Can ChatGPT (Artificial Intelligence) write your Privacy Policy?


Donata Stroink-Skillrud

Co-founder and President of Termageddon


ChatGPT has recently taken the Internet by storm by writing screenplays, short stories, website copy, and even code. ChatGPT, which stands for Pre-trained Transformer, is an Artificial Intelligence (“AI”) chatbot created by OpenAI in November of 2022. ChatGPT aims to give human-like responses and to establish a dialogue between humans and AI. So, if ChatGPT can write essays and website copy, can you ask ChatGPT to write your website’s Privacy Policy too? The short answer is “yes,” but you (and privacy law enforcement authorities) may not like what you receive.

In this article, we will discuss the ability of ChatGPT to write a website Privacy Policy, along with examples of the issues in the Privacy Policies that ChatGPT produces, so that you can decide how to best protect your business.

What is a Privacy Policy? 

Just so we are all on the same page, a Privacy Policy is a document that explains your business’ privacy practices, such as what personal information your website collects, what you do with that information, and who you share it with, and it includes other disclosures as well. The disclosures within your Privacy Policy depend upon which privacy laws apply to you, as each privacy law has distinct Privacy Policy requirements. Thus, the first step is to determine which privacy laws apply to you. It is important to note that privacy laws protect individuals and thus can apply outside of the state or country in which they are passed. In addition, while some privacy laws exempt small businesses, most do not, and they can apply to you as soon as your website collects personal information such as names, emails, phone numbers or IP addresses. Lastly, the fines for violating privacy laws are high – from $2,500 per website visitor to €20,000,000 or more in total – so having a compliant Privacy Policy is very important.

Straight from the horse’s mouth: should you use ChatGPT to write your Privacy Policy? 

While generating Privacy Policies is not the intended use of ChatGPT, several individuals have used the tool to write their Privacy Policies. Thus, in the spirit of sportsmanship, our first task was to ask ChatGPT whether we should do so. Here is its response: 


Truthfully, this response seems accurate and is pretty impressive. ChatGPT can write a Privacy Policy for you but cannot provide you with legal advice, since it is an AI, not a lawyer. ChatGPT also states that it is not a legal expert, meaning that any Privacy Policy it writes will probably not include the disclosures that your Privacy Policy needs to contain under the privacy laws that apply to you.

Test 1: Can ChatGPT write a simple Privacy Policy? 

To begin, we asked ChatGPT to write a simple Privacy Policy for termageddon.com.

At first glance, this Privacy Policy looks pretty good – it is short, easy to read, and provides information in a concise manner. To a trained eye, however, the following issues become immediately apparent:

Issue 1: This Privacy Policy is not based on any privacy laws

As discussed previously, the disclosures within a Privacy Policy must be based on the privacy laws that apply to you, as each privacy law has its own set of disclosures that it requires you to make. ChatGPT did not help me determine which privacy laws apply to me, nor did it even ask me which privacy laws apply to me, so this Privacy Policy is not based on any privacy laws. In fact, consider one of the simpler privacy laws, the California Online Privacy and Protection Act (CalOPPA), which applies to businesses that collect the personal information of residents of California: this Privacy Policy will not comply with that law, as it does not disclose how my website responds to Do Not Track signals, nor does it state who I share personal information with. More complex privacy laws require more extensive disclosures, which are not included here either. Thus, using this Privacy Policy would lead to non-compliance issues and could put your business at risk of fines.

Issue 2: This Privacy Policy does not fit actual business practices

Multiple privacy laws, as well as the Federal Trade Commission, state that your Privacy Policy must be accurate as to your actual business practices. When writing this Privacy Policy, ChatGPT did not ask me what personal information I collect, how I use it or how I protect it. The Privacy Policy written by ChatGPT states that I collect names and email addresses when someone creates an account or uses my service. However, what if your website does not allow individuals to create an account or to use a particular service? In addition, what if you also collect IP addresses, home addresses, or credit card numbers? Lastly, this Privacy Policy states that we use encryption and firewalls. If you do not, this can lead to class action lawsuits in which consumers claim that a reasonable expectation of security was established by your Privacy Policy, which can be an issue in case of a data breach. In this case, the Privacy Policy created for you by ChatGPT would not fit your business practices and thus would be in violation of multiple privacy laws and could even lead to Federal Trade Commission enforcement actions.

Issue 3: This Privacy Policy will not update as the laws change 

With new privacy laws going into effect each year, more than a dozen proposed privacy bills in the United States, and countries like Canada and the United Kingdom considering updates to their privacy laws, Privacy Policies will change. That is because each of these laws and bills will have its own requirements for Privacy Policies. While ChatGPT can write you a screenplay, it will not contact you to update your Privacy Policy when new laws are passed or existing privacy laws change, thus leaving you out of compliance and at risk of fines.

Test 2: Can ChatGPT write a GDPR compliant Privacy Policy? 

For our second test, we asked ChatGPT to write a Privacy Policy that complies with the privacy law that protects residents of the European Union, the General Data Protection Regulation (GDPR). Here is the result:

Issue 1: Does GDPR actually apply to you? 

As discussed before, ChatGPT cannot determine which privacy laws apply because it does not ask questions. Thus, when using ChatGPT, it is up to the business owner to determine which privacy laws apply to them, which means reading each privacy law and interpreting the factors that decide who it applies to. In this case, we told ChatGPT that GDPR applies to us, so the tool assumes that this is indeed the case; we cannot entirely blame the tool for this issue if GDPR does not actually apply to us.

Issue 2: This Privacy Policy is not GDPR compliant

GDPR has a very specific set of disclosures that it requires Privacy Policies to make. The chart below compares these requirements with the Privacy Policy written by ChatGPT:

| Privacy Policy disclosure requirement | Does the ChatGPT-written Privacy Policy include this disclosure? |
| --- | --- |
| Last updated date | Yes |
| Your name and contact information | No – the Privacy Policy does not provide the company name and does not list actual contact information |
| What personal information is collected | Yes |
| The legal basis for collecting and processing the personal information | No |
| Purposes for which the personal information will be used | Yes |
| Consequences for not providing personal information | No |
| Whether personal information will be shared | Yes, but the text is self-contradictory: it first states that personal information will not be shared, but then states that personal information may be shared with third-party service providers. |
| The categories or names of the third parties with whom personal information will be shared | No |
| The privacy rights provided to individuals | Yes. However, certain privacy rights, such as the right to portability and the right to complain to a competent authority, are missing. |
| How individuals can exercise their privacy rights | Yes |
| How long personal information is stored | Yes. However, the disclosure is contradictory. The Privacy Policy states that personal information will be used to send promotional materials, but also states that personal information will only be retained as long as necessary to provide the individual with products and services and to comply with legal and regulatory requirements. Since sending promotional materials is neither the provision of products and services nor a legal or regulatory requirement, personal information cannot be stored long enough to actually send the promotional materials, making these disclosures contradictory. |
| If personal information is used for automated decision making or profiling, the logic behind such automated decision making or profiling | No (if you do use the personal information for automated decision making or profiling). |
| Where personal information will be transferred to | No |
| If the business has a Data Protection Officer, that Data Protection Officer’s name and contact details | No (if you do have a Data Protection Officer). |
| Use of cookies and other tracking technologies | No |
| How individuals will be notified of updates to the Privacy Policy | Yes |

As you can see from the above, the Privacy Policy written by ChatGPT is not actually compliant with GDPR, because it misses more than half of the disclosures required by this privacy law. In addition, several of the disclosures that are provided contradict the remainder of the Privacy Policy, making this Privacy Policy confusing and non-compliant.

Issue 3: This Privacy Policy does not fit actual business practices

As stated before, ChatGPT inserts text that may sound good, but that text will not fit your actual business practices. This is problematic because GDPR specifically states that a Privacy Policy must be transparent regarding the collection and processing of personal information. If a Privacy Policy is not accurate as to privacy practices, then the provided information is not transparent. For example, this Privacy Policy states that the business may use personal information to send promotional materials, which may not be the case for your business. In addition, this Privacy Policy also states that personal information may be shared with payment processors, which may not be the case if your website does not have eCommerce functionality. It is interesting to compare the first test to the second test here – the second Privacy Policy contains quite a few more disclosures, but they appear to be created at random, without any regard for the actual privacy practices of the business for whom the Privacy Policy is being written, thereby putting this business at risk of GDPR non-compliance fines.

Test 3: Can ChatGPT write a GDPR compliant Privacy Policy when it is provided with all necessary information? 

This Privacy Policy is much better than the other Privacy Policies provided by ChatGPT and is actually pretty impressive. However, it still has several issues: 

Issue 1: You have to know the Privacy Policy disclosures to provide to ChatGPT 

The first issue with this Privacy Policy is that you, as the business owner, will still need to provide ChatGPT with the exact disclosures that your Privacy Policy needs to contain. This means that you will need to spend hours, days, or even weeks first determining which privacy laws apply to you, analyzing the disclosure requirements of those laws, and then providing this information to ChatGPT, along with your specific business practices.

Issue 2: This Privacy Policy does not combine other privacy laws 

If only GDPR applies to you, then you may be able to get away with using this Privacy Policy. However, it is unclear whether ChatGPT would be able to incorporate other privacy laws into this Privacy Policy. It is important to note here that having a GDPR-compliant Privacy Policy does not mean that you are automatically compliant with other privacy laws, as each privacy law has its own set of required disclosures. For example, CalOPPA requires websites to disclose how they respond to Do Not Track signals. This requirement is not present in GDPR, so a GDPR-compliant Privacy Policy would not satisfy CalOPPA, nor other privacy laws with their own requirements.

Issue 3: This Privacy Policy does not update as the laws change 

As mentioned before, ChatGPT will not update your Privacy Policy as the laws change. With more privacy laws going into effect this year and over a dozen proposed privacy bills, this can leave you out of compliance and at risk of fines in the future.

The final verdict: can you use ChatGPT to write your Privacy Policy? 

After performing our tests, we have determined that the only way to receive a reasonably workable Privacy Policy from ChatGPT is if: 

  1. Only one privacy law applies to you; 
  2. You provide ChatGPT with all of the disclosures required by that privacy law; 
  3. You provide ChatGPT with your exact privacy practices; and 
  4. You don’t mind having to update the Privacy Policy yourself when existing privacy laws change or new privacy laws are enacted. 

Thus, ChatGPT can be a viable solution for some privacy experts to use to write Privacy Policies. However, it is really not a great solution for people who are not privacy experts, nor for small businesses that do not have the time to determine which privacy laws apply to them and what the disclosure requirements of those privacy laws are. The best solution for obtaining a Privacy Policy is still using a privacy attorney or an auto-updating Privacy Policy generator like Termageddon.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
