Basic Data Privacy Hygiene and AI: Do What You Say and Say What You Do

By: Nicole Kardell

Our Privacy Team has been saying this for years –Do What You Say and Say What You Do.[1]  It’s an enduring maxim and an important basic step that companies need to embrace in their data collection practices.  It also fits in neatly with the concepts of Notice and Consent, which are the hallmarks of almost all data privacy laws.  Remarks made recently in a keynote by FTC Commissioner, Alvaro Bedoya at the IAPP Global Privacy Summit in Washington, D.C. echoed our refrain.  While Bedoya spoke in the context of generative artificial intelligence (a huge buzzword in the privacy community these days), his words underscored how important it is for companies to ensure their privacy policies, data collection notices, and consents reflect their practices.

While privacy experts are prognosticating about how regulators are going to handle AI, Bedoya said that existing law already has it covered: “The reality is AI is regulated (in the U.S.). Unfair and deceptive trade practices laws apply to AI…If a company makes a deceptive claim using or about AI, that company can be held accountable.”  He was referring to Section 5 of the FTC Act, which gives the FTC enforcement authority over companies that make false or deceptive claims (specifically, “unfair or deceptive acts or practices.”).  The FTC has long held—and enforced—that companies’ privacy policies must match their practices.

There is a twist, however, in the context of AI: In order to provide individuals effective notice, you have to have a reasonable understanding of the technology.  In this vein, Bedoya called on companies to be proactive, transparent, and weed out potential risks when using AI.  With new technologies, perhaps especially AI, this means thoughtful adoption and use.  Afterall, if you do not know what the technology can or is likely to do, you cannot provide adequate notice to people.

Perhaps AI skeptics were frustrated that Bedoya did not announce plans for a new and rigorous framework… or perhaps AI adopters felt some sense of relief.  But we would urge companies that are using or exploring AI in their products and services to proceed cautiously and thoughtfully.  As we wrote recently, the FTC has put companies on notice to keep their AI claims in check or potentially face an investigation.  We anticipate an even more careful look at generative AI adoption in the sports betting industry – from federal and state regulators.

AI or no, we further urge companies to give a fresh look at their privacy policies to ensure they are up to date.  If things have changed to your practices, e.g., you have adopted new APIs, started to do data analytics, offer new services that require you to collect new pieces of personal data, your privacy policy should be updated to reflect these developments.  This practice is also a good starting point for compliance with new state privacy laws as they come into effect.  California and Virginia both have privacy laws that impact businesses serving consumers in their states.  Colorado, Connecticut, and Utah privacy laws will take effect in July and December.  And Iowa just passed legislation that will become effective in 2025.  Each of these states has notice and consent requirements, among other compliance obligations.  But all of them require our step one: have a privacy policy in place that clearly and accurately reflects your personal data practices.

[1] See e.g., our blogs at https://www.ifrahlaw.com/ftc-beat/international-data-privacy-day-our-top-10-data-privacy-tips/; https://www.ifrahlaw.com/ftc-beat/ftc-enforcement-reminds-companies-to-live-up-their-promises/; https://www.ifrahlaw.com/ftc-beat/keeping-your-privacy-promises-retail-tracking-and-opt-out-choices/; and https://www.ifrahlaw.com/ftc-beat/facebook-and-the-ftc-a-wake-up-call-for-companies-collecting-personal-data/.