Last updated on 01 August 2022 by Stephen Titcombe (Legal writer at TermsFeed)
With the growing concern for data protection in today's business climate and the consequent proliferation of privacy laws, Privacy Policies are now mandatory for businesses that collect or process personal data, including audio records.
In recent years, the concept of personal information has evolved to include numerous types and configurations of data in order to keep up with the advancements of the digital age.
Additional clauses included may be unique to reflect the actual privacy practices of your business.
Privacy laws generally define personal information as "any type of data that can identify a real person, either directly or indirectly."
Typical examples include but aren't restricted to the following:
Other notable data types that can (in certain instances) be classified as personal information include cookies, web browsing histories, device IDs, images, video or audio recordings, etc.
Collecting audio recordings (aka personal information) from your users puts you within the scope of privacy laws in regions where your users reside.
As a result, you may need to comply with several countries' privacy laws, depending on where your business and users are located. The more prominent ones are as follows:
In recent years, voice assistants like Amazon's Alexa, Apple's Siri, Google Assistant, and Microsoft's Cortana have become increasingly popular thanks to the latest advances in artificial intelligence.
These assistants present plenty of opportunities for developers and their users alike. For instance, integrating a third-party voice assistant in your product can give it a touch of refinement and help you reach a rapidly-growing market of tech-savvy customers.
But with these benefits also comes a potential threat to the privacy and security of personal information if not properly managed.
This can, in turn, lead to higher trust and the opportunity to gain more engagement for your business.
If you capture user audio or voice recordings, you need to disclose that you do this, and how you do it.
In most cases, you either capture audio recordings through customer care phone calls or by integrating third-party voice assistants into your product.
Soundcore, on the other hand, specifies that third parties will collect voice data when users employ one of its voice assistant technology after receiving permission:
In its Privacy Notice for minors, Google addresses its collection of voice and audio information among other categories of information it collects:
If you capture audio recordings, you'll most likely use them to carry out the requested service of users, enhance audio functionality, develop new audio features, conduct research and surveys, and perform related functions.
For example, Spotify published a separate policy that specifically addresses voice data. This is a valid option that, while not necessary, helps detail its collection and use of voice data better.
Here's how Spotify presents this clause in its Voice on Spotify Policy:
Similarly, Amazon outlines its reasons for collecting data, including how it uses voice inputs made through Alexa. Amazon also includes a link to a more comprehensive document detailing its Alexa and Echo devices policy.
Data sharing is virtually inevitable in today's business landscape.
Regardless of your industry, you'll probably share data with your affiliated partners and third parties such as analytics providers, advertising or marketing agencies, and payment processors.
You may even be required to share information with law enforcement or other authorities in certain instances.
In any case, it's important to be as transparent as possible about the categories of third parties with whom you share personal information and your reasons for such.
Spotify, once again, does this well. Here's how it comprehensively details the categories of third parties with whom it shares various types of information (including voice data) and the reasons for such:
Simply put, you should let users know where you plan to store their information, how long you intend to keep it, and why.
Note that most privacy laws specify that you must only keep personal information for as long as is absolutely necessary. In other words, if you don't have reasonable grounds to retain audio recordings, you need to take steps to erase them promptly.
Here's a short but concise example from Pandora that complies with this requirement:
Data breaches are a significant security concern in today's world and can result in costly consequences if preventive measures are not properly implemented.
Such measures include but aren't restricted to:
However, It's worth noting that no security system is infallible, and stating this information can help limit your liability.
In today's privacy landscape, users have more control over their personal information than ever before thanks to privacy laws and regulations.
At the very least, users have the right to access, modify, and delete their personal information (including audio recordings) anytime they wish, and you must bring this to their attention.
Here's an example from ResourceFlex of how you can keep users informed of their legal rights regarding their personal information:
Keep in mind that you may need to include additional user rights depending on the privacy laws of the regions where your users reside. For example, the GDPR grants EU residents eight user rights which all businesses under its scope must observe.
It's a best practice to include several forms of contact details under this clause, such as a physical address, email address, and/or phone number.
Voice assistant technology has gained widespread acceptance despite the potential threats to data privacy. However, collecting and sharing audio recordings with third parties remains potentially invasive.
As a result, many privacy laws, most notably the GDPR, require businesses to obtain user consent before collecting or processing certain types of information (including audio recordings).
Moreover, user consent is also needed to comply with the Terms and Conditions of most third-party services.
A reliable way to obtain consent is to employ a clickwrap method to ensure that your users have read and approved your data processing practices.
Here's an example from Snap Inc:
Here's how Soundcloud does this:
For example, Netflix includes a link to its Privacy Statement in its in-app settings menu, as shown below: