AI Generated Privacy Policy Examined: Should You Use ChatGPT?

By: Etienne Cussol CIPP/E, CIPM Etienne Cussol CIPP/E, CIPM | Updated on: October 1, 2024

Generate a Free Privacy Policy
AI-Privacy-Policy-Examined-Should-You-Use-ChatGPT-01

Artificial intelligence (AI) can do a lot — from internet search engines to filtering out spam emails from our inboxes — but can it write your privacy policy for you?

As Termly’s Compliance Analyst, I’ve worked in the data privacy industry for several years, and rumors about businesses using ChatGPT to make privacy policies piqued my curiosity.

Are the final documents actually legally sound? What prompts do these businesses use to ensure the final clauses reflect their data processing activities?

I put ChatGPT to the test by asking it to make a compliant privacy notice.

Come along on this AI experiment with me, see what type of policy it created, and let me know you if you think AI has replaced the need for humans in the world of data privacy or if privacy policy generators are here to stay.

Table of Contents
  1. Can You Use ChatGPT For a Privacy Policy?
  2. ChatGPT Privacy Policy Testing
  3. Why You Have To Be Careful With ChatGPT
  4. Better Solution For Your Privacy Policy
  5. Summary

Can You Use ChatGPT For a Privacy Policy?

Imagine asking an AI to make your business a unique, accurate, legally compliant privacy policy. What a dream! While we may get there one day, right now, the human touch is still very necessary, especially if you want to avoid violating any data privacy laws.

When I experimented using ChatGPT to create an accurate privacy policy, I quickly noticed that even when it gave me decent results, I still needed to carefully review every part of the final document.

Every ChatGPT privacy policy iteration required multiple edits, revisions, and updates.

You may be saying, Etienne, doesn’t this mean I can use ChatGPT to at least create a rough draft for me?

You absolutely can, but I still suggest using a free privacy policy generator or template instead, especially one that’s vetted by a legal team and data privacy experts.

You see, your privacy policy must inform website users about your transparent data privacy practices and help you comply with all applicable privacy laws.

A Generator does this for you, and you don’t have to write as much as you do to get a similar but still imperfect result from our AI friend, which can never guarantee that your final policy is legally sound or accurate.

But I’m getting ahead of myself — first, let’s cover some basics.

What Is AI & ChatGPT?

In its simplest form, artificial intelligence, or AI, refers to when a machine can demonstrate human intelligence — it can perceive, synthesize, make inferences, problem-solve, and even fight cyberattacks.

ChaptGPT is an artificially intelligent chatbot developed by a group called OpenAI.

The ‘GPT’ stands for generative pre-trained transformer, which refers to a series of large language models or LLMs.

The LLMs that train ChatGPT use deep learning (aka, machine learning that closely mimics how humans process information) to recognize complex patterns, texts, syntax, and diction.

It also has access to a data set filled with millions, if not billions, of written-word examples that come from textbooks, online articles, websites, and other sources.

Because of this, it can use natural-sounding language, have human-like conversations, and create different types of written content, like social media posts, essays, codes, and emails.

But, as it turns out, it still can’t quite write a compliant privacy policy for you. Let me explain.

ChatGPT Privacy Policy Testing

Now onto the fun part! Before showing you my results, let me walk you through the different prompts I used when asking ChatGPT to make a privacy policy.

After rigorous testing, I settled on using the following three prompt, which got more specific each time.

Test ChatGPT Prompt
#1 “Please write a privacy policy for https://termly.io/
#2 “Write a privacy policy for https://termly.io/ that is GDPR compliant”
#3 “Write a privacy policy for https://termly.io/ that includes the following information:

For EEA/UK users:

  • Company name and contact details: Termly LLC, [email protected]
  • Contact details of the data protection officer: [email protected]
  • Purposes of the processing: provide our services and products, process payment, provide marketing offers
  • Legal basis: we rely on contract, consent, and legitimate interest to process personal information
  • Third parties or categories of third parties processing personal information: data analytics services, customer relationship management platforms, payment processors
  • International transfers: we transfer information to the US, for which we rely on Standard Contractual Clauses, available in our Data Processing Agreement 
  • Retention period of personal information collected: we keep the information as long as you have an account with us, for purposes applicable, or to comply with laws and regulations
  • You have the right to access, rectify, erase, restrict the processing of your personal information, and the right to withdraw consent
  • We use automated decision-making, including profiling, as part of our marketing practices
  • You have the right to lodge a complaint with a supervisory authority
  • In some cases, the provision of personal data may be a statutory or contractual requirement or necessary to enter into a contract
  • Categories of personal data: names, email, company name, IP addresses, device information, browser information, payment details, transaction history, and credit card details
  • We may obtain your personal information from other sources, such as social media or data analytics service providers

For Californian users:

  • You have the right to know, the right to delete, and the right to opt-out of the sharing or sale of your personal information
  • A “Do Not Sell or Share my personal information” link is available on our website
  • Categories of Personal information collected in the previous 12 months: names, email, company name, IP addresses, device information, browser information, payment details, transaction history, and credit card details
  • Sources from which personal information is collected: customers, end users, website visitors
  • We collect personal information for the following business purpose: provide our services and products, process payment, and provide marketing offers
  • Categories of third parties with whom the personal information is shared or sold: data analytics services, customer relationship management platforms, payment processors
  • Date of update of the privacy: April 18, 2023”

Now let’s go over what our AI friend created based on these three inquiries.

Test 1: Write a Privacy Policy For Termly

Initially, I kept the prompt request very broad and simple by asking ChatGPT to write a privacy policy for Termly. To me, this prompt is like the “control” of the experiment.

The result? The privacy policy does not apply to Termly’s legal scope.

See what ChatGPT provided below:

Test 1

Right away, I noticed that the AI couldn’t define the legal scope of the privacy policy, so the privacy policy it generated is not compliant.

Usually, the first step of writing a privacy policy is to identify which data protection laws apply to your business. This depends on things like your company location, where your customers come from, and your sector of activity.

But because ChatGPT doesn’t ask questions, it can’t identify what laws or regulations apply to your company.

If you tried to make a privacy policy this way, you’d still need to read through the data privacy laws and identify which ones affect your business. Then you’d need to go back into the privacy policy and add all relevant clauses and missing pieces to ensure it complies with those laws.

Essentially, you’d be writing the whole thing yourself. You’d be better off using a privacy policy template, which is properly formatted for you already and would at least have the added benefit of saving you time.

Test 2: Write a Privacy Policy For Termly That’s GDPR Compliant

I was a little more specific with my prompt for this next test. Let’s imagine we’ve identified that our company is only subject to the General Data Protection Regulation (GDPR) — can ChatGPT write a privacy policy that complies with it?

The result? The privacy policy is missing necessary GDPR requirements and is NOT compliant.

Take a look at what ChatGPT gave me below:

Test 2 (1)

Test 2 (2)

Unfortunately, this is not a GDPR-compliant privacy policy.

If you posted it on your site, you could get fined for violating the Regulation. Nobody wants that.

In the table below, let’s compare the requirements of the GDPR to the privacy policy generated by ChatGPT so you can see precisely what parts of the Regulation this policy breaks.

GDPR Article GDPR Requirements ChatGPT Generated Privacy Policy
Articles 13 1(a)

  • (Information to be provided where personal data are collected from the data subject)
Identity and contact details of the Company. Partially Compliant

  • The company contact details are not provided
Article 13 1(b) Contact details of the data protection officer (DPO). Not Compliant
Article 13 1(c)  Purposes of the processing and your legal basis. Partially Compliant

  • The legal basis is not provided
Article 13 1(d) Third parties or categories of third parties processing the personal information. Yes
Article 13 1(f) International transfers, which safeguards are used for the transfer, and how to obtain information on these safeguards. Not Compliant
Articles 13 2(a) Retention period of the personal information you collected. Yes
Articles 13 2(b) +(c) The existence of rights to access, rectify, erase, and restrict the processing of personal information and the right to withdraw consent. Yes
Articles 13 2(f) The existence of automated decision-making, including profiling. Not Compliant
Articles 13 2(d) Right to lodge a complaint with a supervisory authority Not Compliant
Articles 13 2(e) If the provision of personal data is a statutory or contractual requirement or necessary to enter into a contract. Not Compliant
Article 14 1(d)

  • (Information to be provided where personal data has not been obtained from the data subject)
The categories of personal data. Yes
Article 14 2(f) From which source the personal data originates. Not Compliant

As you can see from the red text in the table above, the ChatGPT privacy policy is far from complying with every requirement of the GDPR.

Moreover, the information generated is not guaranteed to be correct.

For example, if you read through Section 2, ‘How We Use Your Information’, many purposes legally applicable to Termly are simply missing.

This is because ChatGPT is generating text using other pre-existing policies as a reference — it’s not based on any of our actual business practices.

We’re back to the original issue we experienced with the first test. ChatGPT needs to be provided with all of the correct information directly in the prompt because our AI friend can’t ask us for any specifications or corrections.

Test 3: Write a Privacy Policy For Termly That Includes The Following Information…

Now that we’ve established that ChatGPT needs specific information provided to it to write a compliant privacy policy let’s see if it can combine the requirements of several privacy laws if you feed it all of the necessary information.

This time, I’ve added details about the California Consumer Privacy Act (CCPA) and the GDPR.

In theory, this should finally give us a proper privacy agreement ready to be published online.

The result? The Privacy Policy includes all the requested elements but lacks clarity and formatting. It still needs human-applied edits.

As a reminder, here is the very thorough and specific prompt I fed to ChatGPT:

Below, read through the privacy policy that ChatGPT generated based on these long instructions:

Test 3

I am pleasantly surprised by these results. But I am also aware that it took a lot of time, effort, and writing on my part for us to get here. And, if I’m not mistaken, the hope is that using AI to make a privacy policy would lead to doing less work, not more.

The privacy policy that ChatGPT generated is satisfactory in that it includes all the requested elements. It even stated the privacy laws in the header without us asking for it:

‘If you are in the European Economic Area (EEA) or the United Kingdom (UK), please note that we comply with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. If you are a resident of California, please note that we comply with the California Consumer Privacy Act (CCPA).’

In our prompt, I also distinguished between the EEA/UK and Californian requirements, and our AI friend replicated it in the privacy policy.

As such, it can be considered a compliant privacy policy, and we can conclude that it’s possible to combine the requirements of different privacy laws so long as you provide the AI with a detailed and organized request.

However, a human is still needed to finalize this privacy policy.

The text that ChatGPT generated is more of a listing of our requirements than a logically crafted privacy agreement. It was able to include all of the information I asked for, but it didn’t organize it in any way.

A company using AI to generate its privacy policy would still need to review the content and potentially rewrite parts to make it more readable, coherent, and transparent (laws like the GDPR and the CCPA legally require this).

Why You Have To Be Careful With ChatGPT

So, where do these experiments leave us?

You must be careful with ChatGPT, especially if you think it can make you a compliant privacy policy. Right now, the technology simply isn’t there.

Because the AI pulls from pre-existing content, it’s not making a unique or individualized policy for your company. Instead, it’s a combination of all privacy policies on the internet.

It also tends to leave out legally required elements necessary for achieving full compliance — details you might not know are missing if you’re not a data privacy expert or lawyer.

You must also provide ChatGPT with a particular, specific set of directions. Writing these takes time, effort, and legal knowledge about business requirements and privacy policy obligations.

This is the same amount of effort needed to fill out a free privacy policy template (and those have a higher chance of being compliant on the first try).

Additionally, it’s significantly more complicated than using a free privacy policy generator, which requires very little to no writing at all.

Better Solution For Your Privacy Policy

If you’re a business owner who must follow data privacy laws, using a generator to make your privacy policy will be your best solution.

Our Generator provides you with a final draft that you can trust is legally sound and unique to your business because it uses the answers you provide to create the agreement.

Designed by product engineers and data privacy experts, it includes the appropriate clauses to follow seven different data protection laws, and we update it regularly whenever those laws change or if new ones enter into action.

Plus, you can easily make changes to it in real-time as needed directly from your Termly dashboard.

And trust me, the questions it asks you are easy to answer. See an example in the screenshot below:

termly-privacy-policy-generator-easy-questions

If you require a basic privacy policy, you don’t process any user data, or if your business doesn’t fall under any data privacy laws, I suggest using a free privacy policy template instead of relying on an AI like ChatGPT.

Honestly, templates are easier and faster to fill out manually than writing the detailed prompt required to get our AI friend to create an acceptable privacy policy.

See an example of our template in the screenshot below:

termly-privacy-policy-template-example

Summary

In my expert opinion, AI is currently not the most efficient or affordable way to write a compliant privacy policy.

Getting ChatGPT to present a legally sound privacy agreement required several inputs from me, a privacy expert — this could result in hours of work for a non-privacy-initiated employee.

For example, you would need to explicitly explain to it in your prompt the following details:

  • What privacy laws apply to your business
  • Your company’s contact information
  • The contact information for your Data Protection Officer
  • Your purposes for processing data
  • What categories of data you collect
  • If you sell or share it with any third parties
  • The categories of those third parties
  • Details about international data transfers

Writing all of this information down as the prompt for ChatGPT is essentially equal to writing half of a compliant privacy policy, so it’s not really quicker, it’s certainly not easier, and depending on your level of data privacy expertise, you might still need a lawyer to look it over.

Plus, your AI-generated privacy policy wouldn’t update automatically, so it can’t keep up with the evolution of data privacy laws.

Solutions like Termly’s privacy policy generator were built for privacy compliance, but ChatGPT wasn’t — I’ll let you choose which is better for protecting your business.

Etienne Cussol CIPP/E, CIPM
More about the author

Written by Etienne Cussol CIPP/E, CIPM

Etienne is an Information Privacy professional and compliance analyst for Termly. He has been with us since 2021, managing our own compliance with data protection laws and participating in our marketing researches. His fields of expertise - and interest - include data protection (GDPR, ePrivacy Directive, CCPA), tracking technologies (third-party cookies, fingerprinting), and new forms of privacy management (GPC and the Google Privacy Sandbox). Etienne studied International Economic Affairs at the University of Toulouse, and graduated with a Masters in 2017. More about the author

Related Articles

Explore more resources