Glossary · Compliance

AI Data Privacy

AI data privacy covers how personal data is collected, processed, retained, and shared by AI systems. Definition, key laws, and a vendor checklist.

By Kadin Nestler · May 28, 2026 · Updated May 28, 2026
On this page

Key privacy laws AI vendors must respect

  • GDPR (EU) — broadest, strictest. Fines up to 4% of global revenue.
  • CCPA / CPRA (California) — opt-out rights, sale/share definitions include AI training in some interpretations.
  • CDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah) — state-level US comprehensive laws.
  • Colorado AI Act (2024) — first US state AI-specific law, takes effect Feb 2026.
  • EU AI Act — risk-tiered AI regulation, with provisions on personal data interacting with GDPR.
  • Sectoral — HIPAA (health), GLBA (financial), FERPA (education), COPPA (children).

Common AI privacy risks

  • Training on customer data — model "remembers" what users typed.
  • Prompt logging — vendor stores everything users send for debugging or improvement.
  • Data residency — data crosses borders without legal basis.
  • Third-party processors — your data flows through sub-processors you did not vet.
  • Inference leakage — model output reveals training data.
  • No DSAR support — vendor cannot honor user data deletion requests.

Vendor privacy checklist

  • Data Processing Addendum (DPA) — required under GDPR, expected under CCPA.
  • Training opt-out — explicit, enforced, in writing.
  • Data residency — US-only or EU-only options as needed.
  • Retention policy — how long prompts and outputs are stored.
  • Sub-processor list — published and current.
  • DSAR / deletion process — how user data is removed on request.
  • Encryption at rest and in transit.

Practical posture for SMBs

Default to vendors with enterprise-tier privacy commitments — Anthropic Claude API (training opt-out by default), OpenAI Enterprise (no training on customer data), Google Vertex AI (data isolation guarantees). Avoid using consumer-tier ChatGPT / Claude.ai for any customer data without explicit consent and review of those products' terms.

What it means for your business

For SMBs serving multi-state or international customers, AI data privacy is the difference between a manageable compliance posture and a regulatory tripwire. The cost of getting it right at the vendor-selection stage is approximately zero.

  • HIPAA-Compliant AI — HIPAA-compliant AI handles protected health information under a Business Associate Agreement and meets the HIPAA Security Rule. Definition and vendor checklist.
  • SOC 2 for AI — SOC 2 is an audit framework for vendors handling customer data, including AI services. Definition, Type 1 vs Type 2, and what SMBs should demand.
  • AI Governance — AI governance is the policy and process layer for managing AI risk in an organization. Definition, frameworks, and what SMBs actually need.
  • AI Vendor Selection — AI vendor selection is how SMBs evaluate AI vendors on capability, cost, and risk. A practical 12-question checklist and decision framework.
  • AI Disclosure — AI disclosure is the legal and ethical obligation to tell users they are interacting with AI. Definition, applicable laws, and SMB practical guidance.
← Back to the full glossary