Skip to main contentIBM Design for AI

User data rights

AI must be designed to protect user data and preserve the user’s power over access and uses.

It is your team’s responsibility to keep users empowered with control over their interactions. Pew Research recently found that being in control of our own information is “very important” to 74% of Americans. The European Commission found that 71% of EU citizens find it unacceptable for companies to share information about them without their permission. These percentages will rise as AI is further used to either amplify our privacy or undermine it. Your company should be fully compliant with the applicable portions of EU’s General Data Protection Regulation and any comparable regulations in other countries, to make sure users understand that AI is working in their best interests.

User data rights pictogram

Users should always maintain control over what data is being used and in what context. They can deny access to personal data that they may find compromising or unfit for an AI to know or use.

Allow users to deny service or data by having the AI ask for permission before an interaction or providing the option during an interaction. Privacy settings and permissions should be clear, findable, and adjustable.

Provide full disclosure on how the personal information is being used or shared.

Users’ data should be protected from theft, misuse, or data corruption.

“Individuals require mechanisms to help curate their unique identity and personal data in conjunction with policies and practices that make them explicitly aware of consequences resulting from the bundling or resale of their personal information.”

To consider

  • Employ security practices including encryption, access control methodologies, and proprietary consent management modules to restrict access to authorized users and to de-identify data in accordance with user preferences.
  • It is your responsibility to work with your team to address any lack of these practices.

Questions for your team

  • What types of sensitive personal datadoes the AI utilize and how will this data be protected?
  • What contractual agreements are necessary for data usage and what are the local and international laws that are applicable to our AI?
  • How do we create the best user experience with the minimum amount of required user data?

Data rights example

  • The hotel provides guests with a consent agreement to utilize the AI hotel assistant before they begin using the AI’s services. This agreement clearly outlines to guests that the hotel does not own their data and they have the right to purge this data from the system at any time, even after checkout.
  • During user interviews, the design researchers find that the guests feel they should be provided with a summary of the information that was acquired from them during their stay. At checkout, they can instruct the hotel to remove this information from the system if they wish.
User data rights illustration