Privacy Policy Transparency

I am guilty too! 𝐏𝐫𝐢𝐯𝐚𝐜𝐲 𝐏𝐨𝐥𝐢𝐜𝐢𝐞𝐬 𝐌𝐚𝐲 𝐁𝐞 𝐋𝐨𝐧𝐠, 𝐁𝐮𝐭 𝐓𝐡𝐞𝐫𝐞 𝐀𝐫𝐞 𝐊𝐞𝐲 𝐒𝐞𝐜𝐭𝐢𝐨𝐧𝐬 𝐭𝐨 𝐑𝐞𝐚𝐝. Some privacy policies can be long and boring. I understand that feeling of scrolling through a lengthy, legal-sounding privacy policy that feels more like a sleep aid than something you should actually pay attention to. I feel that temptation to just click I accept, I accept (without reading through). But here’s the reality: Privacy policies are important because they outline how your data is collected, used, and protected. While they can be tedious, taking a moment to skim for these key sections can make all the difference: 1. What Data is Collected? Pay attention to what personal information they collect (name, email, location, etc.) so you know exactly what you are sharing. 2. How is Your Data Used? Does the company use your data only for service provision, or is it also shared for marketing or sold to third parties? Be aware of how your data is being used. 3. Who Has Access to Your Data? Check if any third parties have access to your information and for what purposes. Transparency is key! 4. How is Your Data Protected? Look for information on data encryption, secure storage, and other security measures to protect your personal data. 5. What Are Your Rights? Ensure the policy outlines your rights, like the ability to access, modify, or delete your data. You have control! 6. How Long is Your Data Retained? Find out how long your information is kept. It is important to know when it will be deleted, especially if it’s no longer needed. 7. What Happens in Case of a Data Breach? Make sure they explain how they handle data breaches or unauthorized access to your personal data. Privacy policies may be long and a bit boring, but they protect you and your personal information. Skimming through these key points ensures you are making informed decisions about where and how you share your data. #DataPrivacyWeek #PrivacyPolicies #DigitalRights #DataProtection #CyberSecurity

Sharing a few new papers this week! First up - my new analysis of AI companies' privacy policies. We find major companies train on childrens' data and that each company now trains on user data by default Here are a few highlights from the paper: ► We develop a novel qualitative coding schema based on the California Consumer Privacy Act and apply it to privacy policies for LLM chatbots from Amazon, Anthropic, Google, Meta, Microsoft, and OpenAI ► In addition to chat data, which these companies train on by default, companies may also train their AI models on other user provided data. This includes voice data (Microsoft, Google), images (OpenAI, Microsoft, Google), user data from other platforms (Meta, Microsoft) ► Companies make bold arguments for why users should not opt out of using data for training. OpenAI says users should “Improve the model for everyone: Allow your content to be used to train our models, which makes ChatGPT better for you and everyone who uses it” ► Unlike other companies, it is unclear whether it is possible to opt out of using chat data for training using Amazon or Meta's chatbots ► We recommend that (i) companies require user opt-in for use of chat data to train or improve AI systems (as Anthropic did earlier this year, before it changed its policies to mirror those of other companies), (ii) companies improve the transparency of their privacy policies as they apply to AI systems (much of the key information under California privacy law was not discoverable or was unclear), and (iii) US lawmakers should pass comprehensive privacy legislation in light of the risks from AI related to children's' rights, data leakage and surveillance Thanks to Stanford Institute for Human-Centered Artificial Intelligence (HAI) for supporting this work! It was great to collaborate with Dr. Jennifer King, Emily Capstick, Tiffany Saade, and Victoria H. I am presenting our work today in Madrid at the AI Ethics and Society conference

🇫🇷 CNIL just published guidance on informing data subject in the context of AI + GDPR (Jan. 5, 2026). 🤖 A few quick takeaways: ✅ 1) The scope is broad. CNIL frames transparency as applying whether data is collected directly (first-party) or indirectly (downloads, web scraping tools, APIs, partners, data brokers, reuse of existing datasets). It also flags that this includes data generated by the controller, citing a CJEU decision. ✅ 2)  Timing: If data is not collected directly, CNIL reiterates the expectation to inform data subjects as soon as possible and within one month of retrieving the data (or earlier at first contact / first disclosure to a recipient, as applicable). Also notable: CNIL encourages a reasonable time gap between notice and model training when data is particularly sensitive, so rights can be exercised before training (given the technical complexity of “fixing” things at the model layer). ✅ 3) CNIL is explicit that AI complexity is not an excuse: information should be clear, intelligible, and easily accessible, and can use diagrams explaining how data is used in training, how the AI system works, and the distinction between the training dataset, the model, and outputs. ✅ 4) CNIL notes the GDPR derogation where individual notice is impractical or would require disproportionate effort, but stresses case-by-case analysis and documenting the balancing of (i) privacy impact and (ii) burden/cost and lack of contact details, plus safeguards (e.g., pseudonymization, DPIA, reduced retention, security measures). https://lnkd.in/gvmfbJyi #GDPR #Privacy #AI #AIGovernance #CNIL #Compliance #DataProtection #LLM

Recently, the Court of Justice of the European Union (#CJEU) dropped a ruling that is bound to make waves in the #AI and #DataProtection world. At the heart of it? A simple yet powerful question: how much do individuals really get to know about the #automateddecisions that affect them? In Case C-203/22 Dun & Bradstreet Austria (https://lnkd.in/gfP7GNv6), the CJEU tackled the interpretation of Article 15(1)(h) of the #GDPR, which grants individuals the right to obtain ‘meaningful information about the logic involved’ in automated decision making (#ADM). Specifically, the court ruled that if an individual is subject to a decision based solely on automated processing that significantly impacts them, they have the right to an #explanation of that decision. That explanation must go beyond a cryptic algorithmic formula, rather , it should clarify the principles and procedures behind how personal data was processed to reach a particular outcome. Moreover, the information must be #concise, transparent, intelligible, and easily accessible. In other words, no hiding behind AI jargon. The complexity of the ADM process does not exempt companies from providing an explanation. However, this right is not absolute. If disclosing such information would infringe on #TradeSecrets or #intellectualproperty, the organization can withhold it, but it must share that information with a #supervisoryauthority or #Court, which will decide how to balance #competingrights. Good news: You don’t have to hand over your proprietary algorithms to just anyone who asks. Trade secrets remain protected, provided that supervisory authorities or courts can still review them. Not-so-good news: ‘Meaningful information’ about ADM must actually be meaningful, iei, a mere #privacypolicy mention or a vague description won’t cut it. Transparency is key: Businesses must find a way to explain ADM in a way that people can understand, balancing clarity with protecting #proprietarytechnology. The bottom line? People don’t always demand a different outcome, but they do demand to understand the process. And now, the law is making sure they get it. Brace yourselves: AI accountability just got real.

Personal Data, Pseudonymisation & Transparency–A Definitive Clarification by the Court of Justice. The Court of Justice’s judgment in EDPS vs. SRB offers important guidance on how personal data should be treated in scenarios involving pseudonymisation and third-party processing. The case arose when the Single Resolution Board (SRB), handling compensation claims following a bank resolution, transferred pseudonymised shareholder and creditor comments to an external auditor without informing them. The European Data Protection Supervisor (EDPS) found this to be a breach of transparency obligations under Regulation 2018/1725. The Court clarified that: ✔ Personal opinions or views are inherently linked to individuals and constitute personal data at the time of collection. ✔ Pseudonymised data is not automatically excluded from data protection rules—its identifiability must be assessed in context. ✔ The obligation to provide information to data subjects applies at the time of collection and depends on the controller’s perspective—not on third-party processing. Key takeaways for Counsels: * Transparency obligations arise at data collection, irrespective of downstream processing. * Pseudonymisation is context-dependent and not a blanket safeguard. * Data governance must be rooted in how personal data is gathered and used—not just technical safeguards. This ruling reinforces the need for robust data mapping, clear notices, and accountability mechanisms as organisations handle increasingly complex data flows. #DataProtection #GDPR #Pseudonymisation #Transparency #Compliance #InHouseCounsel #PrivacyLaw #RiskManagement #DataGovernance #LegalInsights

A reminder for privacy professionals, especially as many complete their annual privacy policy updates, to ensure all interactions are covered or create interaction specific policies. Too often, privacy policies are narrowly scoped to websites or mobile apps. While missing other channels, such as customer support interactions. This can include call recordings, identity or account verification details, agent notes, and quality assurance monitoring. When these collections are not clearly disclosed, organizations create a transparency gap. Privacy laws consistently require that individuals are informed before or at the point of collection, and that notices accurately describe the processing activity. A general privacy policy is not a safe harbor. Pointing individuals to a policy that does not cover offline or human-mediated interactions can raise risk under frameworks such as FTC Section 5, CCPA and CPRA notice-at-collection requirements, GDPR Articles 13 and 14, and state call recording and consent laws. The fix is not complicated, but it does require intentional governance: • Ensure privacy policies clearly apply to all interaction channels, not just web or app use • Add supplemental or contextual notices for customer support interactions • Align agent scripts and disclosures with actual data practices • Revisit notices as support tools, AI, or monitoring practices evolve Transparency is about ensuring the right notice reaches the individual at the right moment, for the right type of data collection.

A major decision from the Austrian Supreme Administrative Court has reaffirmed data subject’s access right under #GDPR, sending a clear message to credit information agencies and businesses using #automated decision-making. In this case, it was found that the agency violated Article 15(1)(h) #GDPR by failing to provide #meaningfulinformation about #logic and weighting of factors used in its #automated #creditscoring process. So, once again, #meaningful information is non-negotiable as data subjects have a robust right to understand how their personal data influences an automated decision (a #creditscore, in this case). Vague or general statements are insufficient. Information must be precise, transparent, and understandable, allowing the individual to know which data points held which influence and challenge the outcome. Furthermore, invoking #tradesecrets is not an option as mere existence of a trade secret (#scoringmethodology, in this case) cannot justify a complete refusal to provide the required Article 15(1)(h) information. As always in the #dataprotectionworld, finding a #balance and a common sense is key as the agency must demonstrate why explaining the factors and their influence would necessarily reveal the secret formula. This ruling, informed by relevant CJEU case law (including SCHUFA Holding and Dun & Bradstreet Austria), solidifies the obligation for businesses to be #transparent about the use of personal data in automated processes. https://lnkd.in/dUzSt6dN #GDPR #DataProtection #PrivacyLaw #CreditScoring #AutomatedDecisionMaking #Transparency #scoringmetholodogy

If you think “Privacy Policy” and “Privacy Notice” are just different names for the same thing, this post is for you. I’ve lost count of how many founders, team leaders, and even lawyers mix these up. The problem? Mixing them up can quietly erode user trust, expose you to compliance risks, and confuse your own employees about how data is really handled. Let’s open your eyes to the real difference (and why it matters): 🔍 What Most People Get Wrong → “We have a privacy policy on our site, so we’re covered.” → “Our notice to users is enough; policy details are boring.” Sound familiar? Most startups slap a “Privacy Policy” online and call it a day, never realizing it’s often written for lawyers, not users. Others write a “Privacy Notice” but use it to govern internal processes. This blurs the line, gives users a false sense of security, and leaves staff in the dark. 📝 Privacy Notice: For Your Users → Purpose: A direct message to your users or customers: what data you collect, why, how you use it, who you share it with, and their rights. → Audience: External (website/app visitors, customers, anyone whose data you touch). → Legal Reality: Required by laws like GDPR, CCPA must be clear, simple, and upfront. → Impact of Confusion: If your notice is missing or vague, you risk user backlash, government fines, and damaged brand trust. 📚 Privacy Policy: For Your Team → Purpose: The internal playbook for your business: how you handle, store, process, and protect personal data. Helps train employees, guide vendors, and ensure legal compliance. → Audience: Internal (employees, management, sometimes partners). → Legal Reality: Often reviewed by regulators during an audit, should be thorough, detailed, and enforceable. → Impact of Confusion: If your policy is only public-facing and not comprehensive, your team may act inconsistently (or illegally), leading to compliance gaps and potential breaches. 🚦 Why the Confusion Hurts → Users think they have more rights or transparency than they do, until a data breach hits. → Employees may mishandle data, thinking the public “policy” is the full story. → Regulators spot inconsistencies, triggering investigations or fines. → One careless privacy misstep can set your growth back a year. ✨ Tip for Founders & Teams - Don’t treat “Privacy Notice” and “Privacy Policy” as synonyms. Review both today. Ask yourself, whether your Privacy Notice is clear, user-focused, and compliant, or does your Privacy Policy actually guide staff and partners in practice, or are you saying one thing to users and doing another behind the scenes. If you’re unsure, or you want reality-checked privacy documents that protect your business and your people, let’s have a virtual coffee. __________________________________________________________________________________ I’m Ryan Mendonca, the Founder of YVLC.legal. We help startups with contracts, global IP, compliance, and growth. Follow for more, and DM for a Virtual Coffee.

I have read over 100 privacy policies in the last 8 months for EdTech vendors and Curipod does it right. If you are wondering what I am looking for in a privacy policy, just take a look at theirs (link in comments). What specifically blew me away? They list the exact data fields that are shared with them when you sign up for an account. No one else does this (at least no one else that I've reviewed). They also list out other concerns and are transparent about their data storage practice, how the personal information interacts with AI {it doesn't}, and how it interacts with Google Workspace when you give it permission to. These are typically things not posted publicly and I have to contact the company directly to find out, but Curipod puts it out there. Accessible practice. Amen to that. Is there room for improvement? Sure. It isn't perfect. I'd like a specified timeframe on notification when the policy is changed/updated, and the same with the breach response plan. But all-in-all this is now my gold standard for a privacy policy, that all other policies will be measured against. FYI I haven't even made an account and used it yet. I check privacy policy first. Let's see what it actually does now. #aiineducation #privacymatters #k12education #edtech

Swiss FDPIC issues detailed guidance articulating the Swiss approach to data protection aspects of cookies and trackers. Key points that are equally applicable to US providers: ◆ The Buck stops with you: If you integrate third-party services  into your website you are responsible for ensuring that those services comply with data protection regulations. You must understand their data processing, inform your users and get consent or provide an opt out [In the US this could be a 'sale' or a violation of wiretapping laws such as California CIPA or Federal ECPA] ◆ When in doubt, it's personal: Cookie data often becomes personal when linked to accounts, device IDs, or combined datasets. Where identifiability or risks are unclear, particularly with location data, assume personal data is involved and assess the need for impact assessments. ◆ “Normal” vs. high-risk profiling: Regular ad-targeting cookies that infer user interests constitute “normal” profiling " (retargeting for your own product/properties) and generally allow an opt-out. But when tracking across multiple sites or linking to external datasets produces deep behavioral or sensitive-data insights, it becomes high-risk profiling, requiring explicit opt-in consent and prominent disclosure [US laws treat cross context advertising differently than your own advertising] ◆ Unexpected or unusual cookie uses: Cookies employed for purposes contrary to what users reasonably expect (e.g., commercial profiling on charity or political sites) require special, prominent notice and often express consent, especially when sensitive data is involve. [Same in the US in order to avoid potential consumer protection violations under the FTC Act or State UDAP laws] ◆ Real transparency: Provide the information in an “appropriate manner”. This means allowing people to make a conscious and self-determined decision based on the information they receive and exercise their rights of alteration, such as consenting to or rejecting personal data processing or cookie usage in a legally compliant manner. The more extensive and unexpected the data processing is and the more seriously it intrudes on the data subject’s personality rights, the higher the requirements for the accessibility of the information. Graphic from Appendix A of the document. https://lnkd.in/e364cQbR