"
-Alexa, please don’t collect my data.
-Leave her alone. She’s just trying to do her job.
"
Privacy in voice AI often raises eyebrows and is the subject of jokes, as seen in the above example from The Onion, the satire website. Big Tech (Apple, Amazon, Google and Microsoft) started it. Amazon even struggled to keep track of personal data collected and could not identify storage locations, let alone leaks. However, they were not alone. Independent voice AI vendors, such as Otter and even the toy manufacturer Mattel, owner of Barbie, contributed to this stigma.
Enterprises are now more careful with customer data thanks to the public reaction and regulations. For example, users receive notifications such as “your audio will be sent to Google to provide speech recognition service.” or can delete Alexa recordings. They can request Google Speech-to-Text not to use their data by paying 50% more. Moreover, Big Tech started moving to on-device speech recognition for their first-party devices.
GDPR and CCPA have a significant impact on this shift.
What’s GDPR?
GDPR stands for General Data Protection Regulation and is a European Union regulation effective since 2018. GDPR addresses the need for individuals' control over their data and unifies rules for businesses serving EU residents. GDPR considers voice as Personally Identifiable Information (PII) as voice recordings provide information on gender, ethnic origin or potential diseases. Thus, even if users do not share their names or credit card information in recordings, voice recordings are still PII. Considering voice can be faked, e.g. Alexa impersonating voices, treating it as PII shouldn’t be surprising.
What’s CCPA?
CCPA stands for California Consumer Privacy Act. It became effective in January 2020. CCPA focuses on giving individuals control over their data, including what information is collected, how it is used or whether it is sold. CCPA considers audio recordings personal information and grants California residents the right to request information about them, too.
In a nutshell, GDPR and CCPA deal with individuals’ data. They require organizations to
- inform users about what is collected and how it is used
- grant users an option to say no to sales of their data
- give users access to their data
- enable users to get their data deleted (the right to be forgotten).
Some misbeliefs about GDPR and CCPA:
- “If a company is GDPR-compliant, it’s also CCPA-compliant or vice-versa.” Although GDPR and CCPA both focus on protecting personal data, there are nuances.
- “If a company is not in Europe or California, GDPR or CCPA doesn’t apply.” Both GDPR and CCPA protect the rights of the residents. Thus they focus on whether a company handles EU or California residents’ data rather than its location.
What are the differences between GDPR and CCPA?
- Definition of personal data: CCPA covers individual and household data, whereas the GDPR remains exclusively individual. Yet, GDPR has a broader definition of personal information: anything related to individuals’ physical, physiological, genetic, mental, economic, cultural or social identities.
- Impacted organizations: GDPR applies to any organization, including non-profits, whereas CCPA applies to enterprises that have annual gross revenues above $25 million, handle personal information of 50,000 or more consumers or households, or earn more than half of their annual revenue from selling consumers' personal information.
- Definition of sell: CCPA treats “valuable considerations” as money. If a company works with an analytics firm for data analysis and lets the firm use the data for its own benefit, such as improving offerings, it’s considered a sale.
Besides California, an increasing number of US states are passing privacy laws. In October, the White House released an executive order on the EU-U.S. Data Privacy Framework. The Department of Commerce is still working on privacy policies and self-certification guidelines in line with the new framework.
We prepared a list of questions to ask before sending any data to a 3rd party cloud to ensure the privacy and security of your data.
Disclaimer: The information provided on this page is for general informational purposes only, and is not legal advice.