-Alexa, please don’t collect my data.
-Leave her alone. She’s just trying to do her job.


Privacy in voice AI often raises eyebrows and is the subject of jokes, as seen in the above example from The Onion, the satire website. Big Tech (Apple, Amazon, Google and Microsoft) started it. Amazon even struggled to keep track of the personal data it collected and could not identify storage locations, let alone leaks. However, they were not alone. Independent voice AI vendors, such as Otter and even the toy manufacturer Mattel, owner of Barbie, contributed to this stigma.

Consumers want to have control over their data AND understand how it is being used
Global population whose personal data covered under the privacy regulations by 2024
Large enterprises’ differentiation focused average yearly privacy budget by 2024

Enterprises are now more careful with customer data thanks to the public reaction and regulations. For example, users receive notifications such as “your audio will be sent to Google to provide speech recognition service”, or can delete Alexa recordings. They can request that Google Speech-to-Text not use their data by paying 50% more. Moreover, Big Tech started moving to on-device speech recognition for their first-party devices.

GDPR and CCPA have a significant impact on this shift.

What’s GDPR?

GDPR stands for General Data Protection Regulation and is a European Union regulation effective since 2018. GDPR addresses the need for individuals' control over their data and unifies rules for businesses serving EU residents. GDPR considers voice to be Personally Identifiable Information (PII) because voice recordings provide information on gender, ethnic origin or potential diseases. Thus, even if users do not share their names or credit card information in recordings, voice recordings are still PII. Considering voice can be faked, e.g. Alexa impersonating voices, treating it as PII shouldn’t be surprising.

What’s CCPA?

CCPA stands for California Consumer Privacy Act. It became effective in January 2020. CCPA focuses on giving individuals control over their data, including what information is collected, how it is used and whether it is sold. CCPA considers audio recordings personal information and grants California residents the right to request information about them, too.

In a nutshell, GDPR and CCPA deal with individuals’ data. They require organizations to

  • inform users about what is collected and how it is used
  • grant users an option to say no to sales of their data
  • give users access to their data
  • enable users to get their data deleted (the right to be forgotten).

Some misbeliefs about GDPR and CCPA:

  • “If a company is GDPR-compliant, it’s also CCPA-compliant or vice-versa.” Although GDPR and CCPA both focus on protecting personal data, there are nuances.
  • “If a company is not in Europe or California, GDPR or CCPA doesn’t apply.” Both GDPR and CCPA protect the rights of residents. Thus, they focus on whether a company handles EU or California residents’ data rather than on where the company is located.

What are the differences between GDPR and CCPA?

  • Definition of personal data:

CCPA covers individual and household data, whereas the GDPR remains exclusively individual. Yet, GDPR has a broader definition of personal information: anything related to individuals’ physical, physiological, genetic, mental, economic, cultural or social identities.

  • Impacted organizations:

GDPR applies to any organization, including non-profits, whereas CCPA applies to enterprises that have annual gross revenues above $25 million, handle the personal information of 50,000 or more consumers or households, or earn more than half of their annual revenue from selling consumers' personal information.

  • Definition of sell:

CCPA treats “valuable considerations” as money. If a company works with an analytics firm for data analysis and lets that firm use the data for its own benefit, such as improving its offerings, it’s considered a sale.

Besides California, an increasing number of US states are passing privacy laws. In October, the White House released an executive order on the EU-U.S. Data Privacy Framework. The Department of Commerce is still working on privacy policies and self-certification guidelines in line with the new framework.

We prepared a list of questions to ask before sending any data to a third-party cloud to ensure the privacy and security of your data.

Disclaimer: The information provided on this page is for general informational purposes only, and is not legal advice.