Voice assistants and privacy is a topic that's often in the news. While most of the attention is on device manufacturers, anyone who offers tools and services that use the technology also needs to think carefully about the privacy implications.

Whether it's a mobile app that uses voice recognition, or a dedicated service for a voice assistant gadget, you need to comply with both the rules of the device manufacturer and a host of national and international laws.


Voice Assistants and Data Processing

One of the most important points you might overlook with voice assistants is the data processing that's involved. Naturally your organization (via the app or service) will collect, use and potentially store personal data.

However, the company behind the voice assistant technology, such as Google or Amazon, will also process the data when it listens to a voice command, turns it into text and then deciphers the meaning. This usually happens on a remote server rather than on the voice assistant device itself.

This can be significant, as it can affect which regulations apply. It can also mean the company behind the voice assistant technology has its own privacy rules, designed to keep it from violating privacy law while it processes data for your app or service.

Relevant Privacy Laws

The GDPR

The General Data Protection Regulation (GDPR) is a European law but it may well cover you even if you aren't in Europe. That's because it applies in three situations:

  • The data subject is in a European Union country
  • The data controller is in a European Union country
  • The data processing takes place in a European Union country

This means it is possible that both your organization and the data subject are outside the EU, but the company behind the voice assistant technology physically processes the voice command and the relevant data on a server in the EU.

In this situation, both you and the processing company could be legally responsible for complying with the GDPR. That's because the regulation distinguishes between:

  • A data processor, who physically processes the data, and
  • A data controller, who decides what data is processed and how

In simple terms, the data processor must comply with the GDPR, but the data controller is legally responsible for making sure the data processor does so. In other words, if the voice assistant technology company processes the data in the EU, you could be responsible for GDPR compliance.

The GDPR is an extremely detailed regulation, so you should read it in full if it applies to you.

The key points to know are:

  • You must get meaningful consent from the data subject before processing personal data. This includes collecting, using and sharing data.
  • You must collect the data for a specific purpose. You will need fresh consent to use it for a different purpose.
  • You can only keep data for as long as needed to satisfy the stated purpose.
  • You must inform users about your data processing procedures. The best way to do this is with a Privacy Policy.

Children's Online Privacy Protection Act (COPPA)

Although COPPA is commonly associated with websites, it actually applies to any "online service." The key points are:

  • COPPA applies if your service is aimed at US children under 13 or you know they are using it.
  • If COPPA applies, you must display a Privacy Policy that notifies parents about how you handle personal information from children.
  • If COPPA applies, you must get verifiable parental consent before collecting personal information about children.

In 2013, the Federal Trade Commission updated COPPA so that any recording of a child's voice counted as personal data regardless of the content. In principle that meant parental consent was needed to record a child's voice.

In 2017, the FTC clarified this rule to take account of voice assistant technology. Parental consent isn't needed when recording a child's voice if three conditions apply:

  • What they are saying isn't personal information
  • You only keep and use the recording for a brief time and then delete it
  • You only use the recording to carry out the child's request or command

Even when you don't need parental consent, your Privacy Policy must detail how you collect and delete audio recordings.

Remember that if what the child says is personal information, for example if they give their name, you still need to get parental consent.

This example of Google's Privacy Policy directly addresses audio recordings of children:

Google Privacy Notice for Google Accounts Managed with Family Link for Children Under 13: Your child's voice and audio information clause

California Online Privacy Protection Act (CalOPPA)

As with COPPA, CalOPPA covers any "online service" rather than just websites. CalOPPA applies if you collect "personally identifiable information" about any user in California.

If CalOPPA applies, you must publish a Privacy Policy. You must either include the policy on your website's homepage, or include a "conspicuous" link on your home page to the policy.

California Consumer Privacy Act (CCPA)

The CCPA applies to any business (regardless of location) that serves people in California and meets one of three criteria:

  • Annual revenue of $25 million or more (from any source)
  • Half of annual revenue comes from selling personal data about California residents
  • Processes personal data about 50,000 or more California residents in a year

The CCPA applies to data controllers rather than service providers. That means the person or organization that decides what data is collected and used comes under the CCPA. With voice assistant devices and apps, that means the CCPA applies to you rather than the device or operating system manufacturer.

If the CCPA applies, you must make sure users in California know what personal data you collect and whether (and to whom) you disclose or sell personal data. You must let them access a copy of all the data you hold about them. You must also let them demand you don't sell their personal information.

The CCPA also says you must have a Privacy Policy covering these points. You must update this policy at least once a year and include a link to it from your website's home page.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA applies to many Canadian businesses when they collect personal information "in the course of a commercial activity" which in turn is defined as an act "of a commercial character."

With technology, this doesn't necessarily mean the app or service has to be a paid option. For example, a 2018 case examined whether Microsoft had violated PIPEDA through data collection in Windows 10. Although the individual concerned hadn't necessarily paid a fee to use Windows 10, the software is part of Microsoft's business.

If PIPEDA applies, you must follow 10 fair information principles when collecting personal information. These include:

  • Keeping people informed about what data you collect and why (usually through a Privacy Policy)
  • Getting consent before collecting, using or sharing data
  • Only collecting data needed for the stated purpose and deleting it when no longer needed

What Company Policies Require

Google

Google has rules for Privacy Policies in two voice assistant contexts: for Android apps, which use a phone or tablet's voice control, and for Actions, which work on a voice assistant device such as Google Home or Google Nest.

Android Apps

According to Google, whenever you develop an Android app that you want to distribute via the Google Play store (whether or not it uses the voice assistant), you must give "legally adequate privacy notice" to users. In other words you must publish a Privacy Policy if any relevant laws require you to do so.

If your app collects or uses "personal and sensitive" information, Google specifically requires you to post a Privacy Policy that covers:

  • How your app collects data
  • How your app uses data
  • Whether your app shares data and, if so, the types of people or organizations you share the data with

You can publish the Privacy Policy elsewhere (for example on your website) but both your Google Play store listing and the app itself must include a link to the policy.

This example from the Kasa app shows the Privacy Policy link in the listing in the Google Play store. It points to the relevant page on parent company TP-Link's website:

Kasa Google Play Store app listing with Privacy Policy highlighted

The app itself also includes the Privacy Policy. As it is built directly into the app, it's designed to work well on a phone screen, for example by using a simple menu to access key documents with a tap:

Kasa app: Screenshot of Privacy Policy

Actions

Google's rules say you must have a Privacy Policy for your Action and that you must include a link to it in Google's Directory of Actions.

Here's how the link appears in the listing for the Motley Fool Action:

Motley Fool Stocks Google Actions listing with Privacy Policy highlighted

You can't put the policy itself in the directory; rather you must host the policy elsewhere. You can do this anywhere that's publicly accessible online, though it may be easiest to do it on your own website. This will make it easier to keep it up to date and to display it alongside other privacy-related information on your site.

The Privacy Policy should cover three key points:

  • What information you collect (both directly and indirectly)
  • How you use the information
  • Whether and how you share the information with a third party

Your Privacy Policy must cover all the ways you interact with the user and handle data, not just the voice control.

Note that Google also requires you to comply with all applicable laws, even where these go beyond Google's own rules.

Amazon

When you produce a service that uses Amazon's Alexa voice assistant, your service is known as a "Skill" rather than an app. Amazon's rules say you must have a Privacy Policy in two cases:

  • Your Skill collects user information
  • Your Skill connects the user's Amazon account with a non-Amazon account

You must publish the Privacy Policy on an external web page, such as your own website. You must then put the URL of this page in the Skill Preview section of the Alexa developer console.

You'll need to repeat this process for each language your Skill works with. The link to the policy will then appear on your listing in the Alexa app and on the Amazon website.

Here's how the link appears in the listing for the LEGO Duplo Stories Skill:

LEGO Duplo Stories Amazon Skill listing with Privacy Policy highlighted

Amazon's guidelines for Skills don't detail exactly what needs to be in your Privacy Policy. However, in reply to a query on an official support forum, a company representative said:

"You will need to outline the type of information you are collecting, why it is needed, how it [is] used, and how it is disseminated."

Apple

Apple's rules for apps specifically require that you get "explicit user consent" when recording user activity, including through the microphone.

Apps using Apple's Siri voice assistant also come under Apple's wider app rules. These include a requirement to have a Privacy Policy and include a link to this policy both in the App Store listing (via the App Store Connect metadata field) and in the app itself.

The Privacy Policy must cover:

  • What data you collect and how you use it
  • Confirmation that if you share the data with a third party, that third party will give the data the same protection that you offer
  • How you decide when to keep or delete data
  • How the user can withdraw consent to process data and ask that you delete data

The rules also say you must get user consent to collect any data, even if it is anonymous.

Summary

Let's recap what you need to consider when developing an app or other service that uses voice assistant technology.

  • The company behind the technology may process personal data as part of making your service work for the user. This can affect the privacy rules that apply.
  • The GDPR applies if you or the user are in a European Union country. It can also apply if the voice processing takes place in an EU country.
    • If the GDPR applies, you need to get meaningful consent to process data for a specific purpose.
  • COPPA applies if you aim your service at users aged under 13 or know they use it.
    • If COPPA applies, you must get parental consent before collecting personal data and you must publish a Privacy Policy.
    • COPPA has an exemption for recording a child's voice, but this doesn't apply if you collect personal information.
  • The CCPA applies to large businesses, those handling personal data about a lot of Californians, or those which make most of their money from selling personal data about Californians.
    • The CCPA covers data controllers. That means you are responsible for privacy rules with your service because you control what data is collected.
    • If the CCPA applies, you must publish a Privacy Policy and update it once a year.
  • PIPEDA applies to most Canadian businesses collecting personal information "in the course of a commercial activity." This may apply even if users don't pay for your app or service.
    • If PIPEDA applies, you'll need to get advance consent to collect personal data and keep people informed, usually through a Privacy Policy.
  • If you have a Google Action (for a voice assistant device) or an Android app, you must publish a Privacy Policy covering how you collect, use and share personal information.
    • Google specifically requires you to follow any laws that apply to your Action or app.
  • If you have an Amazon Alexa Skill, you must have a Privacy Policy if your Skill collects user information or links to a non-Amazon account.
  • Apple requires explicit user consent before you record user activity through a microphone. You must publish a Privacy Policy for any iOS app.