AI Privacy Policy Examined: Should You Use ChatGPT?
written by Etienne Cussol CIPP/E, CIPM June 16, 2023
Artificial intelligence (AI) can do a lot — it runs internet search engines, turns our houses into smart homes, and filters out spam emails from our inboxes. But can it write your privacy policy for you?
As Termly’s Compliance Analyst, I’ve been working in the data privacy industry for several years, and rumors about businesses using ChatGPT to make privacy policies started to pique my curiosity.
Are the final documents actually legally sound? What prompts do these businesses use to ensure the final clauses reflect their data processing activities? Are they being honest?
So I put ChatGPT to the test and asked it to generate a compliant privacy notice using three different prompts. The results? Shocking. And I’m not just saying that as a cliffhanger to get you to keep reading.
Come along on this AI experiment with me, and by the end, you can tell me if you think AI has replaced the need for humans in the world of data privacy or if privacy policy generators are here to stay.
Key Takeaways
I’ll come right out with it — after testing a few different privacy policy prompts with ChatGPT, I’ve determined that these are the key takeaways:
- Right now, you can’t reliably use AI (ChatGPT) to make a compliant privacy policy. Even if you use a specific prompt, a human should still read through, edit, and reformat the document. It’s also necessary to double-check it for legal and consistency errors.
- An AI can’t generate some elements specific to your company. Specifically, it cannot know the legal requirements applicable to your company, the purposes for which you process personal information, the categories of personal data your company is processing, the categories of third parties you use to process personal information, or details about any International transfers of personal information and their modalities.
- AI does not keep up with the evolution of data protection laws. If a law gets amended or a new one enters into force, ChatGPT can’t update your pre-existing policy for you or keep it compliant with new rules. You’d need to enter an entirely new prompt accounting for those changes or manually add the information.
- The time and effort to even get close to doing it right is significantly higher. The amount of effort you’ll need to exert to continuously go back and forth with ChatGPT with prompts, corrections, and information to get close to a legally sound privacy policy is monumentally higher than the few minutes it takes a privacy policy generator to do all that work for you. Even after all that, you’ll always be unsure whether you have a legally sound policy.
However, you can use it to make a draft of a privacy policy if you:
- Clearly identify in the prompt which data protection laws your company is subject to and list out all of their requirements.
- Provide all necessary information and details relevant to your privacy policy.
- Keep up with the evolution of data protection laws and manually edit the document.
I work in the world of data privacy every day and know the ins and outs of relevant laws like the back of my hand.
But companies whose sector of activity is not in data protection are very unlikely to have the information and resources necessary for an AI to write a compliant privacy policy.
What Is AI & ChatGPT?
Before I reveal the privacy policies that ChaptGPT made for me, let’s cover some basics.
We’ll start by defining intelligence. In its simplest form, this is the cognitive process that allows humans to learn, reason, understand concepts, and recognize patterns.
Artificial intelligence, or AI, refers to when a machine can demonstrate intelligence — it can perceive, synthesize, make inferences, and even problem-solve.
To put it another way, a machine with artificial intelligence can do things on its own that typically require a human, like creating art, driving autonomous cars, or even fighting cyberattacks.
ChaptGPT is an artificially intelligent chatbot developed by a group called OpenAI. The ‘GPT’ stands for generative pre-trained transformer, which refers to a series of large language models or LLMs.
The LLMs that train ChatGPT use deep learning (machine learning that closely mimics how humans process information) to recognize things like complex patterns, texts, syntax, and diction. It has access to a data set filled with millions, if not billions, of written-word examples that come from textbooks, online articles, websites, and other sources.
Because of this, it can use natural-sounding language and have human-like conversations. It can even create different types of written content, like social media posts, essays, codes, and emails.
But can it write a compliant privacy policy for you? Today, you and I will definitively answer this pressing question.
Can You Use ChatGPT For a Privacy Policy?
Imagine asking an AI to make your business a unique, accurate, legally compliant privacy policy. What a dream! While we may get there one day, it seems like a human is still very necessary, especially if you want to avoid violating any data privacy laws.
When I messed around with ChatGPT in an attempt to create an accurate privacy policy, I quickly noticed that even when it gave me decent results, I still needed to review every part of the final document carefully.
Every iteration required multiple edits, revisions, and updates.
You may be saying, Etienne, doesn’t this mean I can use ChatGPT to at least create a rough draft for me?
This is a valid point, and you absolutely can.
But I’d still suggest using a free privacy policy generator or template instead, especially one like ours, which is vetted by a legal team and data privacy experts.
You see, your privacy policy must inform website users about your data privacy practices. It should also help you comply with all applicable data privacy laws.
Our Generator already does this for you, and you don’t have to write as much as you do to get a similar but still imperfect result from our AI friend. Plus, with ChatGPT, there’s no guarantee that your final policy will be as legally sound or accurate.
But I’m getting ahead of myself — first, let’s look at the ChatGPT test results.
ChatGPT Privacy Policy Testing
This is the fun part! I asked ChatGPT to make a privacy policy using three different prompts (okay, I asked it way more than three times, but these were the three best versions).
My prompts got more specific each time, which I’ve put for you in the table below.
Test | ChatGPT Prompt |
#1 | “Please write a privacy policy for https://staging.termly.io/” |
#2 | “Write a privacy policy for https://staging.termly.io/ that is GDPR compliant” |
#3 |
“Write a privacy policy for https://staging.termly.io/ that includes the following information:
For EEA/UK users:
For Californian users:
|
Ready to see what our AI friend created based on these three prompts? Let’s go over each one in detail together.
Test 1: Write a Privacy Policy For Termly
Initially, I kept the prompt request very broad and simple by asking ChatGPT to write a privacy policy for Termly. To me, this prompt is like the “control” of the experiment.
The result? The privacy policy does not apply to Termly’s legal scope.
See what ChatGPT provided below:
Right away, I noticed that the AI couldn’t define the legal scope of the privacy policy, so the privacy policy it generated is not compliant.
Usually, the first step of writing a privacy policy is to identify which data protection laws apply to your business. This depends on things like your company location, where your customers come from, and your sector of activity.
But because ChatGPT doesn’t ask questions, it can’t identify what laws or regulations apply to your company.
If you tried to make a privacy policy this way, you’d still need to read through the data privacy laws and identify which ones affect your business. Then you’d need to go back into the privacy policy and add all relevant clauses and missing pieces to ensure it complies with those laws.
Essentially, you’d be writing the whole thing yourself. You’d be better off using a privacy policy template, which is properly formatted for you already and would at least have the added benefit of saving you time.
Test 2: Write a Privacy Policy For Termly That’s GDPR Compliant
I was a little more specific with my prompt for this next test. Let’s imagine we’ve identified that our company is only subject to the General Data Protection Regulation (GDPR) — can ChatGPT write a privacy policy that complies with it?
The result? The privacy policy is missing necessary GDPR requirements and is NOT compliant.
Take a look at what ChatGPT gave me below:
Unfortunately, this is not a GDPR-compliant privacy policy.
If you posted it on your site, you could get fined for violating the Regulation. Nobody wants that.
In the table below, let’s compare the requirements of the GDPR to the privacy policy generated by ChatGPT so you can see precisely what parts of the Regulation this policy breaks.
GDPR Article | GDPR Requirements | ChatGPT Generated Privacy Policy |
Articles 13 1(a)
|
Identity and contact details of the Company. |
Partially Compliant
|
Article 13 1(b) | Contact details of the data protection officer (DPO). | Not Compliant |
Article 13 1(c) | Purposes of the processing and your legal basis. |
Partially Compliant
|
Article 13 1(d) | Third parties or categories of third parties processing the personal information. | Yes |
Article 13 1(f) | International transfers, which safeguards are used for the transfer, and how to obtain information on these safeguards. | Not Compliant |
Articles 13 2(a) | Retention period of the personal information you collected. | Yes |
Articles 13 2(b) +(c) | The existence of rights to access, rectify, erase, and restrict the processing of personal information and the right to withdraw consent. | Yes |
Articles 13 2(f) | The existence of automated decision-making, including profiling. | Not Compliant |
Articles 13 2(d) | Right to lodge a complaint with a supervisory authority | Not Compliant |
Articles 13 2(e) | If the provision of personal data is a statutory or contractual requirement or necessary to enter into a contract. | Not Compliant |
Article 14 1(d)
|
The categories of personal data. | Yes |
Article 14 2(f) | From which source the personal data originates. | Not Compliant |
As you can see from the red text in the table above, the ChatGPT privacy policy is far from complying with every requirement of the GDPR.
Moreover, the information generated is not guaranteed to be correct.
For example, if you read through Section 2, ‘How We Use Your Information’, many purposes legally applicable to Termly are simply missing.
This is because ChatGPT is generating text using other pre-existing policies as a reference — it’s not based on any of our actual business practices.
We’re back to the original issue we experienced with the first test. ChatGPT needs to be provided with all of the correct information directly in the prompt because our AI friend can’t ask us for any specifications or corrections.
Test 3: Write a Privacy Policy For Termly That Includes The Following Information…
Now that we’ve established that ChatGPT needs specific information provided to it to write a compliant privacy policy let’s see if it can combine the requirements of several privacy laws if you feed it all of the necessary information.
This time, I’ve added details about the California Consumer Privacy Act (CCPA) and the GDPR.
In theory, this should finally give us a proper privacy agreement ready to be published online.
The result? The Privacy Policy includes all the requested elements but lacks clarity and formatting. It still needs human-applied edits.
As a reminder, here is the very thorough and specific prompt I fed to ChatGPT:
Below, read through the privacy policy that ChatGPT generated based on these long instructions:
I am pleasantly surprised by these results. But I am also aware that it took a lot of time, effort, and writing on my part for us to get here. And, if I’m not mistaken, the hope is that using AI to make a privacy policy would lead to doing less work, not more.
The privacy policy that ChatGPT generated is satisfactory in that it includes all the requested elements. It even stated the privacy laws in the header without us asking for it:
‘If you are in the European Economic Area (EEA) or the United Kingdom (UK), please note that we comply with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. If you are a resident of California, please note that we comply with the California Consumer Privacy Act (CCPA).’
In our prompt, I also distinguished between the EEA/UK and Californian requirements, and our AI friend replicated it in the privacy policy.
As such, it can be considered a compliant privacy policy, and we can conclude that it’s possible to combine the requirements of different privacy laws so long as you provide the AI with a detailed and organized request.
However, a human is still needed to finalize this privacy policy.
The text that ChatGPT generated is more of a listing of our requirements than a logically crafted privacy agreement. It was able to include all of the information I asked for, but it didn’t organize it in any way.
A company using AI to generate its privacy policy would still need to review the content and potentially rewrite parts to make it more readable, coherent, and transparent (laws like the GDPR and the CCPA legally require this).
Why You Have To Be Careful With ChatGPT
So, where do these experiments leave us?
You must be careful with ChatGPT, especially if you think it can make you a compliant privacy policy. Right now, the technology simply isn’t there.
Because the AI pulls from pre-existing content, it’s not making a unique or individualized policy for your company. Instead, it’s a combination of all privacy policies on the internet.
It also tends to leave out legally required elements necessary for achieving full compliance — details you might not know are missing if you’re not a data privacy expert or lawyer.
You must also provide ChatGPT with a particular, specific set of directions. Writing these takes time, effort, and legal knowledge about business requirements and privacy policy obligations.
This is the same amount of effort needed to fill out a free privacy policy template (and those have a higher chance of being compliant on the first try).
Additionally, it’s significantly more complicated than using a free privacy policy generator, which requires very little to no writing at all.
Better Solution For Your Privacy Policy
If you’re a business owner who must follow data privacy laws, using a generator to make your privacy policy will be your best solution.
Our Generator provides you with a final draft that you can trust is legally sound and unique to your business because it uses the answers you provide to create the agreement.
Designed by product engineers and data privacy experts, it includes the appropriate clauses to follow seven different data protection laws, and we update it regularly whenever those laws change or if new ones enter into action.
Plus, you can easily make changes to it in real-time as needed directly from your Termly dashboard.
And trust me, the questions it asks you are easy to answer. See an example in the screenshot below:
If you require a basic privacy policy, you don’t process any user data, or if your business doesn’t fall under any data privacy laws, I suggest using a free privacy policy template instead of relying on an AI like ChatGPT.
Honestly, templates are easier and faster to fill out manually than writing the detailed prompt required to get our AI friend to create an acceptable privacy policy.
See an example of our template in the screenshot below:
Summary
We’ve concluded the experiment, and I think it’s safe to say that AI is currently not the most efficient or affordable way to write a compliant privacy policy.
For ChatGPT to present a legally sound privacy agreement, it requires several inputs from the user that could result in hours of work for any non-privacy-initiated employee.
You would need to tell it:
- Your legal scope (aka, what laws you must follow)
- Your company’s contact information
- The contact information for your Data Protection Officer
- The purposes you have for processing data
- The categories of personal data you collect
- If you sell it to or share it with any third parties
- The categories of those third parties
- Details about international data transfers
Once you write all of this information down as the prompt for ChatGPT, you’ve completed half of a compliant privacy policy already. So it’s not really quicker, it’s certainly not easier, and depending on your level of data privacy expertise, you might still need a lawyer to look it over.
Plus, your AI-generated privacy policy wouldn’t update automatically, so it can’t keep up with the evolution of data privacy laws.
Do you know what doesn’t have any of these problems? Termly’s privacy policy generator.
It was built for privacy compliance, but ChatGPT wasn’t — I’ll let you choose which is better for protecting your business.