CCPA-compliant privacy policy for cookieyes.com

Result: AI-generated policy (not reproduced here)

This policy is not CCPA-compliant.

Here’s why:

  • Lacks specifics: The policy gives almost no detail on the categories of data collected or their sources.
  • Lacks proper disclosures: It does not address the CCPA requirement to disclose the categories of third parties to whom data is sold, nor the requirement that service providers and contractors maintain reasonable security procedures and practices. With no information on security practices or third-party disclosures, it falls short on both counts. The policy is also completely silent on retention periods, so consumers have no way of knowing how long the website will keep their personal data.
  • Omission of opt-out rights: This is the most concerning gap, since opt-out rights are one of the cornerstones of the CCPA. There is no mention of how users can opt out of the sale or sharing of their personal information.

In essence, the ChatGPT-generated privacy policy covers some high-level CCPA requirements but misses critically important details around security, service providers, retention, and opt-out rights that would demonstrate CCPA-aligned privacy practices. The content requires significant enhancement to reach a compliant state.

Since none of these prompts is yielding fruitful results, let's take a different approach.

#4 GDPR and CCPA-compliant privacy policy

We tried asking ChatGPT to merge the requirements for privacy policy by GDPR and CCPA to create a compliant privacy policy.

Prompt: Merge GDPR and CCPA requirements into one compliant policy for cookieyes.com

Result: AI-generated policy (not reproduced here)

Here is a high-level analysis:

Compliance with CCPA

  • Lacks specifics on consumer rights: It does not explicitly mention the right to opt out of the sale of personal information, the right to deletion, or the right to non-discrimination, all of which the CCPA requires.
  • No contact information for requests: It gives consumers no instructions or contact details for submitting requests to exercise their CCPA rights. This is required.
  • No retention periods specified: It fails to specify any retention periods for personal data, which the CCPA requires to be disclosed.

Compliance with GDPR

  • Legal basis for processing: It does not specify the legal basis for processing each category of data, as Article 6 requires.
  • Data retention: No specific retention periods are given, contrary to the storage limitation principle in Article 5(1)(e).
  • Right to erasure: It mentions the right to erasure but does not describe it as Article 17 requires.
  • International transfers: International transfers get only a brief mention; the safeguards described in Articles 44-50 need to be spelled out.
  • Security measures: The policy is light on the specifics of the security measures in place, as mandated under Article 32.

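The gap analysis above is essentially a checklist: does the draft mention each disclosure the GDPR and CCPA require? That first pass can be scripted so a reviewer sees the missing items before reading the draft. The script below is an added example, not CookieYes code and not part of the original test; the regular expressions are assumptions about typical policy wording, the cited provisions are those named in this article, and the sample policy text is constructed to resemble the generic output described above, not the actual ChatGPT output. A match only proves a topic is mentioned, not that the wording is legally adequate, so treat it as a gate before legal review, not a substitute for it.

```python
"""First-pass checklist audit of a generated privacy policy.

Added example (not CookieYes code). Each checklist entry pairs a disclosure
requirement with the provision cited in the article and a few regexes that
indicate the topic is at least mentioned. The regexes are heuristic assumptions
about common wording; absence of a match means "probably missing", presence
means "mentioned", never "compliant".
"""
import re

# (requirement, provision, patterns): the item counts as present if any
# pattern matches, case-insensitively.
CHECKLIST = [
    ("categories of personal data collected",
     "GDPR Art. 13(1)(c), Art. 14; CCPA 1798.130(a)(5)",
     [r"categor(?:y|ies) of personal (?:data|information)"]),
    ("legal basis for each processing activity",
     "GDPR Art. 6, Art. 13(1)(c)",
     [r"legal bas[ie]s", r"lawful bas[ie]s", r"legitimate interests?"]),
    ("retention period",
     "GDPR Art. 5(1)(e), Art. 13(2)(a); CCPA 1798.100(a)(3)",
     [r"retain(?:ed)?\s+(?:for|until)", r"retention period",
      r"\b\d+\s+(?:days|months|years)\b"]),
    ("recipients / third parties data is shared with",
     "GDPR Art. 13(1)(e); CCPA 1798.130(a)(5)",
     [r"categor(?:y|ies) of (?:third part(?:y|ies)|recipients)",
      r"service providers?"]),
    ("international transfer safeguards",
     "GDPR Art. 13(1)(f), Arts. 44-50",
     [r"standard contractual clauses", r"adequacy decision",
      r"transfer(?:red)? (?:outside|to) the (?:EEA|European)"]),
    ("data subject rights and how to exercise them",
     "GDPR Arts. 15-22",
     [r"right to (?:access|erasure|rectification)"]),
    ("CCPA opt-out of sale or sharing",
     "CCPA 1798.120, 1798.135",
     [r"do not sell (?:or share )?my personal information",
      r"opt[- ]out of (?:the )?(?:sale|sharing)"]),
    ("contact details for privacy requests",
     "GDPR Art. 13(1)(a); CCPA 1798.130",
     [r"[\w.+-]+@[\w-]+\.[\w.]+", r"contact us"]),
    ("security measures",
     "GDPR Art. 32",
     [r"encrypt", r"security measures", r"TLS|HTTPS"]),
]


def audit_policy(text: str) -> dict:
    """Return {'present': [requirements], 'missing': [(requirement, provision)]}."""
    present, missing = [], []
    for requirement, provision, patterns in CHECKLIST:
        if any(re.search(p, text, re.IGNORECASE) for p in patterns):
            present.append(requirement)
        else:
            missing.append((requirement, provision))
    return {"present": present, "missing": missing}


def coverage_score(text: str) -> float:
    """Fraction of checklist items mentioned at all (a gate, not a verdict)."""
    return len(audit_policy(text)["present"]) / len(CHECKLIST)


# Constructed sample in the style of the generic draft described above.
GENERIC_POLICY = """
Privacy Policy for example.com
We collect information you provide when you subscribe to our newsletter.
We use this information to send you updates. You may opt out of emails at
any time. We take security seriously. If you have questions, contact us.
"""

if __name__ == "__main__":
    report = audit_policy(GENERIC_POLICY)
    for requirement, provision in report["missing"]:
        print(f"MISSING: {requirement} ({provision})")
    print(f"coverage: {coverage_score(GENERIC_POLICY):.0%}")
```

Run against the constructed sample, the only item that passes is the contact line ("contact us"), and "we take security seriously" correctly fails the security check because it names no measure. Extending the checklist is a matter of adding a tuple; the real work remains the human review of whatever does match.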
Read: Privacy policy template for GDPR and CCPA (with examples)

Limitations of AI-generated privacy policy

As of February 2024, GPT-4 showed significant limitations as a policy generator, though we expect AI tools to keep improving over time.

  • Limited information: AI tools may not be able to capture the nuances required for an effective privacy policy across different jurisdictions and use cases. This could result in policies that are generic and fail to address specific privacy practices adequately.
  • Legal gaps: As AI tools do not have the same legal training and judgment as human experts, the policies they generate may contain gaps or inconsistencies. This could put an organization at compliance and legal risk.
  • Inefficiency: The back-and-forth prompting and corrections often take longer than using a template. Further lawyer review is still advisable given the limitations.
  • Potential bias: The datasets used to train AI tools carry their own biases, which show up in the generated content. Certain practices, or uses of sensitive categories of data, may not be adequately addressed.

In summary, despite tweaks to the prompts, the ChatGPT-generated policies remained basic and generic, with glaring omissions. They would require extensive editing and careful legal review. These results are unsurprising, since we gave ChatGPT no website-specific details and it cannot crawl the site to find data-handling information for itself. You would need to supply every detail of how your website handles user data, and spelling all of that out for the AI is itself a time-consuming process, even to get a close-to-compliant policy.

Even with very detailed inputs, expert input may still be needed to finalize the policy. AI tools can aid efficiency by providing draft policies, but adopting those documents without careful examination poses significant compliance risks. Compare OpenAI's own privacy policy, which is very detailed and was likely vetted by legal experts.

Read:

  • GDPR fines imposed on companies such as WhatsApp for violations including ambiguous privacy policy
  • CCPA enforcement actions against companies that violated privacy policy disclosure

Website-specific privacy policies via CookieYes

If you are looking to create an outline for your website’s privacy policy, you can go ahead and make use of AI tools. But for website-specific details, you still need human intervention or a tool like CookieYes that will let you input the required specifics through its questionnaire and handle generating the legally compliant policy document.

  • Information on company and website: Basic information about your business, such as name, website, and location.
  • Collection of data: Information about the kind of personal information that is collected from your users.
  • Use and disclosure of data: Disclosure of the purpose for which you collect personal information from your users.
  • Tracking technologies: Disclosure of tracking technologies you may use, such as cookies.
  • Data protection: Information about how users can contact you for data protection or privacy-related purposes.

These categories have several individual questionnaires under them that will help create comprehensive content for your policy page. And this doesn’t take a lot of time. Once you are done answering them, the platform will generate the required content which you can then copy as text or as HTML and add to your website.


However, as with any autogenerated document, CookieYes policies may still require some review. The benefit is that policies generated by CookieYes provide an excellent starting point and framework that is far more detailed and website-specific than a pure AI-generated policy. You have the technical ease of automated generation paired with human oversight at key checkpoints.

FAQ on AI privacy policy

What is AI?

Artificial intelligence (AI) refers to machines demonstrating abilities like learning and language processing traditionally unique to humans. ChatGPT-4 exemplifies this through its convincing human-like conversations. By analyzing millions of texts, it can generate essays, code, and even legal documents like privacy policies.

Can ChatGPT create a privacy policy?

ChatGPT can create a privacy policy based on your provided prompts. However, the effectiveness of the privacy policy generated depends on the clarity and specificity of your instructions. It’s important to review the generated content and consult with legal professionals to ensure that it aligns with your specific business practices and complies with relevant laws and regulations in your jurisdiction.

Does AI have privacy risks?

It is no secret that AI tools pull data from all corners of the web to train their models. This is what lets generative AI produce useful content, but it also raises privacy risks. Personal data you enter while interacting with an AI tool may be retained by the provider and used to train or improve the model, and can resurface in later outputs, which may amount to a privacy violation.

What are the privacy risks of ChatGPT?

OpenAI collects a wide range of personal information through ChatGPT including account information, content/messages, device details, etc. This data could be subject to unauthorized access or misuse.

The company may share personal information with vendors, service providers, affiliates, and other third parties which presents privacy risks.

Additionally, there is a risk that OpenAI’s models could reveal factually inaccurate personal information about users which may be difficult to correct or remove in some cases.

Does ChatGPT store your data?

Yes, OpenAI stores a variety of personal data including account details, messages, content, device information, and usage data when you interact with ChatGPT. Data may be stored by OpenAI for legitimate purposes such as improving services, analytics, legal obligations, etc.

Can people see what I type in ChatGPT?

Other users cannot see your chats: each conversation is private to your account, and the model's responses are based on the input you provide within that session rather than on other users' chats. OpenAI itself is a different matter. As noted above, it stores your messages, and under its privacy policy it may review them and, unless you opt out, use them to train and improve its models. Treat anything you type into ChatGPT as data shared with OpenAI, not as a private workspace.