The Matrix

Privacy Implications. Utilizing AI applications has privacy and data protection implications. As an initial matter, information provided to, or provided by, large language models may include personal data. Businesses should be careful sharing personal data with AI programs operated by third parties because doing so may be inconsistent with a business’s privacy policy and therefore may require additional notice to, or consent from, consumers. In addition, there is limited information about the data sets that are used to build the “brains” of natural language processing models, so it is possible that these technologies may disclose personal, non-public data to businesses using the systems. That also may be the case if a business accesses a large language model through an Application Programming Interface (API) license. Businesses that obtain such personal data should understand what data they collect and only use and store personal data that is directly relevant and necessary to accomplish a specified business purpose (“data minimization”).

Businesses that provide or receive information through large language models also should consider whether “data subject rights requests” are implicated. Residents of California, and a growing list of other states, as well as individuals located in the European Union are able to request, the deletion or correction of personal information and are entitled to know what personal information has been collected and how such information has been used and disclosed. In addition, evolving state laws allow consumers to opt-out of the sale or sharing of personal data, as well as automated decision-making and profiling, under certain circumstances. Honoring such requests, and determining the party ultimately responsible to do so, may have complications. Ultimately, businesses that incorporate AI programs should consider conducting a privacy impact assessment and implementing privacy and security by design when implementing new products and services that incorporate AI. Business aiming to responsibly incorporate AI into their processes, product and services also can utilize the AI Risk Management Framework released by the National Institute of Standards and Technology earlier this year.

Advertising and Marketing Implications. The FTC recently issued guidance regarding claims made by businesses whose products purportedly incorporate AI. The FTC warned that businesses should be able to provide proof for any claim that, among other things, AI used in their products enhances such products or otherwise makes the products better than other products which may or may not utilize AI. Similarly, businesses should be able to substantiate performance claims relating to the capabilities of products that incorporate AI. The FTC has stated that such claims may be deceptive if they lack scientific support or if they apply only to certain types of users or under certain conditions. The FTC’s recent guidance follows a blog post issued in 2021 in which the FTC noted its authority to regulate AI under the FTC Act, the Fair Credit Reporting Act, and the Equal Credit Opportunity Act.