If your business uses AI to make decisions about people, like screening job applicants or approving loans, you must disclose this in your Privacy Policy or Privacy Notice. The EU AI Act, GDPR, and CCPA all require transparency about automated decision-making, and the EU AI Act alone carries penalties of up to €35 million or 7% of worldwide annual turnover, whichever is higher, for the most serious breaches.
This means you must disclose when a user is interacting with an AI system, that content is AI-generated or manipulated, what data the system uses and how users can exercise rights. In this article we explain what business owners must do now, what legal risks arise, and how to update your privacy notices accordingly.
This article covers what the EU AI Act, GDPR, and CCPA are, what automated decision-making and user profiling mean, what high-risk AI systems are, and what you need to disclose. This article also provides drafting tips for your Privacy Policy, common pitfalls, and preparation steps you can take now.
You need to prepare now for these regulations, even if you are not EU-based, as both the EU AI Act and the GDPR can apply outside of the EU.
- 1. What is the EU AI Act?
- 1.1. Are You a Provider or a Deployer Under the EU AI Act?
- 1.1.1. Provider (Developer of the AI System)
- 1.1.2. Deployer (Business User of the AI System)
- 2. What is the GDPR?
- 3. What is the CCPA?
- 4. How Does the EU AI Act Intersect with the CCPA and GDPR?
- 5. What Types of AI Systems Require Disclosure?
- 5.1. What is Automated Decision-Making?
- 5.2. What is User Profiling?
- 5.3. What are High-Risk AI Systems?
- 6. What Must Be Disclosed Under the EU AI Act, GDPR, and CCPA?
- 6.1. EU AI Act
- 6.2. GDPR
- 6.3. CCPA
- 7. How to Draft AI Transparency Disclosures in Privacy Policies and Privacy Notices
- 7.1. Include a Separate AI Section
- 7.2. Use Clear, Plain Language
- 7.3. Be Specific About What the AI Tool Does
- 7.4. Explain Human Oversight
- 7.5. Explain Individual User Rights
- 7.6. Provide Your Contact Information
- 8. Common Pitfalls and How to Avoid Them
- 9. Preparation Steps for Businesses
- 10. Summary
What is the EU AI Act?
The EU AI Act is a European Union regulation on artificial intelligence (AI) systems. It was published in July 2024 and entered into force on 1 August 2024.
The EU AI Act takes a risk-based approach: obligations scale with the risk a system poses to health, safety, or fundamental rights. A small set of practices is prohibited outright, high-risk systems carry the heaviest obligations (risk management, documentation, human oversight, and conformity assessment), systems that interact with people or generate content carry transparency duties, and minimal-risk systems are largely unregulated.
The purpose of the Act is to make sure that AI systems used in the EU are transparent and subject to meaningful human oversight in proportion to the risk they create.
Its provisions apply in phases. The prohibitions have applied since February 2025, the rules for general-purpose AI models since August 2025, most remaining obligations (including the Article 50 transparency duties) apply from August 2026, and the obligations for high-risk systems embedded in products regulated under Annex I apply from August 2027.
Are You a Provider or a Deployer Under the EU AI Act?
Understanding whether your business is a provider or a deployer of an AI system is essential, because the EU AI Act assigns different transparency obligations to each role.
Provider (Developer of the AI System)
A provider is the organisation that develops, trains, or places an AI system on the EU market under its own name. Providers must create technical documentation, perform risk assessments for high-risk systems, ensure the quality of training data, and supply transparency information to their customers.
Deployer (Business User of the AI System)
A deployer is the business that uses an AI system in its own operations, for example to screen job applicants, support customer service, or analyse user behaviour. Depending on the system, deployers must inform people that they are interacting with AI or are exposed to emotion recognition or biometric categorisation, label AI-generated "deepfake" content, keep human oversight in place, and update their Privacy Policy or Privacy Notice to disclose how the AI system uses personal data.
The EU AI Act splits the Article 50 transparency duties between the two roles: providers must design systems so that people are told they are interacting with AI and must mark synthetic output, while deployers must disclose deepfakes and emotion-recognition or biometric-categorisation systems to the people exposed to them. The GDPR and CCPA duties that affect your Privacy Policy, such as notifying users, explaining the logic, and providing human review, attach to the controller or business, which in practice is the deployer. This means that even if your business did not build the AI tool, you are still legally responsible for these disclosures when you use it.
What is the GDPR?
The General Data Protection Regulation (GDPR) is an EU privacy law adopted in 2016 and applicable since 25 May 2018. It regulates how personal data is collected, processed, and stored, as well as what rights individuals have over their personal data.
You need to disclose to individuals when and how their personal data is being collected, for what purposes, and tell users what their rights are.
The GDPR also includes provisions that relate to automated decision-making, in particular Articles 13, 14, 15, and 22. These require you to tell people when their personal data is used for automated decisions that have legal or similarly significant effects on them, such as hiring or medical decisions, and to give them meaningful information about the logic involved.
The GDPR applies even if you are not based in the EU. It covers the processing of personal data of people who are in the EU whenever you offer them goods or services or monitor their behaviour. If you are a company based in Florida, but you collect the data of European customers, you'll have to comply with the GDPR.
Under the GDPR, you must tell users:
- That automated decision-making or profiling takes place,
- Meaningful information about the logic involved, in plain terms,
- The significance and the envisaged consequences for them,
- And how they can request human intervention, express their point of view, and contest the decision.
These disclosures must appear at the point of data collection and in your Privacy Notice.
What is the CCPA?
The California Consumer Privacy Act (CCPA) is a California state law that protects the privacy of California residents. The CCPA requires businesses to disclose how they collect, use, and share personal information.
Like the GDPR, the CCPA gives California residents rights to their personal data that they can enforce (such as the right to have their data deleted).
The CCPA also covers automated decision-making. Section 1798.185(a)(15) of the California Privacy Rights Act (CPRA), which amended the CCPA, directed the California Privacy Protection Agency (CPPA) to issue regulations on businesses' use of automated decisionmaking technology (ADMT), including profiling.
Those regulations were finalised by the CPPA Board in 2025 after a long drafting process, so the section numbers quoted below refer to the text as adopted.
You'll need to comply with the finalised regulation by January 1, 2027. Broadly, you'll have to disclose when you use personal information for automated decision-making or profiling that could have significant effects on consumers.
How Does the EU AI Act Intersect with the CCPA and GDPR?
The EU AI Act, GDPR, and CCPA work together and often overlap, especially when AI systems process personal data to make decisions about individuals. The table below lists many of the common differences and similarities between these laws:
| Law | EU AI Act | GDPR | CCPA |
|---|---|---|---|
| Requires transparency? | Yes | Yes | Yes |
| Automated decision-making allowed? | Yes | Yes, but may not be a solely automated decision other than in specific circumstances | Yes, but there is a right to opt out of and contest certain decisions, such as hiring decisions made by automated means |
| Human oversight required? | Yes | Yes | Yes |
| Does the law require disclosure of AI or automated decision-making? | Yes, persons must be informed that they are interacting with an AI system | Yes, in the Privacy Policy and at the point of collection (Articles 13 and 14) | Yes, in a Pre-use Notice and in the Privacy Policy |
| Does the law require disclosure of profiling? | Not as a separate duty, but an Annex III system that performs profiling of natural persons is always high-risk (Article 6(3)) | Yes, should be disclosed in the Privacy Policy | Yes, profiling is a form of ADMT and should be disclosed in a Pre-use Notice |
| Right to know the logic of the AI model? | Yes, for decisions based on high-risk Annex III systems, a right to a clear and meaningful explanation of the role of the AI system (Article 86) | Yes, right to meaningful information about the logic involved | Yes, right to access information about how the ADMT works |
| Applies to? | Providers placing AI on the EU market and deployers in the EU, plus providers and deployers outside the EU where the system's output is used in the EU | Anyone processing the personal data of people in the EU | Businesses that do business in California and meet the CCPA thresholds |
| Extraterritorial effect? | Yes, if your company is outside of the EU but places AI on the EU market or its output is used in the EU | Yes, if your company is outside of the EU but processes the data of people in the EU | Yes, if your business is based outside of California but collects the data of California residents |
| Applies specifically to personal data? | No, applies to AI systems using any data, not necessarily personal data | Yes, applies to personal data | Yes, applies to personal information |
| Applies only to AI tools? | Yes | No, applies to any processing of personal data | No, applies to any processing of personal information |
| Includes requirements for high-risk AI? | Yes | No | No |
| Requires clear and simple language? | Yes | Yes | Yes |
| Content labelling | Required for synthetic or manipulated content | Not required | Not required |
| General-purpose AI (e.g., ChatGPT-style models) | Transparency obligations and training-data summaries required for providers | No specific provision | No specific provision |
| Provider vs Deployer obligations | Both roles have distinct duties | Only controllers/processors | Only businesses (with flow-down to service providers and contractors) |
Depending on where your users are based, it's likely that you'll need to comply with all three of these laws. This is particularly the case if your business has international reach. This means your Privacy Policy and Privacy Notice would need to cover GDPR, CCPA, and EU AI Act requirements.
What Types of AI Systems Require Disclosure?
Your use of AI systems, whether or not they use personal data to make decisions about people, needs to be disclosed transparently. This includes systems that carry out automated decision-making or user profiling, as well as general-purpose AI systems such as chatbots, analytics software, and more.
If you use general-purpose AI systems (such as chatbots, text generators, or internal copilots), transparency obligations still apply even if the system does not make decisions about people. Businesses must disclose when these systems influence content, recommendations, or user interactions.
Let's take a look at what each of those terms means.
What is Automated Decision-Making?
Automated decision-making is when a decision about a person is made by automated systems like AI, without real human involvement.
Under the GDPR, automated decision-making is not explicitly defined, although "profiling" is.
GDPR Article 22 gives individuals the "right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."
If an automated decision could have a big effect on an individual, such as hiring or firing decisions, lending decisions, or medical decisions, people have the right to have the decision made in a different way (without automated processing).
You'll need to let your users know about these rights in your Privacy Policy. We'll go into that in more detail below.
Automated decision-making technology is also covered by the CCPA's new regulations, which include disclosure requirements in the new section 7220.
Automated decision-making technology is defined in the new CCPA draft as "any technology that processes personal information and uses computation to replace human decisionmaking, or substantially replace human decisionmaking."
You can see this in the CCPA definitions section below:
This section also includes a definition about what it means to "substantially replace human decisionmaking", as you can see here:
Substantially replacing human decisionmaking means when "a business uses the technology's output to make a decision without human involvement."
Human involvement means the reviewer needs to know how to interpret the technology, be able to review and analyse the output, and have the authority and ability to change the decision that the technology has made.
If you don't have human involvement like this, your AI system could be "substantially replacing human decisionmaking", and will be considered an automated decisionmaking technology under the CCPA.
What is User Profiling?
User profiling is when automated systems analyse personal data to evaluate, predict, or categorize people based on their characteristics, behavior, preferences, or interests. This can be done by AI systems.
Under the GDPR, profiling means "automated processing of personal data … to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements."
You can see this in the GDPR definitions section below:
The CCPA new update states in the definitions section that ADMT (automated decision-making technology) includes profiling.
Profiling is also separately defined as "automated processing of personal information to … analyze or predict aspects concerning that natural person's intelligence, ability, aptitude, performance at work, economic situation, health, (including mental health), personal preferences, interests, reliability, predispositions, behavior, location, or movements."
You can see this in the CCPA draft definitions section below:
It's important to remember that these CCPA regulations are recent: the definitions quoted here are from the text adopted by the CPPA, and the ADMT obligations must be complied with by January 1, 2027.
What are High-Risk AI Systems?
High-risk AI systems are systems that could create a significant risk to the health, safety, or fundamental rights of people. Under the EU AI Act, these high-risk systems have the most regulations that apply to them, and require the most human oversight.
The EU AI Act sets out specific categories of AI systems depending on what their use is. For example, an AI system that is a safety component of a product covered by the EU product legislation listed in Annex I (such as machinery or medical devices), and that must undergo third-party conformity assessment, is high-risk.
You can see this in Article 6 of the EU AI Act:
In addition, AI systems set out in Annex III are also considered to be high-risk. You can see this in the second part of the section below:
Annex III includes AI systems used in biometrics, critical infrastructure, education, employment (including recruitment and promotion decisions), access to essential services such as creditworthiness assessments, law enforcement, migration and border control, and the administration of justice and democratic processes.
If your AI system is a safety component of a regulated product or falls into Annex III, you need to complete a conformity assessment and risk-management process before deployment. You'll need to set aside time and money for this: it can take months and can be costly.
What Must Be Disclosed Under the EU AI Act, GDPR, and CCPA?
All three laws require transparency about the use of AI. The GDPR and CCPA also require the disclosure of what information is collected, what for, and what the automated system or AI does with this data. You also need to disclose what rights users can exercise in relation to automated decision-making technologies.
Let's take a look at each of these laws in more detail.
EU AI Act
Under the EU AI Act, you need to disclose information to consumers that they are interacting with an AI system. You also need to provide this information clearly and obviously.
In the EU AI Act text, Article 50(1), you can see that users or consumers need to be "informed that they are interacting with an AI system unless this is obvious from the point of view of a natural person who is reasonably well-informed, observant and circumspect ...".
The question of whether a person is "informed", or whether interaction with an AI system would be obvious, depends on the circumstances and the context of use.
In addition, information that a person is interacting with an AI system must be provided in a "clear and distinguishable manner", as you can see in section 5 of Article 50:
For high-risk systems, the provider must also supply deployers (the entities using and operating the AI system) with instructions for use and other information about the system's capabilities, limitations, and oversight measures. This is information exchanged between businesses, however, not a consumer-facing privacy disclosure.
If your business generates images, audio, video, or text using AI, the output must be marked as AI-generated or AI-manipulated. Providers must mark synthetic output in a machine-readable way, and deployers must disclose deepfakes (images, audio, or video that appear authentic) unless an exception applies. This is a synthetic content disclosure.
If you use AI for emotion analysis or biometric categorization, you must inform the user at the time of interaction and obtain any legally required permissions under national law.
GDPR
Under GDPR Articles 13 and 14, when you collect data, you have to tell individuals if their data will be used for automated decision-making or profiling. You also need to explain how these automated decisions are made, their significance, and let users know they have a right to contest the decision.
In Article 13 below you can see part of what needs to be disclosed to users:
The text from Article 13 is repeated in Article 14. The sections differ only in that Article 13 applies when personal data is obtained directly from the data subject, while Article 14 applies when the personal data has been obtained from another source.
In both cases, you need to explicitly state that automated decision-making or profiling is taking place, and provide meaningful information about the logic involved in the decision-making process.
You also need to explain the significance and consequences for the individual. For example, if an AI system is used to reject a loan application, you need to explain that this decision could affect their access to credit.
Article 22 also states that data subjects have the right not to be subject to a decision based solely on automated processing.
Later in the section, it also states that data controllers must "implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision."
When the data subject has these rights, you should also disclose them in your Privacy Policy and create a process for the data subject to enforce them.
In addition, like for all uses of personal data, you need to disclose under the GDPR what personal data is being used, how it's collected, and the lawful basis for processing the data (such as consent, legitimate interests, or contractual necessity).
Finally, you have to tell users about their rights in relation to automated decision-making under the GDPR. This includes:
- the right to human intervention in the decision-making process
- the right to contest automated decisions
- the right to obtain an explanation of the decision.
These rights are alongside users' other GDPR rights, such as the right to access their personal data, the right to erasure, rectification, and data portability.
CCPA
Under the most recent update to the California Privacy Rights Act (CPRA) and CCPA, businesses must disclose the use of automated decision-making technology (ADMT), its purpose, and consumer rights in relation to the technology (e.g. the right to opt out or contest).
Section 7010 of the regulations states that businesses using ADMT must provide a privacy policy and must "provide consumers with a Pre-use Notice" about the use of ADMT.
The Pre-Use Notice also needs to disclose consumers' rights to opt-out of ADMT and to access ADMT. You can see this in the section below:
Section 7220 also states that the Pre-use Notice must be "presented prominently and conspicuously to the consumer at or before the point when the business collects the consumer's personal information that the business plans to process using ADMT."
As stated in section 7220(c) of the CCPA regulations, the Pre-use Notice must contain:
- A plain language explanation of the purpose for the ADMT
- A description of the consumer's right to opt-out of ADMT and how the consumer can submit a request to opt-out of ADMT
- A description of the consumer's right to access ADMT and how the consumer can submit their request to access ADMT to the business
- That the business is prohibited from retaliating against consumers for exercising their CCPA rights
- Additional information about how the ADMT works to make a significant decision about consumers, including:
  - How the ADMT processes personal information to make a significant decision about consumers, including the categories of personal information that affect the output generated by the ADMT
  - The type of output generated by the ADMT, and how that output is used to make a significant decision
  - What the alternative process for making a significant decision is for consumers who opt out
You need to make sure your Pre-use Notice is ready, and covers all of these points, before January 1, 2027.
Under section 7150, you'll also need to review the risk level of your ADMT. This risk assessment is to determine whether "the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public."
If you find that your ADMT is very high risk, you might need to stop using it completely.
How to Draft AI Transparency Disclosures in Privacy Policies and Privacy Notices
Your Privacy Policy or Privacy Notice must contain a dedicated section that clearly states (1) what AI systems you use, (2) what they do, (3) what data they process, (4) whether human oversight exists, and (5) what rights users can exercise. These disclosures must be written in simple language and placed prominently.
Each of the below sections can help to make sure you meet your obligations under the law.
Include a Separate AI Section
In your Privacy Policy you should include a separate section that specifically describes the purpose you have for using AI, automated decision-making, or profiling technology. Including this information in a separate section makes sure that users can find it easily.
If you are releasing an Artificial Intelligence Privacy Notice, this is a dedicated notice on this particular topic. You can still include a clear section at the beginning that states what technologies you use, and why you use them. You should be explicit that AI or automated decision-making is involved.
In this example below from the Privacy Notice of Lancashire City Council you can see a clear, explicit section about what AI is used for and why it is used. It directly states that AI is used by the council, so that citizens know their data is being processed in this way.
You can see in the Lancashire City Council example that it refers to the use of Microsoft Copilot. Here's an example from Microsoft's policy on the use of AI and Copilot, and their privacy practices in relation to the tool:
In the Microsoft policy it also states that AI is used, and that the use of AI is in line with its privacy statement.
In this example from Slack, you can see there is also a separate section dealing with AI and data protection. It explicitly states that AI and machine learning are used to improve product features, but that customer data is not used for this purpose.
It also states that customer data is used for certain features, however, and refers to the Privacy Policy.
Approaches like this (that split information into different documents) can help to organise information better if your business is large and has a lot of information to disclose.
On the other hand, referring customers from document to document can end up burying important information. For your business you need to decide individually when references to other documents make sense.
Use Clear, Plain Language
In your Privacy Policy or Privacy Notice you should always use clear, plain language. Under the GDPR, CCPA, and EU AI Act, you are required to provide information in a clear and obvious way.
You can see in this example from Essex County Council that their use of AI is simply stated in clear, simple language:
The section uses short sentences without complicated information. This makes it easier for users to read and understand.
This section from Azets also clearly explains that the company does not perform profiling or automated decision-making using personal data. The sentences are also short and basic, and it is clear to users what the section is saying.
In this example from Adjust, you can also see clear, simple language.
This section also refers specifically to Article 22 of the GDPR, and makes it obvious what it is addressing (legally).
Using language like this makes sure your users and customers understand, and also that you meet your legal obligations.
Be Specific About What the AI Tool Does
You should be specific in your Privacy Policy or Privacy Notice about what any AI tool actually does, and what data it collects. Or, if you are using automated decision-making, explain what type of decision-making takes place, and what the effects on the consumer or user will be.
In this example from the Be My Eyes tool, the Privacy Policy outlines what the artificial intelligence tools are used for. You can see that the description is very direct: AI tools are used to analyze and describe photos and videos that users submit. Personal information contained in these will also be processed and stored.
Here's another example from Worknest in its Artificial Intelligence Privacy Notice. This explains that the AI-powered chat tool helps visitors learn about the product and services. It explains that conversations are logged and analyzed for different purposes.
When you clearly explain what the AI tool is used for, this can help to inform your users and meet your obligations under laws like the EU AI Act and CCPA.
Explain Human Oversight
Human oversight for your AI tools is necessary for meeting your legal obligations, and you should also explain in your Privacy Policy or Notice what type of human oversight takes place.
In the section below from the West Oxfordshire District Council Privacy Notice you can see the section briefly notes human review and oversight. It states that there is always a human intervention to review and approve outputs from AI tools. It also explicitly states that decisions are not made solely by automated means.
In this example from the Derby City Council Privacy Notice, you can see that AI is used for small-scale automated decision-making. However, this is also subject to human oversight. The process of human oversight is explained more thoroughly in the section so that users can understand.
In the section above you can see a clear example of a business disclosing the existence of automated decision-making. However, it is also clear that it is not "solely" automated, because human intervention and oversight is explained.
In the example from Risemat you can also see similar information provided in its Privacy Policy below:
You can see in this example that Risemat has also included in the same section the user's right to challenge the use of AI tools.
Explain Individual User Rights
In the EU AI Act, GDPR, and CCPA, you have obligations to fulfil, and consumers or users have rights. Users have rights to know whether automated decisions or profiling are happening, what is being done with their data, who it is shared with, rights to access it, rights to opt out, and rights to have data deleted, among other things. You need to explain these rights and how users can enforce them.
You can see in the example from Salesforce below that the data subject's right not to be subject to a decision based solely on automated decision making is clearly explained.
In this example from the German Federal Government website, you can see that the data subject has the right to know if automated decision-making and / or profiling exist when the website processes user data. In addition, data subjects also have the right to know the logic involved, as well as the significance and consequences.
In the example from the Derby City Council Privacy Notice you can see a full list of rights that the data subject has, including access, rectification, deletion, portability, right to object or restrict processing, and the right to prevent automatic decisions.
Sections in your Privacy Policy or Privacy Notice on user rights should be clear and direct about what rights users have. Importantly, users can only exercise their rights over their data if they can get in contact with you.
Provide Your Contact Information
The GDPR and CCPA require you to provide your contact information to users if you are going to use their personal data. You need to include a section in your Privacy Policy or Privacy Notice that contains contact information for your business, as well as the Data Protection Officer, if there is one.
This example from the German Federal Government website includes contact details as the first section:
Here's another example from Salesforce. You can see it provides multiple different ways to contact Salesforce, including a form, email, a telephone number, or an address.
In this example from the Lancashire City Council Privacy Notice, you can also see the contact details of the data controller and the DPO:
Now let's take a look at some common pitfalls and preparation steps you can take.
Common Pitfalls and How to Avoid Them
There are a number of common pitfalls that your business should avoid, including burying AI disclosures in your Privacy Notice, being too vague about AI tools, not regularly updating Privacy Policies, only taking GDPR compliance steps without considering the EU AI Act, and misclassifying your AI system as lower risk than it is, among other things.
Here are some of the most common pitfalls, and how to avoid them:
- Hiding AI disclosures in complicated text: Your AI disclosures should not be hidden in complex documents. Avoid this pitfall by creating a dedicated Artificial Intelligence Privacy Notice, or include clear sections in your Privacy Policy that your users can find.
- Being too vague: Don't be vague about what you are using AI for. In the examples above you can see many examples of clear descriptions of AI tools. You should describe what the AI does, what purposes you use it for, what data it collects, and whether any information will be passed on to third parties.
- Not updating your Privacy Policy or Privacy Notice regularly: Many businesses are adopting AI technologies rapidly and may implement tools without enough oversight of policy documents that relate to them. Make sure you update your Privacy Policy or Privacy Notice any time that you begin using a new tool.
- Only addressing GDPR without considering the EU AI Act: Privacy Policies and Privacy Notices primarily relate to the GDPR, CCPA, or other privacy laws. But don't forget the impact of the EU AI Act. This means you need to consider the risk level of your AI system, and make sure users know they're interacting with AI. You need to be transparent about what AI systems under your control are doing.
- Misclassifying AI systems: When classifying your AI system, be careful not to misclassify it as lower risk than it is. This can leave you open to penalties, and leave your users open to harm. Use tools such as this EU AI Act Compliance Checker to decide the risk level of your AI system. When in doubt, seek legal advice.
- Incorrect application of human oversight: AI systems need to have human oversight. Be careful that you don't let AI systems make significant decisions without sufficient human oversight, as you could end up breaching both the GDPR and the EU AI Act.
- Leaving out ways for users to exercise legal rights: Your users have rights under the GDPR and the EU AI Act. Make sure you include a clear explanation of their rights in your Privacy Policy or Privacy Notice, and give them a way to contact you so that they can assert their rights if they want to.
- Assuming the vendor is responsible for transparency: Even if the AI provider supplies documentation, you, as the deployer, must update your Privacy Notice and user-facing disclosures.
Preparation Steps for Businesses
Finally, let's take a look at a few preparation steps that you can take now, to ensure your business is compliant with the GDPR, CCPA, and EU AI Act when it comes to AI transparency.
- Check and classify your AI Systems: If you are using AI systems or automated decision-making systems in your business, check and classify them with the appropriate risk level. Determine whether your AI systems are legally classified as automated decision-making systems, and keep track of any new systems that are set up or are about to be.
- Review your current Privacy Policy and Privacy Notice: Some of the provisions of the EU AI Act and CCPA are yet to come into force, or have a preparation phase in which you can get compliant. Check now whether your Privacy Policy and Privacy Notice are compliant with these laws, and if you are using any AI or automated decision-making software, update your policies to comply.
- Inform your employees and contractors: All of your employees and contractors need to be aware of what is required when working with AI tools in your business. No new tools should be installed or used without disclosure in your Privacy Policy and Privacy Notice.
- Create ongoing monitoring and review processes: Set up ongoing monitoring and review processes, so that policies are updated accordingly when AI tools are procured. Tools should be carefully checked for what data they collect and process, and monitoring needs to keep track of whether any of these details have changed. This is especially the case with newer AI tools, as many of these programs are updated frequently and in rapid phases of development.
Summary
AI transparency is increasingly required by law. The EU AI Act, GDPR, and CCPA all require you to disclose how you use AI systems to make decisions about individuals. These requirements apply even to businesses outside the EU and California if your customers live in those places.
To make sure your business is compliant, you should create clear, dedicated sections in your Privacy Policy or Privacy Notice that explain AI use in plain language. Don't bury your disclosures, be too vague, or claim human oversight that doesn't really exist. Start preparing now, and remember that AI transparency requirements are changing quickly, so it's important to set up processes for ongoing monitoring and updates as well.