AI: Basic Contractual & Privacy Issues

And no, ChatGPT did not write this for me

Artificial Intelligence, or as I like to call it “Big Data plus Machine Learning plus Awkward Chat at the Level of a Well-Read College Junior,” keeps popping up in my privacy practice. Here are a few AI & Privacy issues I've dealt with lately:

1. AI as Content Creator

If your business involves content creation, whether multimedia or text, the FTC has its eye on you. In this report submitted to Congress last June, the FTC gave guidance on how a business should present the fruits of AI’s labor. The FTC is especially concerned with companies using their customer data to feed AI’s content creation.

In short, tell your audience your content involves or was generated by AI, do not represent that the content you generate is created by a real person, and be as transparent as possible about your sources, process, and uses of AI.

More importantly, disclose and get consent for all of the above in your Privacy Policy and Terms of Use, respectively. If you’re going to use customer data to train your AI, get affirmative express consent from your customer for ALL uses of their data, lest the FTC decide your general consent is not sufficient. The FTC has indicated that a lack of transparency regarding AI’s functions, or misrepresentation about the authenticity of AI-generated content, may constitute unfair competition and/or deceptive trade practices.

While full algorithmic transparency is not federal law yet, the ADPPA before the Senate is a strong indicator that the U.S. will eventually follow the EU’s Digital Services Act in regulating AI decision making. Even the California AG has gotten in on algorithmic transparency, asking California hospitals for information on possible AI biases. More on algorithmic transparency in my next post.

2. AI as Third Party Data Processor

Plugins to AI from a SaaS offering or cloud service have become popular, one idea being that bolting on an AI will help customers leverage their data for efficiency and data insights. But if you enable your customers to share their personal information with OpenAI, you might violate your own privacy policy and/or your customer contracts.

OpenAI’s Privacy Policy does not directly address plugins, but the nature of AI is to process data to improve its algorithm and weighting (“We may use Personal Information . . . to provide, administer, maintain and/or analyze the Service”). In other words, OpenAI will use any personal data that you provide it. This is not news, but if your customers agree to provide their data to ChatGPT, what’s the harm?

 

A. Privacy Policies. Many privacy policies contain clauses to the effect of “we will not share your personal information with third parties except with your consent or for the purpose of providing services to you.” The issue here with respect to ChatGPT is that it does not just use your personal information to provide services to you; it incorporates your data into its own service and sells it, making privacy policy clauses like the above misleading at best, misrepresentation at worst. Therefore, check your privacy policy and update it accordingly before you give your customers the ability to process data using a third-party AI.

B. Many enterprise contracts contain similar clauses prohibiting a service provider, especially SaaS, from giving third parties access to their data without prior written consent. Therefore, enabling AI to process customer data without your customer’s consent would breach such a clause. The fix is not difficult in concept: an amendment to your contract carving out sharing for AI purposes and indemnifying your business from your customer’s use of the AI. The difficulty arises in implementing this change at scale; renegotiating large contracts is sensitive, and the bigger the counterparty, the longer it will take.

C. Sharing customer data with an AI may also be considered a data breach under the terms of many data processing addenda (each a “DPA”) because many DPAs define “breach” as “any accidental or unauthorized third-party access, acquisition, use, modification, disclosure, loss, destruction of or damage to Personal Information.” Similar to editing your privacy policy and main contracts, editing your DPA will be crucial before implementing an AI plugin; furthermore, the stakes are higher with data breaches because most large-company DPAs do not have limitations of liability for data breaches.

 If you need help with AI contracts or privacy by design, email me at Codevilla@skandslegal.com.
