WebKitty Creative Services LLC

Can ChatGPT (Artificial Intelligence) write your Privacy Policy?


ChatGPT has been making waves on the internet with its ability to write screenplays, short stories, website copy, and even code. This Artificial Intelligence (AI) chatbot was created by OpenAI in November 2022, and its aim is to provide human-like responses and stimulate a dialogue between humans and AI. While ChatGPT is capable of writing website Privacy Policies, the results may not meet the expectations of privacy law enforcement authorities or website owners.

This article will explore ChatGPT’s potential to produce a website Privacy Policy and highlight examples of the issues that may arise with the types of policies it generates. By understanding the limitations of ChatGPT’s abilities and the risks involved, website owners can make informed decisions about how to best protect their businesses.

What is a Privacy Policy?

To ensure that we are all on the same page, a Privacy Policy is a document that outlines your business’ privacy practices, including the personal information collected by your website, how it’s used, who it’s shared with, and other relevant disclosures. The contents of your Privacy Policy will vary based on the privacy laws that apply to your business, as each law has its specific Privacy Policy requirements. Therefore, the first step in creating your Privacy Policy is to determine which privacy laws apply to you.

It’s essential to note that privacy laws protect individuals and can apply outside of the state or country in which they are enacted. Although some privacy laws may exempt small businesses, most do not, and they can apply as soon as your website collects personal information such as names, emails, phone numbers, or IP addresses. It’s worth noting that the penalties for non-compliance with privacy laws can be high, ranging from $2,500 per website visitor to €20,000,000 or more in total. Therefore, having a compliant Privacy Policy is crucial for your business.

Is ChatGPT the Right Tool for Crafting Your Privacy Policy? Insights Directly from the Source

Though the primary purpose of ChatGPT is not to create Privacy Policies, a few people have employed the tool to generate their policies. As a result, we approached ChatGPT to ascertain whether this practice is appropriate. Here’s what the platform had to say:

In all honesty, the answer appears to be both precise and impressive. While ChatGPT is capable of generating a Privacy Policy, it cannot offer legal guidance as it is an AI, not a legal professional. Moreover, ChatGPT acknowledges that it lacks expertise in legal matters, implying that any Privacy Policy it drafts may not include the necessary disclosures required by relevant privacy laws.

Can ChatGPT write a simple Privacy Policy? 

Our starting point was requesting ChatGPT to produce a basic Privacy Policy for termageddon.com:

Upon initial inspection, the Privacy Policy appears to be well-organized, concise, and easily comprehensible. However, a close examination by an expert would reveal the following concerns:

Problem 1: This Privacy Policy is not based on any privacy laws

As previously noted, a Privacy Policy should be tailored to the specific privacy laws that are applicable to your business, as each law mandates its own unique set of disclosures. Unfortunately, ChatGPT did not assist in identifying the relevant privacy laws, nor did it inquire about which laws apply to your business. Consequently, the Privacy Policy is not founded on any privacy laws. Even a relatively uncomplicated privacy law such as the California Online Privacy Protection Act (CalOPPA), which pertains to businesses that gather personal information from California residents, would not be satisfied by this policy, since it does not reveal how your website responds to “Do Not Track” signals nor identify with whom personal information is shared. More complex privacy laws necessitate more extensive disclosures, which are also absent here. Therefore, utilizing this Privacy Policy could result in non-compliance issues and jeopardize your business with penalties.

Problem 2: This Privacy Policy does not fit actual business practices

According to multiple privacy laws and the Federal Trade Commission, it is imperative that your Privacy Policy accurately reflects your actual business practices. In the case of ChatGPT’s Privacy Policy, it was written without consulting you on the personal information that you collect, how you use it, and how you protect it. The policy states that you only collect names and email addresses when users create an account or use your service, but what if your website does not allow for account creation or specific services? Additionally, what if you also collect IP addresses, home addresses, or credit card numbers? If your Privacy Policy does not accurately reflect your business practices, you may be at risk for class action lawsuits in the event of a data breach, as consumers could argue that a reasonable expectation of security was established through your Privacy Policy. This could potentially lead to enforcement actions by the Federal Trade Commission and violate multiple privacy laws.

Problem 3: This Privacy Policy will not update as the laws change 

2023 will see the introduction of six new privacy laws, with over a dozen proposed bills in the United States, and updates to privacy laws being considered in countries such as Canada and the United Kingdom. As a result, Privacy Policies are expected to undergo changes, as each law and bill will come with its own set of requirements. However, it’s worth noting that while ChatGPT can assist with writing your Privacy Policy, it won’t be able to contact you when new laws are passed or existing laws are modified. This means that you may be at risk of non-compliance and subject to fines if your Privacy Policy is not updated accordingly.

Can ChatGPT write a GDPR-compliant Privacy Policy?

We tasked ChatGPT with drafting a Privacy Policy that adheres to the General Data Protection Regulation (GDPR), a privacy law aimed at safeguarding the privacy of European Union residents. Here’s what ChatGPT came up with:

Problem 1: Does GDPR actually apply to you? 

As previously mentioned, ChatGPT is unable to determine which privacy laws are applicable, because it does not ask the specific questions needed to make that determination. Therefore, it is the responsibility of the business owner to determine which privacy laws apply to their organization by examining and interpreting the relevant laws. In this particular instance, we instructed ChatGPT to draft a Privacy Policy that complies with GDPR. However, it’s important to note that if GDPR is not applicable to the business in question, the tool cannot be held entirely responsible for any resulting issues arising from the incorrect assumption. Ultimately, it is the business owner’s responsibility to ensure compliance with all applicable privacy laws.

Problem 2: This Privacy Policy is not GDPR compliant

The General Data Protection Regulation (GDPR) mandates certain disclosures that must be included in Privacy Policies. To assess compliance, we have created a chart that compares these requirements with the Privacy Policy generated by ChatGPT:

| Privacy Policy disclosure requirement | Does the ChatGPT-written Privacy Policy include this disclosure? |
| --- | --- |
| Last updated date | Yes |
| Your name and contact information | No: the Privacy Policy does not provide the company name and does not list actual contact information |
| What personal information is collected | Yes |
| The legal basis for collecting and processing the personal information | No |
| Purposes for which the personal information will be used | Yes |
| Consequences for not providing personal information | No |
| Whether personal information will be shared | Yes, but the text is self-contradictory: it first states that personal information will not be shared, but then states that personal information may be shared with third-party service providers. |
| The categories or names of the third parties with whom personal information will be shared | No |
| The privacy rights provided to individuals | Yes. However, certain privacy rights, such as the right to portability and the right to complain to a competent authority, are missing. |
| How individuals can exercise their privacy rights | Yes |
| How long personal information is stored | Yes. However, the disclosure is contradictory. The Privacy Policy states that personal information will be used to send promotional materials, but it also states that personal information will only be retained as long as necessary to provide the individual with products and services and to comply with legal and regulatory requirements. Since sending promotional materials is neither the provision of products and services nor a legal or regulatory requirement, personal information cannot be stored long enough to actually send the promotional materials, making these disclosures contradictory. |
| If personal information is used for automated decision making or profiling, the logic behind such automated decision making or profiling | No (if you do use the personal information for automated decision making or profiling). |
| Where personal information will be transferred to | No |
| If the business has a Data Protection Officer, that Data Protection Officer’s name and contact details | No (if you do have a Data Protection Officer). |
| Use of cookies and other tracking technologies | No |
| How individuals will be notified of updates to the Privacy Policy | Yes |

Based on the chart above, it’s evident that the Privacy Policy generated by ChatGPT falls short of GDPR compliance as it fails to include more than half of the required disclosures. Moreover, several of the disclosures that are included are inconsistent with the remaining portions of the Privacy Policy, thus rendering it confusing and non-compliant.

Problem 3: This Privacy Policy does not fit actual business practices

As previously mentioned, ChatGPT generates text that may appear suitable, but it may not align with your specific business practices. This poses a problem because GDPR mandates that Privacy Policies be transparent about the collection and processing of personal data. If a Privacy Policy contains inaccurate information regarding privacy practices, it fails to provide transparent information. For instance, the Privacy Policy generated by ChatGPT suggests that personal information may be used to send promotional materials, which may not be applicable to all businesses. Additionally, the Privacy Policy claims that personal information may be shared with payment processors, which may not be relevant if your website lacks eCommerce functionality. It’s worth noting that while the second test Privacy Policy includes more disclosures, they seem to be randomly generated without considering the actual privacy practices of the business, thus putting the business at risk of receiving GDPR non-compliance fines.

Can ChatGPT write a GDPR-compliant Privacy Policy when it is provided with all necessary information?

While this Privacy Policy is a significant improvement over other Privacy Policies generated by ChatGPT and is quite impressive, it still has several areas that require attention.

Problem 1: You have to know the Privacy Policy disclosures to provide to ChatGPT

The primary concern with this Privacy Policy is that as the business owner, you are responsible for providing ChatGPT with the precise disclosures that your Privacy Policy must include. This implies that you will need to dedicate a considerable amount of time, potentially hours or even days, to determine the relevant privacy laws that apply to your business, analyze the necessary disclosure requirements of those laws, and then provide this information to ChatGPT, along with your specific business practices.

Problem 2: This Privacy Policy does not combine other privacy laws 

If only GDPR is applicable to your business, then utilizing this Privacy Policy may suffice. However, it remains uncertain whether ChatGPT can integrate other privacy laws into this Privacy Policy. It is crucial to understand that adhering to GDPR compliance does not automatically guarantee compliance with other privacy laws since each law has its unique set of required disclosures. For instance, CalOPPA mandates websites to disclose their response to Do Not Track signals, which is absent in GDPR. Thus, a GDPR-compliant Privacy Policy would not suffice for CalOPPA and other privacy laws with similar requirements.

Problem 3: This Privacy Policy does not update as the laws change

As previously stated, ChatGPT will not modify your Privacy Policy to reflect changes in laws. Considering that this year has seen the implementation of six new privacy laws, and over a dozen proposed privacy bills, this approach could render you non-compliant and susceptible to penalties in the future.

In Conclusion: Can you use ChatGPT to write your Privacy Policy? 

Upon conducting our tests, we have concluded that the only viable means of obtaining a practical Privacy Policy from ChatGPT is if:

  1. Only one privacy law applies to you; 
  2. You provide ChatGPT with all of the disclosures required by that privacy law; 
  3. You provide ChatGPT with your exact privacy practices; and 
  4. You don’t mind having to update the Privacy Policy yourself when existing privacy laws change or new privacy laws are enacted. 

In conclusion, ChatGPT represents a feasible option for certain privacy professionals to draft Privacy Policies. However, it may not be an ideal solution for individuals lacking expertise in privacy law or small businesses that lack the bandwidth to identify applicable privacy laws and their corresponding disclosure requirements. The most effective approach to acquiring a Privacy Policy remains engaging a privacy attorney or using an automated Privacy Policy generator such as WebKitty’s Termageddon that updates the Policy in real-time.