When you feed personal data into an AI model, the privacy risk profile changes completely. The questions shift from "where is this data stored?" to "what can this model learn about individuals?" and "what could it reveal that was never explicitly recorded?" The regulatory framework hasn't caught up to these questions, but enforcement is starting to.
I've watched organizations treat AI deployments like any other software purchase—run it through procurement, check the vendor security questionnaire, sign the DPA, move on. Then someone asks whether the model can infer protected characteristics from unstructured text. Or whether using customer data to fine-tune a model constitutes a new processing purpose. Or what "deletion" means when the data has been baked into model weights. The conversation stops.
The privacy risk calculus for AI is different because the technology operates differently. Training data becomes part of the model. Inference can surface patterns that were never labeled. The boundary between processing and profiling blurs. And consent—the foundation of most privacy frameworks—becomes nearly impossible to operationalize when you can't map specific records to specific model behaviors.
Training Data Is Not Just Another Copy
Under GDPR and most U.S. state privacy laws, creating a copy of personal data for a new purpose generally requires a new legal basis. Training an AI model on personal data looks like copying at first glance, but it's more transformative than that. The data doesn't just sit in a new database—it shapes the statistical relationships within the model itself.
The pattern I see most often: organizations rely on a "legitimate interest" basis under GDPR or assume their existing privacy notice covers "service improvement" broadly enough to encompass model training. Sometimes that holds up. Often it doesn't, especially when the training creates capabilities the original data subject couldn't have reasonably anticipated.
A healthcare provider collecting appointment notes for care coordination might have a solid legal basis for that collection. Using those same notes to train a model that predicts no-show risk across the patient population is a different processing activity. The purpose has shifted from individual care to population-level analytics. That shift matters under GDPR Article 6 and under most state laws' "compatibility" tests.
The Retention Problem
Data minimization and storage limitation are explicit requirements in GDPR and increasingly common in U.S. state laws. You're supposed to keep personal data only as long as necessary for the stated purpose. AI training complicates this in two ways.
First, the training dataset itself. If you train a model on three years of customer interaction data, what's your retention justification for keeping that dataset after the model is trained? Some organizations treat the training set as a compliance record—evidence of what went into the model. Others delete it to reduce risk. Neither answer is obviously right, and I haven't seen clear regulatory guidance.
Second, the model weights. If personal data has been encoded into the model's parameters, is the model itself personal data? The GDPR definition of personal data is broad: any information relating to an identified or identifiable person. If a model can reproduce training examples or reveal information about individuals in the training set, it arguably meets that definition. The European Data Protection Board has hinted at this in guidance on AI, but stopped short of a definitive position.
Inference Leakage and What Deletion Actually Means
When someone submits a data subject access request or a deletion request under CCPA, CPRA, or GDPR, what are you obligated to do if their data was used to train a model?
Deleting the original records is straightforward. Deleting the person's contribution to a trained model is not. You can't easily extract one individual's influence from model weights. Retraining from scratch without that person's data is technically possible but operationally expensive, and it changes the model for everyone. Some researchers are working on "machine unlearning" techniques, but they're not ready for production at scale.
The European Data Protection Supervisor has suggested that if deletion from a model isn't feasible, the model itself might need to be retired. That's an extreme position, and I haven't seen it enforced yet, but it's on the table. The less extreme version: if you can't guarantee deletion, you probably shouldn't have used that data for training in the first place without rock-solid consent or another strong legal basis.
Membership Inference Attacks
There's also the technical risk that someone can determine whether a specific individual's data was in the training set by querying the model. This is called a membership inference attack, and it's been demonstrated against real-world models. If successful, it's a privacy breach even if the model doesn't output the person's actual data, because it reveals information about them—namely, that they were a customer, patient, or user.
This risk is higher with smaller training datasets and models that overfit. Differential privacy techniques can reduce it, but they also degrade model accuracy. There's a trade-off, and most organizations aren't making it explicitly—they're just hoping no one tests their models this way.
Profiling, Automated Decision-Making, and the GDPR Hammer
GDPR Article 22 gives individuals the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects. CCPA and CPRA have narrower but related provisions around automated decision-making technology.
Profiling under GDPR means any automated processing of personal data to evaluate personal aspects—predict performance, behavior, preferences, interests. Most AI models used for personalization, risk scoring, or targeting meet this definition.
If your model makes or heavily influences decisions that have legal or significant effects—denying a loan, adjusting insurance premiums, filtering job applicants, restricting access to services—Article 22 applies. You need either explicit consent, contractual necessity, or a legal authorization, plus you must implement suitable safeguards like human review and the ability to contest the decision.
In my experience, this is where organizations get tripped up. They build a model, deploy it, and treat the output as just another input to a human decision-maker. But if the human rarely overrides the model, or doesn't have enough context to meaningfully review it, regulators will look through the fig leaf. The decision is automated in substance, even if a human clicks "approve."
The California Privacy Rights Act added a category of "sensitive personal data" and gave consumers the right to limit its use. If you're using sensitive data—precise geolocation, racial or ethnic origin, health information—to train a model that profiles individuals, you're on the hook for both the profiling rules and the sensitive data rules. The obligations stack.
Navigating AI Privacy Risk in Your Organization?
Carl delivers keynote presentations and workshops on AI governance, privacy compliance, and managing regulatory risk in the age of machine learning. His sessions are built on real-world patterns, not vendor talking points.
Book Carl to SpeakConsent Is Nearly Impossible to Operationalize for Model Training
Consent under GDPR must be freely given, specific, informed, and unambiguous. Under CCPA and CPRA, it must be opt-in for certain uses of sensitive data, and consumers must be told what they're consenting to in plain language.
How do you get informed consent for model training when you can't tell someone exactly how their data will influence the model, what the model will be used for over its lifecycle, or what it might infer about them? The specificity requirement becomes a real problem.
Some organizations try to thread this needle with language like "we may use your data to improve our services, including through machine learning." That might pass muster for low-risk applications, but it won't hold up if the model is later used for a different purpose, or if it turns out the model can infer sensitive characteristics the individual never disclosed.
The bigger issue: consent needs to be granular and revocable. If someone withdraws consent, you're supposed to stop processing their data. But as discussed earlier, you can't easily remove their data from a trained model. This makes consent a fragile legal basis for training. I generally advise clients to rely on consent only when they're confident they can honor withdrawal without catastrophic operational consequences, or when the model is retrained frequently enough that withdrawal can be incorporated in the next cycle.
What Privacy Impact Assessments Should Actually Cover for AI
GDPR Article 35 requires a Data Protection Impact Assessment (DPIA) when processing is likely to result in high risk to individuals' rights and freedoms. The guidelines explicitly mention large-scale profiling and automated decision-making as triggers. Most U.S. state laws don't mandate formal PIAs, but privacy impact assessments are still a best practice and sometimes required under sector-specific regulations.
For AI systems that touch personal data, a PIA should address questions most organizations don't ask:
- What can this model infer that wasn't in the input data?
- Can it surface protected characteristics or proxy variables for them?
- What's the risk of re-identification if the model outputs aggregated or anonymized results?
- How would we respond to a deletion request for someone whose data is in the training set?
- What happens if the model is later used for a purpose we didn't anticipate?
- Can we explain to a data subject how the model made a decision that affected them?
The last question ties into GDPR's transparency requirements and the right to explanation. There's debate over whether GDPR grants an absolute right to explanation for automated decisions, but the recitals and the Article 29 Working Party guidelines suggest you need to provide meaningful information about the logic involved. For complex models, that's hard. "The neural network predicted X" is not meaningful information.
I've seen organizations try to satisfy this with high-level descriptions of how the model type works—"we use gradient boosting to predict risk based on historical patterns." That might be technically accurate, but it doesn't tell the individual why they specifically were flagged or scored the way they were. Explainability tools like SHAP or LIME can help, but they add complexity and don't work equally well for all model types.
The Proportionality Question
A good PIA also asks whether the processing is proportionate to the objective. Just because you can build a model doesn't mean you should. If you can achieve the same business outcome with less intrusive methods—rules-based systems, aggregated analytics, models trained on synthetic data—you're on stronger ground if you choose those first and resort to personal data only when necessary.
This is where privacy by design becomes more than a buzzword. The principle is to embed privacy into the system architecture from the start, not bolt it on later. For AI, that means asking the privacy questions during model selection and design, not after deployment when the training data is already baked in.
Third-Party AI Services and the Processor vs. Controller Problem
If you're using a third-party AI service—an API from OpenAI, Google, AWS, Anthropic, or a specialized vendor—you're likely sending personal data outside your environment. Under GDPR, that makes the vendor a processor, and you need a data processing agreement (DPA) that meets Article 28 requirements. Under CCPA/CPRA, they're a service provider or contractor, and you need a contract that restricts their use of the data.
The complication: many AI vendors also use your data to improve their models. The terms of service might say they don't train on your data, or they might say they do but anonymize it first, or they might make it opt-out. You need to read the DPA and the terms carefully, because if they're training on your data for their own purposes, they're not acting purely as a processor—they're a joint controller or an independent controller, depending on how much control you have over the training decision.
This distinction matters because your liability doesn't end when you hand the data to a vendor. Under GDPR, you're responsible for choosing processors that provide sufficient guarantees, and you remain liable to data subjects if the processor screws up. Under CPRA, you can be liable for a service provider's violations if you fail to take reasonable steps to ensure compliance.
The pattern I see: organizations assume that signing a DPA with a reputable vendor covers them. It doesn't, unless you've actually verified that the vendor's data handling aligns with your legal obligations. For AI vendors, that means understanding what happens to your data during inference, whether it's logged, whether it's used for training, how long it's retained, and whether it's ever commingled with other customers' data. Not all vendors will answer these questions clearly, and that should be a red flag. If you're in a regulated industry—healthcare, finance, defense—using a vendor who can't or won't provide those answers exposes you to AI and privacy risk you can't mitigate.
Looking for a Speaker on Privacy, AI, and Regulatory Compliance?
Carl speaks to executive teams, boards, and industry conferences about the intersection of AI, privacy law, and practical risk management. See all keynote speaking topics or reach out about your event.
Book Carl for Your EventThe Emerging State Privacy Law Landscape and AI
As of 2026, more than a dozen U.S. states have comprehensive privacy laws in effect or coming online. California's CPRA is the most detailed, but Virginia, Colorado, Connecticut, Utah, and others have similar frameworks with variations. These laws generally share a few common elements relevant to AI: consumer rights (access, deletion, correction, opt-out), data minimization, purpose limitation, and restrictions on processing sensitive data.
None of these laws were written with AI specifically in mind, but their application to AI is becoming clearer through enforcement and guidance. The California Privacy Protection Agency has signaled that it's paying attention to automated decision-making, and CPRA explicitly requires businesses to disclose whether they use automated decision-making technology and provide a way to opt out in certain contexts.
The multi-state compliance challenge is real. If you operate nationally and process data from residents of multiple states, you're juggling different definitions of personal data, sensitive data, and sale. You're also juggling different opt-out mechanisms and different timelines for responding to consumer requests. AI systems that touch personal data from multiple states need to be designed with this fragmentation in mind, or you end up with a compliance model that works for California but breaks in Virginia.
One approach: build to the highest standard. If you can meet GDPR and CPRA requirements, you'll likely cover most other state laws. The risk is over-engineering for markets where the regulation is lighter, but the alternative—maintaining different versions of the same model for different jurisdictions—is operationally painful and error-prone. U.S. state privacy laws in 2026 have created a patchwork that rewards simplicity over customization.
Transparency Obligations You Can't Meet with a Black Box
Both GDPR and most state privacy laws require organizations to disclose what personal data they collect, how they use it, and who they share it with. When you deploy an AI model that processes personal data, this obligation extends to the model's operation.
If the model makes decisions about individuals—credit scoring, eligibility determinations, content recommendations that affect what people see or buy—you're supposed to be able to explain, at least at a high level, how those decisions are made. You don't need to disclose trade secrets or proprietary algorithms, but you do need to provide enough information that a person can understand the logic and contest it if they believe it's wrong.
This is where the "black box" problem hits privacy compliance directly. If you can't explain how your model works because it's a deep learning architecture with millions of parameters and emergent behaviors, you're in tension with transparency requirements. The law doesn't prohibit complex models, but it does require that you be able to tell someone why they were denied, flagged, or scored the way they were.
In my work with organizations deploying AI, this drives architectural decisions earlier than most expect. If you know you'll need to explain outputs to satisfy GDPR Article 13-15 obligations or state law disclosure requirements, you choose models and techniques that support interpretability. That might mean using simpler models, ensemble methods where you can trace decision paths, or investing in explainability tooling from the start. It also means logging enough information at inference time to reconstruct the basis for a decision if you're later challenged.
The Right to Object and Opt-Out
GDPR Article 21 gives individuals the right to object to processing based on legitimate interests, including profiling. CPRA and other state laws provide a right to opt out of the sale or sharing of personal data, and in some cases, a right to opt out of profiling or automated decision-making.
If your AI model profiles users for targeted advertising, personalized pricing, or behavioral prediction, individuals can invoke these rights. When they do, you need a mechanism to honor the objection or opt-out that actually stops the processing. This is harder than it sounds if the model operates in real-time or if user profiles are distributed across multiple systems.
The worst implementation I've seen: a company that honored opt-out requests by flagging the user's record in the CRM but didn't propagate the flag to the inference pipeline. The model kept scoring the user because the two systems didn't talk to each other. The opt-out was theater. When that came to light during an audit, it was treated as a systemic control failure, not a one-off mistake.
Strategic Implications and What Leadership Needs to Understand
AI creates privacy risk that doesn't fit neatly into the compliance frameworks most organizations have built over the last decade. The risks are harder to inventory, harder to measure, and harder to remediate after the fact. This demands that privacy and AI governance converge at the leadership level, not remain in separate lanes.
The strategic decision points come early: what data are we willing to use for training? What processing purposes can we justify under our current legal bases, and where do we need new consent or new contracts? What transparency and explainability standards will we commit to before we choose models? What's our plan for data subject rights when the request implicates a trained model?
These aren't questions the data science team can answer alone, and they're not questions the legal team can answer without understanding the technology. The organizations getting this right are the ones where the CISO, DPO, Chief AI Officer (if there is one), and business leadership are in the same conversation from the start. They're mapping AI and privacy risk the same way they'd map cybersecurity or financial risk—at the enterprise level, with ownership and accountability clearly assigned.
The gap I see most often: leadership treats AI as an innovation priority and privacy as a compliance obligation, and the two workstreams don't talk until something goes wrong. By then, you've deployed a model that can't easily be brought into compliance without retraining or retiring it. The cost of retrofitting privacy into AI is much higher than building it in, and the reputational risk of getting it wrong is growing as regulators and consumers pay more attention.
If your organization is moving into AI in a serious way—beyond experimentation and into production systems that touch customer, employee, or patient data—you need a framework that integrates AI governance and privacy compliance from day one. That means clear policies on data use for training, a process for evaluating AI and privacy risk before deployment, technical controls that support data subject rights, and a governance model that doesn't treat AI as exempt from the rules that apply to every other data processing activity. You also need leaders who understand that privacy isn't just a box to check—it's a design constraint that shapes what's possible and what's defensible.
The technology is moving faster than the law, but enforcement is catching up. The organizations that treat privacy as a late-stage compliance check are the ones that will spend the next few years managing regulatory risk reactively. The ones that get ahead of it will be the ones that asked the hard questions early and built systems they can actually defend.