Voice Apps and GDPR


#1

GDPR (General Data Protection Regulation, Wikipedia) was a big topic last year. I saw some people ask questions about how to make their Alexa Skills and Google Actions GDPR compliant, but there are no clear answers.

Has anyone here built GDPR compliance into their voice apps? What did you do?

GDPR requires a few users’ rights (learn more here). Some of them are easy to solve by adding some additional intents and logic, some are a little tricky:

  • Right to Access Personal Data: Users should be able to get all the data collected about them. I think this can be a challenge because of anonymized user IDs, so this could only be “triggered” (if no account linking is used) by a dedicated intent. Difficult to return saved data in a voice response though. Any thoughts?
  • Right to Rectification: Users should be able to have their data modified. If the user’s ID is known (see above), this shouldn’t be a problem.
  • Right to Erasure: All data should be able to be deleted. Shouldn’t be a problem with a DeleteAllMyDataIntent.
  • Right to Restrict Data Processing: Users should be able to stop processing of their personal data. I think this can be solved by adding a flag isUserDataProcessingAllowed. This would keep the data in the database, but would treat the user as a new user with no stored data.
  • Right to be Notified: I think both Alexa and Google Assistant app stores solve this with links to terms of use and privacy policies of individual apps.
  • Right to Data Portability: A user should be able to request that their personal data is sent to a third party. Shouldn’t be a problem, as user data in voice apps is mostly structured and available in one database.
  • Right to Object: Solution -> don’t reject data processing requests.
  • Right to Reject Automated Individual Decision-Making: Similar to Right to Restrict Data Processing in my opinion.

The question here is also: What counts as personal data? As the voice platforms already anonymize the data to app-scoped user IDs, there is not a lot of Amazon/Google account information that an app can get (without account linking). Does “has used the 3 times this week” count as personal data?

Interested in hearing your thoughts!
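
The erasure intent and the `isUserDataProcessingAllowed` flag described in the post above, as an added example that is not part of the original post. It uses no voice framework API; the in-memory `Map`, `RestrictProcessingIntent`, `exportUserData` and the `launchCount` field are hypothetical names chosen for illustration.

```javascript
// Constructed in-memory stand-in for the app database, keyed by app-scoped user ID.
const db = new Map();

// Returns the data the app may use for this request.
// A restricted user keeps their stored record but is served an empty,
// read-only view, i.e. is treated like a new user with no stored data.
function getSessionView(userId) {
  const record = db.get(userId);
  if (record && !record.isUserDataProcessingAllowed) {
    return { data: {}, writable: false };
  }
  if (!record) {
    db.set(userId, { isUserDataProcessingAllowed: true, data: {} });
  }
  return { data: db.get(userId).data, writable: true };
}

// Structured export of everything stored for the user (access / portability).
// Delivery happens outside the voice response, which is out of scope here.
function exportUserData(userId) {
  const record = db.get(userId);
  return JSON.stringify(record ? record.data : {});
}

// Minimal intent dispatcher returning the speech text.
function handleIntent(userId, intent) {
  switch (intent) {
    case 'DeleteAllMyDataIntent':        // erasure: remove the whole record
      db.delete(userId);
      return 'All data stored for you has been deleted.';
    case 'RestrictProcessingIntent': {   // restriction: keep data, stop using it
      const record = db.get(userId) || { data: {} };
      record.isUserDataProcessingAllowed = false;
      db.set(userId, record);
      return 'Your data will no longer be processed.';
    }
    default: {                           // any normal request
      const view = getSessionView(userId);
      if (view.writable) {
        view.data.launchCount = (view.data.launchCount || 0) + 1;
      }
      return view.data.launchCount > 1 ? 'Welcome back.' : 'Welcome.';
    }
  }
}
```

Because the check sits in `getSessionView`, every code path that reads or writes user data honours the flag without each intent handler having to test it.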


#2

This is a really interesting topic. For the French-speaking members of the Jovo Community, I’d like to point out there is a MOOC on GDPR that is run by the data watchdog organization here in France:

As far as I understand, personal data is data that can uniquely identify an individual. So, for instance, the color and make of your car is not personal data because presumably many different people can have the same car, unless, for instance, we are talking about some prototype or uniquely made car that is very well known. So although IANAL, I don’t think “has used 3 times this week” counts as personal data.


#3

Thanks, Luis. Yes, I think this makes sense. But then again, I’m not sure if we can rely on common sense here :sweat_smile:


#4

I think that’s the intuition behind the definition of personal data, but hey, someone might have a different view and take it personally :rofl: More seriously though, it would be helpful to have some practical guidance on the issue, perhaps from the voice community at large. I signed up for the MOOC (baby steps) :baby:!