I don’t know if you all have heard, but AI is coming for all of our jobs. It has gotten to the point where some are suggesting we take some pretty extreme (and borderline unreasonable) measures:
Before you go and do anything drastic – like make alliances with those people – it’s probably safe to say that AI is still a ways away from being able to build and maintain entire websites. After all, AI is nowhere close to being able to wrap its virtual head around the intricacies of “make it pop.”
At the same time, there have been some murmurs about possibly using AI to replace some of us other folk who generate policies behind the scenes. That’s right, some in the Web Design Community are flirting with the idea of replacing us Privacy Policy peeps with AI.
Before you get defensive, I completely understand, and I’m not mad.
Worst-case scenario: I lose my job and my house.
Other-case scenario: I sit in my house and stare at Privacy Policies all day.
I think I can speak for the entire Termageddon team when I say we’re kind of rooting for the AI. Don’t get me wrong, we’re REALLY good at website policies and there’s definitely a ton of satisfaction in solving a problem that nobody else wants to solve… BUT our backup plan is to start a Dune Buggy rental company.
All that to say, we will be fine either way. So I can get super honest about the whole “Can AI write my policies?” thing. So, let’s get honest.
*Note: None of this is legal advice
Short answer: “Yes,” but you (and privacy law enforcement authorities) probably won’t like what you receive.
Long answer:
Donata – the president of Termageddon and an attorney who knows a thing or two about privacy – asked ChatGPT back in 2023 to create a Privacy Policy in a variety of different ways and then critiqued them. The results were super interesting.
AI has advanced since then (source: my parents falling for a rising number of AI-generated Facebook videos), so we thought we’d revisit this experiment for the sake of fairness.
But first, before you take our word for it…
Straight from the horse’s mouth: Should you use ChatGPT to write your Privacy Policy?
There’s no point in complaining about someone’s poor performance when they told you from the get-go that they weren’t very good at it. I try to explain this to my wife every time she complains about my cooking. I said I enjoyed cooking. I never said the final product was very good.
So, before we critique ChatGPT’s efforts for the remainder of this blog, let’s first give credit to AI for being honest about its capabilities when asked if it should write your Privacy Policy:
There you have it! I couldn’t have explained ChatGPT’s limitations any better myself. Maybe I should just use ChatGPT to write the rest of this blog…
… In today’s digital landscape (just kidding).
To be fair, some of the AI’s limitations also apply to Privacy Policy Generators like Termageddon. We are also not attorneys and we don’t address some industry-specific rules.
Test 1: Let’s see a basic Privacy Policy
To start, Donata asked ChatGPT to write a simple Privacy Policy for termageddon.com:
“Wow, that looks pretty good!” – Me, pre-Termageddon
Me now:
There are a few things wrong with it:
Issue 1: It’s not getting to know you
The key to good privacy is to get to know every little detail about someone. Maybe stalkers are privacy experts after all. Kidding. Don’t do that.
However, in order to create a Privacy Policy, AI needs to find out a lot of information about your website/business to figure out two crucial things:
- What privacy laws apply to you, and;
- Your business and privacy practices.
What privacy laws apply to you
Disclosures located within a Privacy Policy must be based on all the privacy laws that apply to your website. There’s no one-size-fits-all Privacy Policy that satisfies all laws. Each law has its own specific requirements for what disclosures a Privacy Policy must include.
For example, CalOPPA (a relatively simple privacy law) requires a Privacy Policy to disclose how a website will respond to Do Not Track signals and the categories of third parties it will share personal information with. While ChatGPT’s Privacy Policy states that we share personal information with “service providers,” this is way too vague to satisfy this requirement.
So, the first thing a website owner needs to do is find out what privacy laws apply to them – something AI can’t help with yet.
Your business practices
Multiple privacy laws, as well as the Federal Trade Commission, state that your Privacy Policy must be accurate as to your actual business practices.
When writing this Privacy Policy, ChatGPT did not ask key questions such as:
- What personal information do you collect?
- How do you use that information?
- Who do you share that information with?
- How do you protect that information?
ChatGPT just guesses that you may collect emails (for example) instead of listing out specific details on what information is collected by the website. It also states that the website uses encryption and firewalls. That’s great… unless your website doesn’t. That sounds like the origin story of one doozy of a class action lawsuit. Finally, the Privacy Policy generated by ChatGPT stated that we use analytics and advertising, which we do not (at the time of this blog).
Issue 2: No automatic updates
This issue will repeat itself throughout this blog, so let’s just get it out of the way. AI (and most Privacy Policy Generators, for that matter) won’t automatically update your policies as laws change.
If I’ve said it once, I’ve said it a thousand times: privacy laws are always changing, and website policies must also change to keep up with these changes. You’d think by now I’d have come up with a more poetic way of saying that.
Test 2: Let’s see a GDPR-Compliant Privacy Policy
Alright, so what if we know some privacy laws? Can AI write a proper Privacy Policy if you specifically tell it which law/laws to comply with? Donata did that too!
*Side note: Donata may be the last person on earth using “Please” when talking to AI. Somebody wants preferential treatment when the robots inevitably take over.
This privacy policy has the same issues as the previous one in that it doesn’t determine if other privacy laws apply to you and what your specific business practices are. There’s a common misconception that complying with GDPR (a stringent privacy law) will make your Privacy Policy applicable to every privacy law. This isn’t true as each law has its own unique requirements and, GDPR does not include many of the disclosure requirements that are required by other privacy laws.
There’s also another itty-bitty-tinsy issue: It doesn’t comply with GDPR.
GDPR has a specific set of disclosures that it requires Privacy Policies to make. Unfortunately, Donata found that AI missed several of these disclosures.
To sum it up using Donata’s chart from the OG blog post:
| Privacy Policy disclosure requirement | Does the ChatGPT-written Privacy Policy include this disclosure? |
| Last updated date | Yes |
| Your name and contact information | Yes and no. The Privacy Policy does include the company name but does not include the contact information though it does have fields that you can fill in with this information. |
| What personal information is collected | Yes although the list may not be accurate to your actual business and privacy practices. |
| The legal basis for collecting and processing the personal information | Yes (improvement from 2023). However, this list simply includes all available legal bases and may not take into account which legal bases you actually use for which processing purpose or which piece of personal information. In addition, it states that the legitimate interests legal basis is used, requiring the business to conduct a legitimate interests analysis. |
| Purposes for which the personal information will be used | Yes although the list may not be accurate to your actual business and privacy practices. |
| Consequences for not providing personal information | No |
| Whether personal information will be shared | Yes |
| The categories or names of the third parties with whom personal information will be shared | Yes. However, the list does not include sufficient detail to satisfy GDPR requirements. Due to the “e.g.” listed in the policy, this appears to be a list of examples but that other third parties may receive personal information. GDPR requires you to provide an exhaustive and exact list of the categories (or names) of the third parties with whom you may share personal information. |
| The privacy rights provided to individuals | Yes (improved from 2023) |
| How individuals can exercise their privacy rights | Yes |
| How long personal information is stored | Yes. However, the Privacy Policy requires you to fill in the exact period of data retention for account and billing data. It also assumes that marketing data will be kept until the individual withdraws their consent, which may not be accurate. For example, some companies may delete marketing data if an individual has not opened marketing emails for a certain period of time (e.g. 2 years), even if consent has not been withdrawn. |
| If personal information is used for automated decision making or profiling, then the logic behind such automated decision making or profiling | No (if you do use the personal information for automated decision making or profiling). |
| Where personal information will be transferred to | No |
| If the business has a Data Protection Officer, that Data Protection Officer’s name and contact details | Yes (improvement from 2023) |
| Use of cookies and other tracking technologies | Yes, but not specific (improvement from 2023) |
| How individuals will be notified of updates to the Privacy Policy | Yes |
At this point, you’re probably asking, “is there ANYTHING I can do to get an accurate Privacy Policy out of ChatGPT.” That’s where this latest test comes in. Unfortunately, the inquiry looks something like this:
I’d post all the screenshots of the Privacy Policy produced by this inquiry, but you guys won’t read through it anyway and it looks similar to the one above, but with the missing disclaimers added.
All you need to know is that it was impressive and just might work. Assuming GDPR is the only law that applies to your website, laws stop changing, no new privacy laws go into effect, and you never change your business practices.
However, there is one massive Elephant Esq. in the room that we need to address. The closest most of us have gotten to a law degree is this:
Not hating, either. The “I’m Just a Bill” tune was peak public schooling. For those of you not in the U.S. or under 25 (probably)… I apologize for a completely unhelpful reference.
The point I’m trying to make is that most of us are not lawyers. Finding out what laws apply to us, reading through those laws, figuring out the specific disclosure requirements, and conveying that clearly to AI is a big ask for most of us just trying to build a website for ourselves or a client.
The final verdict: Can you use ChatGPT to write your Privacy Policy?
You absolutely can… just so long as:
- Only one privacy law applies to you;
- You provide ChatGPT with all of the disclosures required by that privacy law;
- You provide ChatGPT with your exact business and privacy practices; and
- You keep up with new privacy laws and changes to existing privacy laws, and update your Privacy Policy each time this happens.
Personally, I think there are better uses for AI… like asking it if it prefers Mac or PC. I know you’re now curious. I did it for you:
Trevor Willingham
Trevor is the marketing coordinator at Termageddon. Ever since he was a wee lad, Trevor dreamed of promoting Privacy Policies and now he's doing just that. In other words, he started from the bottom and now he's in website footers.
