Data Privacy in Customer Service Tools

Are you risking your company’s IP and customer personal data for the convenience of meeting transcription? Convenience is great, but not at the cost of accidentally donating your crown-jewel knowledge and customer personal data to someone else’s AI lab. AI-powered meeting transcription services are becoming increasingly popular - they offer so much convenience, sometimes even for free. I spent a few days combing through the actual Privacy Policies and Terms of Service for four popular AI notetakers—Otter.ai, Read.ai, Fireflies.ai, and tl;dv—to see whether they train their models on your conversations. I have no association with any of them, but what I found is worrying. Here’s the short version: 🔹 Otter.ai – On by default. Otter trains its speech-recognition models on 'de-identified' audio and text of your conversations. They claim that personal identifiers are stripped, but your confidential data still fuels their AI unless you negotiate a restriction. 🔹 Read.ai – Your choice. By default your data is not used. If you opt in to its Customer Experience Program, your transcripts can help improve the product. 🔹 Fireflies.ai – Aggregated-only. They forbid training on identifiable content, limiting themselves to anonymised usage statistics. No individual transcript feeds their AI. 🔹 tl;dv – Never. They explicitly prohibit using customer recordings for model training. Transcript snippets sent to their AI engine are anonymised, sharded, and not retained. Why it matters: Even “de-identified” data can leak competitive IP or sensitive customer information if models are ever breached or repurposed. Business recordings can contain personal data, meaning you’re still on the hook for consent, minimisation, and transfer safeguards. Your management, board and clients may assume you’ve locked this down; finding out later is awkward at best, non-compliant at worst. By the way - true anonymisation of data is exceptionally difficult, especially in complex data like speech. Claims that only 'deidentified' data is used for training needs to be scrutinised. Not one of the products reviewed provided any meaningful technical information about how they achieve this. What to do next: 1. Read the legal docs—marketing pages are full of assurances, but they don’t tell the full story. Read the privacy policies and terms of service. 2. Decide your red line: zero training, aggregated-only, or opt-in? 3. Configure or negotiate: most vendors offer enterprise DPAs or private-cloud options if you ask. 4. Review the consent flows: it’s not just your rights—your guests’ data is in play too. Have you asked the meeting participants if they are happy to hand their personal data and IP to a third party? Convenience is great, but not at the cost of accidentally donating your crown-jewel knowledge to someone else’s AI lab. I write about Doing AI Governance for real at ethos-ai.org. Subscribe for free analysis and guidance: https://ethos-ai.org #AIGovernance

𝐏𝐒𝐀 𝐟𝐨𝐫 𝐂𝐮𝐬𝐭𝐨𝐦𝐞𝐫 𝐒𝐮𝐜𝐜𝐞𝐬𝐬 𝐋𝐞𝐚𝐝𝐞𝐫𝐬 𝐚𝐧𝐝 𝐂𝐒𝐌𝐬 𝐞𝐱𝐩𝐥𝐨𝐫𝐢𝐧𝐠 𝐆𝐞𝐧𝐀𝐈 𝐭𝐨𝐨𝐥𝐬 There’s a growing wave of excitement around using AI copilots like NotebookLM, ChatGPT, and plethora of other apps to enhance Customer Success workflows like summarizing meetings, creating briefs, and extracting insights from QBR decks and success plans, etc. Tonne of advice on LinkedIN and other blogs/articles on how to leverage these tools. But here’s the critical piece that’s being overlooked: Most of these tools are not approved by your customers' (or your own company's) IT and security teams. 😱 𝐈𝐟 𝐲𝐨𝐮’𝐫𝐞 𝐜𝐨𝐩𝐲𝐢𝐧𝐠 𝐜𝐨𝐧𝐟𝐢𝐝𝐞𝐧𝐭𝐢𝐚𝐥 𝐜𝐮𝐬𝐭𝐨𝐦𝐞𝐫 𝐜𝐨𝐧𝐭𝐞𝐧𝐭, 𝐢𝐧𝐜𝐥𝐮𝐝𝐢𝐧𝐠 𝐜𝐚𝐥𝐥 𝐭𝐫𝐚𝐧𝐬𝐜𝐫𝐢𝐩𝐭𝐬, 𝐛𝐮𝐬𝐢𝐧𝐞𝐬𝐬 𝐬𝐭𝐫𝐚𝐭𝐞𝐠𝐢𝐞𝐬, 𝐬𝐮𝐩𝐩𝐨𝐫𝐭 𝐢𝐬𝐬𝐮𝐞𝐬, 𝐨𝐫 𝐢𝐧𝐭𝐞𝐫𝐧𝐚𝐥 𝐝𝐨𝐜𝐬, 𝐢𝐧𝐭𝐨 𝐜𝐨𝐧𝐬𝐮𝐦𝐞𝐫-𝐠𝐫𝐚𝐝𝐞 𝐆𝐞𝐧𝐀𝐈 𝐭𝐨𝐨𝐥𝐬, 𝐲𝐨𝐮 𝐦𝐚𝐲 𝐛𝐞 𝐯𝐢𝐨𝐥𝐚𝐭𝐢𝐧𝐠 𝐜𝐮𝐬𝐭𝐨𝐦𝐞𝐫 𝐌𝐒𝐀𝐬, 𝐍𝐃𝐀𝐬, 𝐨𝐫 𝐢𝐧𝐭𝐞𝐫𝐧𝐚𝐥 𝐝𝐚𝐭𝐚 𝐡𝐚𝐧𝐝𝐥𝐢𝐧𝐠 𝐩𝐨𝐥𝐢𝐜𝐢𝐞𝐬. 🤯 Just because a tool is publicly available doesn’t mean it’s safe to use for sensitive customer data. While I’m an avid supporter and power user of AI, I write this in anguish, and with the aim to shine light on a serious security issue that’s not getting enough attention. This is a call to CS leaders, RevOps, and enablement teams: - Include data security and tooling policies in AI enablement - Work with IT/GRC to define clear guardrails - Educate teams (or risks and permitted use) before encouraging broad AI adoption Productivity should never come at the expense of trust. Innovation means nothing if it puts customer data at risk. 𝐋𝐞𝐭’𝐬 𝐫𝐚𝐢𝐬𝐞 𝐭𝐡𝐞 𝐛𝐚𝐫. 𝐑𝐞𝐬𝐩𝐨𝐧𝐬𝐢𝐛𝐥𝐞 𝐀𝐈 𝐬𝐭𝐚𝐫𝐭𝐬 𝐰𝐢𝐭𝐡 𝐮𝐬.

"How should I think about the security and privacy of customer data if I use ChatGPT in my product?" We get this question a lot at Vanta. If you’re planning to integrate a commercial LLM into your product, treat it like you would any other vendor you’re onboarding. The key is making sure the vendor will be a good steward of your data. That means: 1. Make sure you understand what the vendor does with your (= your customers'!) data and whether it may train new models. Broadly speaking, you don't want this, because in the process of training a new model, one customer's data may show up for another customer. 2. Remember that if your LLM vendor gets breached, it's leaking your customers' data, and you'll need to let customers know. In my experience, your customers are unlikely to care that it was another provider's "fault" – they gave the data to you. As with any other vendor, you'll want to convince yourself that your LLM vendor is trustworthy. However, if you’re using the free version of ChatGPT (or any free tool), you might not be able to get the same contractural assurance or even be able to get specific questions answered by a person (not, you know, an LLM-powered chatbot.) In those cases, we recommend: 1. Adjusting settings to ensure your data are not shared or used to train models. 2. Even them, understand there's no contractural guarantee. We recommend keeping confidential, personal, customer, or private company data out of free service providers for this reason. As ever, ymmv. Matt Cooper and Rob Picard recently hosted a webinar, answering common questions about AI, security, and compliance. Link in comments if you're curious for more.

Headway's Alleged Data Sharing with Google: Understanding the Class Action Lawsuit TherapyMatch, Inc., operating as Headway, is facing a class action lawsuit over claims of improper data sharing. Headway helps users find mental health providers and book sessions directly through their platform. However, allegations suggest that users’ sensitive information, including their mental health data, was shared with Google via embedded analytics tools—without proper consent. Here’s a quick timeline: July 2023: The lawsuit was filed, accusing Headway of sharing sensitive user data without proper disclosure. August 2023: The case moved to federal court. September 2024: The court allowed some privacy violation claims to proceed, including those related to the California Invasion of Privacy Act (CIPA) and the California Consumer Privacy Act (CCPA). What Happened? The lawsuit claims Headway used Google Analytics on their website to track user activity and share personal information, including health-related details, with third parties without user consent. Their privacy policy also failed to fully explain this data sharing, further contributing to the lawsuit. How Can Businesses Prevent This? Businesses can prevent issues like those in the Headway lawsuit by ensuring consent banners are clear and functioning, obtaining explicit user consent before collecting or sharing data. Properly configure tag managers to fire tags only after consent is given and monitor third-party scripts closely. Analytical tools should have privacy features like IP anonymization enabled, and data collection must be limited to what's necessary. Regular scans of websites and apps for compliance and security issues will help protect user data and prevent legal risks. Why Is This Challenging? Managing privacy and consent across a business is like conducting a complex orchestra. Websites undergo frequent updates, and different teams—marketing, product, and engineering—each use their own tools. With hundreds of configurations across CMPs, tag managers, and analytics tools, ensuring consent works correctly across all these systems is a massive challenge. The CMP acts as the conductor, coordinating everything. But without a tool to continuously monitor and ensure everything is in sync, even a small misstep can lead to non-compliance or data privacy issues. This complexity makes it nearly impossible to manage manually, highlighting the need for automated monitoring solutions to keep everything running smoothly and compliant. How are you tackling these challenges in your organization? #DataPrivacy #PrivacyLaws #CCPA