#211 - Privacy Law + AI: What Small Businesses Need to Know
Let’s talk about something crucial for small business owners: the big shake-up in privacy laws and how it intertwines with AI. Trust me, this isn’t just some bureaucratic mumbo jumbo; it’s real and important.
For the first time in over 20 years, Australia is revising its privacy legislation in a big way. Gone are the days when small businesses with under $3 million in turnover could skimp on having a privacy policy. That's right, those days are behind us and small businesses are no longer exempt. If you haven't yet, now's the time to start thinking about getting one in place so you're not scrambling later on.
Why You Need a Privacy Policy
A privacy policy isn’t just a tick box for compliance; it’s about trust and credibility. I can’t stress this enough. Personally, when I’m checking out a new company’s website, I always scroll to the bottom to see if they're on top of their privacy and terms. If they're missing, it’s a huge red flag. It just tells me that they’re either unaware or don’t care. And I’m betting, once I’ve said this, you’ll find yourself doing the same thing.
Understanding AI's Role
Now, onto AI. It's such a fascinating and valuable tool, but it does come with strings attached. As business owners, we must understand and be crystal clear about what AI tools do with the data we plug in. You simply can’t take chances with client data. And those days of just clicking 'I agree' without really reading through terms? They’re over.
Simple Steps to Follow:
1. Get That Privacy Policy Sorted Out
If you don't already have a privacy policy, it’s time to get serious. Consult with a business lawyer and have a policy tailored to fit your business needs. Make sure it’s easily accessible on your website, right there at the bottom for everyone to see. Your privacy policy should clearly outline how you collect, use and protect personal data. It's not just about staying on the right side of the law; it's about showing your customers that their information is safe with you.
2. Know Your AI Tool Inside Out
Understanding the AI tools you’re using is crucial. Dive into the terms and conditions of every AI platform your business integrates with. It’s really important to keep an eye on what data you're inputting, making sure it's not sensitive. If you must use personal data, anonymise it or get explicit consent from your clients. The more you know about your AI's operation, the better equipped you'll be to safeguard your business and your clients' information.
3. Transparency is Key
If you're employing AI tools that interact directly with your customers, like chatbots, make sure transparency is at the forefront. Explicitly state that the interaction is AI-based. This honesty not only builds trust but also sets clear expectations. Customers appreciate knowing who—or what—they're communicating with, and being upfront about it helps prevent misunderstandings.
4. Stay One Step Ahead
Consider setting a calendar reminder to regularly review the terms and conditions of the apps and platforms you use. This way, you’ll catch any changes promptly. Staying informed allows you to spot potential pitfalls before they become problems, ensuring you're prepared for any legal shifts. It’s a proactive way to manage risk and keep your business shielded.
A Word of Warning: CapCut
Let me share a quick real-life example – CapCut. It's a video editing app that's tripping up a lot of businesses. The app’s terms actually let them claim ownership of anything you upload. It’s a classic example of why reading terms and conditions is so important these days.
I know this all might sound a bit heavy, but I want to make sure you’ve got the info you need to keep your business running smoothly and legally. I hope this has helped clear up any fog surrounding privacy law changes and AI, and supports you in growing your small businesses with confidence and peace of mind.
Thanks so much for being with me today—and remember, I'm here to help guide you through all this. Catch you next time!
[00:00:00]
Tracey: Hello everyone. Welcome back to another episode of the podcast. Thank you as always for joining me. If you've been listening for a while, you'll know that in this season of the podcast, I'm answering two questions at the end of each episode, and the questions I'm answering, or I'm sharing with you are questions that are coming across my desk a lot.
So I know that they're points of concern or their popular questions, and so I'm sharing them here because if other people are asking, chances are it's probably something that will be of interest to you. That said, if you have questions that you'd like me to answer on the podcast, please reach out, reach out and share them with me.
[00:01:00] You can reach out to me on the website, Instagram DMs, or you can send me an email. And the links are all in the show notes. My objective, as you know with this podcast is to share as much value as I possibly can to help you on your business journey. And that means giving you what you want, so answering the questions that you're wondering about.
So please don't hesitate to reach out and share if there's a question you'd like me to answer. Let's dive into today's episode. Today's episode is on a topic that is so important and overlooked in my experience because it's complex and daunting.
So there's very much an ostrich approach with business owners around these issues, and they are privacy law obligations, and AI. So as small business owners, we have obligations under the privacy legislation and that dovetails into using AI. I'm gonna talk about all of this in today's episode in a way that I hope makes it less daunting and super clear and easy to follow.
First of all, I've been talking a lot about changes to the privacy legislation here in [00:02:00] Australia. So for the first time in more than 20 years, the privacy legislation is undergoing a massive overhaul. There are so many considerations at play here, and there are some significant changes to the privacy legislation, and many of those now affect small businesses.
So let me pause. The reason I say many of those changes affect small businesses now is because for so long small businesses with an annual turnover of less than 3 million have typically been exempt. Most small businesses that is have typically been exempt from having to comply with some of these obligations under the privacy law. I've been saying to business owners and my clients for at least the last 18 months, that that exemption is very likely going to be removed.
So let's get on the front foot and comply with your obligations and do the things that you're going to need to do at some point anyway and integrate them now into your [00:03:00] processes so that when these changes come in, you won't have to worry. So if you are an existing client of mine, chances are we've worked together to develop your privacy policy.
So you don't have to worry about whether or not you're complying because you are because you have a privacy policy. One caveat to that, and that's in the context of AI, and I'm gonna get to that. But first and foremost, please know if you are a small business, if you hold any personal data, and the definition of data under the changes is being extended.
So it's anything now from a name and an email address that constitutes data. So if you have any personal data, which is just about every single business, you need a privacy policy, it needs to be accessible via a link on the bottom of your homepage. If you're allied health, if you're medical, then you need to go further because there's further things that you need to be disclosing.
But for the sake of this podcast episode, I'm not going to go down those rabbit holes. I'm gonna stay focused [00:04:00] on small businesses generally and how the changes to the privacy law are affecting them. And the first change is you need a privacy policy because you're no longer going to be exempt. There it is.
Really blunt, direct. That's one of the most fundamental changes here. So no longer can small businesses sit back and say, oh, I'm a small business. I've got less than 3 million annual turnover. I don't have to worry about privacy. Yes you do. You actually really do. On that, there's a couple of things to say about the importance of a privacy policy too.
So yes, a privacy policy is going to be compulsory. You need to have it. You need to include certain things. It needs to be compliant. It needs to tell consumers certain things. But also though, let's just think about the benefits for a moment because a privacy policy, in this day and age when security and cyber issues are so common, a privacy policy helps build trust and credibility with your audience.
Let's just call it for what it is, it's trust and credibility building as well as [00:05:00] compliance. I don't know about you, but when I'm looking at somebody's business and I go to their website for the first time, one of the first things I do is scroll to the bottom to see whether there's a privacy policy and website terms and conditions.
And if there's not, nine times outta 10, I'm leaving that site because that business has just told me either that they don't know about it, or that they don't care about it. Either way, that's not professional and it's not a business I wanna be engaging. I bet you, now that I've shared that, that that's something that you start doing too. But it's worth doing because we need to verify and validate businesses that we are checking out for the first time to see if they're the real deal. Should I be transacting with them?
Should I be trusting them? And having a privacy policy that's compliant and website terms and conditions on your website are one of the easiest ways to start building that trust and credibility with your audience. So that's a, that's a small aside. Coming back to the law changes, you haven't had to have one up until now as a small business.
That's [00:06:00] changing now you do. So know that if you don't have one, put it on the list of things to do because it's something that you need to talk to your business lawyer about. The thing is, with privacy policies, when you are drafting your privacy policies to comply with the legislation, you need to be telling consumers certain things.
If you breach your privacy policy, there are some really serious penalties as a part of this overhaul and penalties can scale up to $50 million for serious breaches. I'm not suggesting that small business owners are gonna breach so badly that that's a penalty they're going to be exposed to. But it's important to know just how seriously this legislation is being taken and where those penalties can go so that they're there. The penalties are there. There's things that you need to understand now about your internal processes and policies, and as a part of the changes, one of the big ones is a consumer's right to be forgotten. So they're able to reach out to you to ask you what personal data of mine do you hold.
They're able to ask you to update it. They're able to [00:07:00] ask you to remove it. I am not talking about tax and ATO compliance and our obligations as lawyers to hold onto records for seven years and finance and accounting and bookkeeping obligations, record keeping. I'm not talking about record keeping obligations.
I'm talking about personal data that you hold under your privacy policy where they may not be a client and you may not have onboarded, so they may not fall under your data keeping obligations. I'm talking about data that sits outside of that. People have got the right to get in touch with you to say, Hey, I've unsubscribed from your list. Can you please delete my data? They can do that now, and you need to have a system in place where you can action that.
You can start to see why this becomes overwhelming for small businesses, can't you? Because I know that there's a lot here, and as soon as you start reading about it, the legislation and the reasoning behind the changes and the considerations and the tranches of it being introduced. It's long and it's complicated.
[00:08:00] But to break it down for small business owners, you need to be really clear and transparent with consumers, your clients, about what you are using their data for. And this is where we dovetail into the conversation around AI. If you are using AI in your business, you need to be really across the AI that you're using.
You need to be really clear on what the data you input is being used for, and you need to be clear around who owns that data. You've probably encountered a time where you're gonna go and buy something online, or you're gonna sign up to an app, or you're gonna agree to the privacy terms of Airbnb or something like that, and they give you a notification and you just tick "yes, I agree" without actually reading it. I'm sorry to say, but the days of doing that, as business owners are gone, we just can't afford to do that anymore. And it's not okay and it's not okay to not read it and then to have something go wrong and then to say, oh, but I didn't read it. So the obligation as a business owner is on you to make sure you are really [00:09:00] clear with the platforms you're using, who owns the data, what's being done with it. And this is such a big one for AI. Because of the increased obligations on business owners under these privacy law changes, you now have an obligation, a legal obligation to take care of the personal data that you are being trusted with by consumers and to take care when you are using it.
So what that means is when you are using an AI platform, you need to know who owns the data, what's being done with it. Is that AI going to continue to use it later for training? These are the things we need to be so careful of. And as I'm sure you're nodding along, listening to this, you're thinking Chat GPT and Claude.
The obligations we have as business owners is to be really clear on what the data's being used for and there's all sorts of guidelines that have been published around personal data use and AI. What [00:10:00] I'd like to say to you is that internally, processes and systems around the use of AI are so important so you know what's being used in your business, you know what's being inputted into AI in your business and just as the very first touch point here, it should be a given for all small businesses that client and consumer personal and sensitive data is not inputted into AI.
And you might think, of course, Tracey, that's really obvious. It's actually not as obvious as you might think because whilst you might be pasting in transcripts to have it summarized or you might be pasting in a contract that you've got with your client to get Chat GPT's advice that happens. Clients reach out to me saying, oh, I've spoken to Chat GPT about this.
What do you think about this? And a lot of the time it's wrong, but that's okay. What's happening is business owners are just uploading the whole document, and what that's doing is exposing personal data. There's names in there, sometimes [00:11:00] there's addresses in there. Sometimes there's email addresses in there.
There's references in there that the client could consider to be sensitive. These are the obligations we have as business owners to ensure that we have checks and balances in place in our business, so we know what's being inputted into AI. You need to get really clear in your business on what AI you are using, and then if you are using AI in a way that's related to client delivery or output, or the use of client information that you're disclosing that to your clients.
And if you are going to input certain information which you think is anonymized or you think is not sensitive, if it does relate to a client, then you need to get their consent. So you can see it starts getting murky now because we start going down rabbit holes around, well, what's sensitive, what's personal?
When do I get consent? What's implied consent and express consent, that there's a whole number of rabbit holes we can go down. And what I want to say to you is, let's keep it simple. One of the values in my business is, let's keep it [00:12:00] simple. First and foremost, know the AI tools you are using. Know what's happening with data you input, and know who owns it.
That's the first thing. The second thing, be really clear with your team. Have your internal processes and policies drafted so that personal data belonging to a client or a consumer that you have acquired and been trusted with is not inputted into AI. That's the biggest takeaway from this podcast for you today other than you need a privacy policy, is don't put your client or consumer's personal data or sensitive information into AI.
That is the best approach because you then don't run the risk of having data or information misused, reproduced, used to teach the AI tool. It's my very risk averse approach for my clients. That's my best piece of guidance on that. What I wanna take a moment to say is, if you are using commercial AI [00:13:00] that's public facing, such as a chat bot, you need to make it really clear it's a chat bot. You can't pretend that it's you. You can't pretend that it's your team. So if somebody's entering their information, they need to know I'm a chat bot. They need to know when you are answering questions for them, that this is actually a chat bot, so that when they're entering their data, they're really clear that their data's not being given to you in the context of your business.
It's being given to a chat bot, which you may pay for and you may have engaged, but they need to know they cannot be misled around who it is that they're talking to. Transparency is a real focus of the changes to the privacy legislation. You can't mislead, you can't pretend. Please don't do that. That's something you need to be aware of and your privacy policy on your website needs to make it really clear if you are using these public facing AI tools such as Chatbot, that in fact chatbot's being used and the data you are sharing is chatbot, set out what it is, include [00:14:00] links to their own privacy so that consumers have the option if they want to, to go in and read so they can be really clear on what's happening with their data.
Many new clients say to me, Tracey, I don't really wanna go down this path because I'm quite sure no one will ever read it. That's not the point. That's not the test. And it's not a matter for you to decide whether people will read it or not. You have certain obligations as a business owner, now is the time to get really clear on them so you can meet them.
We can't say, I don't wanna be bothered because no one reads it anyway, 'cause you just don't know. And more and more people are becoming so aware and savvy with this and obligations of businesses that it is having an impact and they are reading. So I just wanna say that.
You have an obligation, so let's focus on your obligations, stay in your lane in relation to what you need to do so we can meet those obligations without getting caught up on, well, I don't really want to because I don't think anyone's gonna take any notice because they are, they're taking notice.
I wanna just pause here and give an example of a really [00:15:00] high risk situation where business owners don't realise that an app that they're using is using their data in other ways, so it's not necessarily AI, but it is a really important example that I just wanna shine a light on for the moment because this is something that business owners just don't seem to be aware of and the risk is so high.
This is the app Cap Cut. So if you haven't heard about Cap Cut, Cap Cut is an app that business owners are using to create and edit videos. The terms and conditions of Cap Cut have changed recently, and business owners are getting caught out because they're just ticking the box to say, yep, I agree, and they're not going in and reading it.
But what Cap Cut's terms say is any data you upload becomes the property of Cap Cut. They're free to do with it what they will, they can repurpose it. They can use it for advertising, they can edit it, they can cut it, they can share it. It is theirs. It is no longer yours. This is a massive red flag if you have Cap Cut, I suggest you delete [00:16:00] it immediately.
But this is a classic example of changes to terms and conditions being made and business owners not being aware because they haven't taken the time to read what the changes are and what they mean and when they're using the app, whatever it is they're creating is no longer their own. Now this is not a situation where I'm concerned about sharing client data or sensitive information. I'm using this as an example to demonstrate the importance of reading the terms and conditions in this day and age because ownership of the data, ownership of what's being created is so important because you assume it's yours. It is not. It is not always yours. It's an assumption that business owners can't afford to be making.
That's just one example. I just wanted to shine a light on that as a real life example for context, so you realize why it is that this topic is so important. It feels like it's a heavy episode, but it's not designed to be heavy. It's designed to be able to cut through the noise for you to be really clear around what it is you need to be focusing on and what you need to do. [00:17:00]
And you can then go forward with confidence and peace of mind knowing you've got this. So let's just summarize. Changes to the privacy law, they're already being implemented. There are more changes coming. The biggest one being the exemption for small businesses is not going to apply for very much longer.
So if you don't have a privacy policy, now's the time to add it to your list and reach out to your business lawyer to have the conversation. If you don't have a business lawyer, you are so welcome to reach out to me. Let's talk about it. That's the first thing. The second thing, make sure you know what AI you're using in your business, what AI is being used in your business, and what the terms and conditions are around that AI.
If you're using AI, disclose it to clients. Make sure that they know. Make sure that you have processes and systems in place in your business where sensitive and personal data of your clients and consumers is not being shared in AI. And third, if you're using commercial front facing AI such as Chatbot, make sure your privacy policy is disclosing [00:18:00] the use of Chatbot.
Make sure people know it's a Chatbot and that you're not misleading them or pretending, such that they think they're dealing with a real person in your business. They're the biggest takeaways from this episode. I hope this has been valuable in sharing some insight for you on why the changes to the privacy law are really important for you, how this dovetails into AI and where you need to focus in understanding who owns the data that's being put in, what's being done with the data that you're putting into AI.
To wrap up, as I'm doing with all episodes in this series, I'm answering two questions that have come across my desk a lot lately. So the first one is a question that I had last week. Can my terms and conditions for my business be one paragraph at the bottom of my invoice? And quite simply, no it can't because they're not terms and conditions. There's so many reasons why they're not terms and conditions, and you can go back and listen to so many episodes of the podcast where I dive into T's and C's and what they are, what they need to include and why they're so important.
But no. That's [00:19:00] not terms and conditions. And the second one then, which flowed on from that one same person, is how long is long for T's and C's? So I talk a lot about saying there's no prizes for having T's and C's in your business, or a client service agreement that's two pages, no prizes. It just sends the wrong message.
It's a hard no from me. But then how long is long? Because I always say to clients, it doesn't need to be overly long. This doesn't need to look like something a lawyer from the sixties has drafted to demonstrate their intellect. When we start, when we talk about those types of terms and conditions that you'll get from traditional practice often, we're looking at around 40 pages often for your client service agreement and things like that.
No one needs that in their life. In my view, I don't think anybody needs that, and I don't feel like that serves anybody, either the business or the client. My best gauge ballpark to answer the question about, well, how long's long? 40 pages, no one needs it. Two pages, way too short. [00:20:00] Aim in the middle. So depending on the complexity, obviously of your services, but aim somewhere from say six or seven up to nine or 10 if it's average and if it's really straightforward services.
I just wanted to share that because it does help manage expectations when clients reach out to me to say, Hey, really wanna work with you. This is what I wanna create. And we always talk length of documents and when I draft, we talk about why everything's included and what needs to be added and what we can remove and things like that.
But that's where you wanna be aiming. Definitely not two pages. Most certainly not 40, somewhere in the middle, depending on the complexity, but usually around that six or seven, up to sort of eight or nine, something like that can work really, really well. I hope you have found this episode to be helpful, and I hope we've been able to cut through some of the complexity around the dialogue of privacy law changes, and AI use.
If any of this is causing you confusion or if you wanna dive in, continue the conversation, please reach out and book in a time for a conversation. Book in a time to chat. [00:21:00] I love to hear from you and I'm so happy to have these conversations to help guide you. You can book a time via the website, a time that suits you, and I look forward to hearing from you.
As always, thanks so much for joining me. Catch you next time.
Rate, Review and Follow me on Apple Podcasts
If you loved this episode, please consider rating and reviewing my show! This supports me in helping to empower more coaches, creatives and consultants - just like you - protect what they're building, and move forward with confidence in their business. It's quick and easy - click here, scroll down to the bottom, tap to rate with 5 stars and select 'write a review'. As always, I'd love to know what you think, and what you loved most about this episode. Also, don't forget to follow the podcast to stay up to date with the latest episodes.