Voice assistants and privacy is a topic that's often in the news. While most of the attention is on device manufacturers, anyone who offers tools and services that use the technology also needs to think carefully about the privacy implications.
Whether it's a mobile app that uses voice recognition, or a dedicated service for a voice assistant gadget, you need to comply with both the rules of the device manufacturer and a host of national and international laws.
- 1. Voice Assistants and Data Processing
- 2. Relevant Privacy Laws
  - 2.1. The GDPR
  - 2.2. Children's Online Privacy Protection Act (COPPA)
  - 2.3. California Online Protection Act (CalOPPA)
  - 2.4. California Consumer Privacy Act (CCPA)
  - 2.5. Personal Information Protection and Electronic Documents Act (PIPEDA)
- 3. What Company Policies Require
  - 3.1. Google
    - 3.1.1. Android Apps
    - 3.1.2. Actions
  - 3.2. Amazon
  - 3.3. Apple
- 4. Summary
Voice Assistants and Data Processing
One of the most important points you might overlook with voice assistants is the data processing that's involved. Naturally your organization (via the app or service) will collect, use and potentially store personal data.
However, the company behind the voice assistant technology such as Google or Amazon will also process the data when it listens to a voice command, turns it into text and then deciphers the meaning. This usually happens on a remote server rather than the voice assistant device itself.
This matters because it can affect which regulations apply. It can also mean the company behind the voice assistant technology imposes its own privacy rules on your app or service, to protect itself from violating a privacy law while operating it.
Relevant Privacy Laws
The GDPR
The General Data Protection Regulation (GDPR) is a European law, but it may well cover you even if you aren't in Europe. That's because it applies in any of three situations:
- The data subject is in a European Union country
- The data controller is in a European Union country
- The data processing takes place in a European Union country
This means the GDPR can apply even when both your organization and the data subject are outside the EU, if the company behind the voice assistant technology physically processes the voice command and the relevant data on a server in the EU.
In this situation, both you and the processing company could be legally responsible for complying with the GDPR. That's because the regulation distinguishes between:
- A data processor, who physically processes the data, and
- A data controller, who decides what data is processed and how
In simple terms, the data processor must comply with the GDPR, but the data controller is legally responsible for making sure the data processor does so. In other words, if the voice assistant technology company processes the data in the EU, you could be responsible for GDPR compliance.
The GDPR is an extremely detailed regulation, so you should read it in full if it applies to you.
The key points to know are:
- You must get meaningful consent from the data subject before processing personal data. This includes collecting, using and sharing data.
- You must collect the data for a specific purpose. You will need fresh consent to use it for a different purpose.
- You can only keep data for as long as needed to satisfy the stated purpose.
Children's Online Privacy Protection Act (COPPA)
Although COPPA is commonly associated with websites, it actually applies to any "online service." The key points are:
- COPPA applies if your service is aimed at US children under 13 or you know they are using it.
- If COPPA applies, you must get verifiable parental consent before collecting personal information about children.
In 2013, the Federal Trade Commission updated COPPA so that any recording of a child's voice counted as personal data regardless of the content. In principle that meant parental consent was needed to record a child's voice.
In 2017, the FTC clarified this rule to take account of voice assistant technology. Parental consent isn't needed when recording a child's voice if three conditions apply:
- What they are saying isn't personal information
- You only keep and use the recording for a brief time and then delete it
- You only use the recording to carry out the child's request or command
Remember that if what the child says is personal information, for example if they give their name, you still need to get parental consent.
California Online Protection Act (CalOPPA)
As with COPPA, CalOPPA covers any "online service" rather than just websites. CalOPPA applies if you collect "personally identifiable information" about any user in California.
California Consumer Privacy Act (CCPA)
The CCPA applies to any business (regardless of location) that serves people in California and meets one of three criteria:
- Annual revenue of $25 million or more (from any source)
- Half of annual revenue comes from selling personal data about California residents
- Processes personal data about 50,000 or more California residents in a year
The CCPA applies to data controllers rather than service providers. That means the person or organization that decides what data is collected and used comes under the CCPA. With voice assistant devices and apps, that means the CCPA applies to you rather than the device or operating system manufacturer.
If the CCPA applies, you must make sure users in California know what personal data you collect and whether (and to whom) you disclose or sell personal data. You must let them access a copy of all the data you hold about them. You must also let them demand you don't sell their personal information.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA applies to many Canadian businesses when they collect personal information "in the course of a commercial activity" which in turn is defined as an act "of a commercial character."
With technology, this doesn't necessarily mean the app or service has to be a paid option. For example, a 2018 case examined whether Microsoft had violated PIPEDA through data collection in Windows 10. Although the individual concerned hadn't necessarily paid a fee to use Windows 10, the software is part of Microsoft's business.
If PIPEDA applies, you must follow 10 fair information principles when collecting personal information. These include:
- Getting consent before collecting, using or sharing data
- Only collecting data needed for the stated purpose and deleting it when no longer needed
What Company Policies Require
Google
Google has rules for Privacy Policies in two voice assistant contexts: Android apps, which use a phone or tablet's voice control, and Actions, which work on a voice assistant device such as Google Home or Google Nest.
Android Apps
For an Android app, your Privacy Policy must explain:
- How your app collects data
- How your app uses data
- Whether your app shares data and, if so, the type of people or organizations you share the data with
Actions
You can't put the policy itself in the directory; rather, you must host the policy elsewhere. You can do this anywhere that's publicly accessible online, though it may be easiest to do it on your own website. This will make it easier to keep it up to date and to display it alongside other privacy-related information on your site.
For an Action, the policy must explain:
- What information you collect (both directly and indirectly)
- How you use the information
- Whether and how you share the information with a third party
Note that Google also requires you to comply with all applicable laws, even where these go beyond Google's own rules.
Amazon
Amazon requires a Privacy Policy for an Alexa Skill if:
- Your Skill collects user information
- Your Skill connects the user's Amazon account with a non-Amazon account
You'll need to repeat this process for each language your Skill supports. The link to the policy will then appear on your listing in the Alexa app and on the Amazon website.
"You will need to outline the type of information you are collecting, why it is needed, how it [is] used, and how it is disseminated."
Apple
Apple's rules for apps specifically require that you get "explicit user consent" when recording user activity, including through the microphone.
Apple also requires that your Privacy Policy explain:
- What data you collect and how you use it
- Confirmation that if you share data with a third party, that third party gives the data the same protection you offer
- How you decide when to keep or delete data
- How the user can withdraw consent to data processing and ask you to delete their data
The rules also say you must get user consent to collect any data, even if it is anonymous.
Summary
Let's recap what you need to consider when developing an app or other service that uses voice assistant technology.
- The company behind the technology may process personal data as part of making your service work for the user. This can affect the privacy rules that apply.
- The GDPR applies if you or the user are in a European Union country. It can also apply if the voice processing is in an EU country.
- If the GDPR applies, you need to get meaningful consent to process data for a specific purpose.
- COPPA applies if you aim your service at users aged under 13 or know they use it.
- COPPA has an exemption for recording a child's voice, but this doesn't apply if you collect personal information.
- The CCPA applies to large businesses, those handling personal data about a lot of Californians, or those which make most of their money from selling personal data about Californians.
- The CCPA covers data controllers. That means you are responsible for privacy rules with your service, because you control what data is collected.
- PIPEDA applies to most Canadian businesses collecting personal information "in the course of a commercial activity." This may apply even if users don't pay for your app or service.
- Google specifically requires you to follow any laws that apply to your Action or app.