Companies May Be Responsible for the Use of AI in Their Supply Chain Services

Brownstein Client Alert, Nov. 13, 2025

Most companies that collect or process personal information (aka personal data or PII) have service providers (vendors or sub-processors) as part of their supply chain. There may be many layers to that supply chain, as service providers are likely to have service providers of their own. Several state privacy laws contain mandatory contractual obligations for service providers that process personal information, including passing these obligations on to the service provider’s sub-processors. Another designation for a service provider is a “processor.” Under the Colorado Privacy Act (“CPA”), a processor is defined as “a person that processes personal data on behalf of a controller.” The controller is the entity that collects the data and either processes it or passes it on to a service provider for processing. Under the CPA, controllers and processors have certain obligations. These obligations may also apply to the service provider’s use of artificial intelligence (“AI”) that aids in the processing. Such obligations are:

  • “Processors shall adhere to the instructions of the controller and assist the controller to meet its obligations.”
  • “Taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller’s obligations to respond to consumer requests to exercise their rights.”
  • The processor shall engage “a subcontractor only after providing the controller with an opportunity to object and pursuant to a written contract in accordance with” the CPA.
  • “PROCESSING BY A PROCESSOR MUST BE GOVERNED BY A CONTRACT BETWEEN THE CONTROLLER AND THE PROCESSOR THAT IS BINDING ON BOTH PARTIES AND THAT SETS OUT”:
    • Processing instructions
    • Deletion or return of all personal data at the choice of the controller at the end of the services
      • Note: retrieving data from an AI model may be challenging if not impossible
    • Making available to the controller all information necessary to demonstrate compliance with CPA obligations

These responsibilities cannot be contracted away: “In no event may a contract relieve a controller or a processor from the liabilities imposed in them by virtue of its role in the processing relationship as defined by [the CPA].”

The California Consumer Privacy Act (“CCPA”) regulations have similar contractual requirements including:

  • Prohibiting the service provider from selling or sharing personal information that it collects under the contract
  • A specific description of the business purposes for processing under the contract
  • A prohibition on the service provider from retaining, using or disclosing the personal information that it collected under the contract for any purpose not specified
  • Requiring the service provider to comply with all applicable sections of the CCPA and regulations. Examples include:
    • requiring the service provider or contractor to cooperate with the business in responding to and complying with consumers’ requests made pursuant to the CCPA
    • assisting the business in completing the business’s cybersecurity audit pursuant to Article 9 (effective Jan. 1, 2026)
    • assisting the business in conducting the business’s risk assessment pursuant to Article 10 (new regulation effective Jan. 1, 2026)
    • assisting the business in complying with the business’s automated decisionmaking technology (“ADMT”) requirements pursuant to Article 11 (new regulation effective Jan. 1, 2027)
    • implementing reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification or disclosure

“Automated decisionmaking technology” or “ADMT” means any technology that processes personal information and uses computation to replace human decision-making or to substantially replace human decision-making.

And if you have a global company, the United Kingdom (UK) and European Union (EU) General Data Protection Regulation (GDPR) also require similar contractual obligations in Article 28.

If ADMT or ADM sounds a lot like AI, that is because it is traditional AI. ADM has been around for a long time. Indeed, ADM is addressed in Article 22 of the European General Data Protection Regulation (“GDPR”), which became effective in May 2018. ADM can be accomplished with relational databases and structured query language (“SQL”) queries. Passing data to vendors and service providers that provide ADM services has not been an issue for accessing that data for data subject access requests (“DSARs”), because data in a relational database is easy to retrieve, correct and delete. That is not the case for generative AI (“Gen AI”), which is not based on a relational database but instead on an AI model. Personal information or data placed into an input prompt for Gen AI may become lost in the model and thus unretrievable. The Gen AI provider may also collect prompt input data. Companies should maintain control over their AI solutions and also apply contractual control over how AI is used with their data in the supply chain.

For Gen AI solutions that your company employs, you may have some configuration and enterprise version choices for control. You can and should train your employees on specific use cases and limit the use of AI to specific roles and use cases. Use of unapproved AI (shadow AI) should be prohibited just as the use of shadow IT should be prohibited. But what about your vendors that you pass personal information to for processing? You could contractually forbid the use of AI by your vendors—we have seen this approach. But that isn’t a viable solution in today’s tech-forward environment, and the services may cost more without AI if you can find a vendor willing to not use AI. The solution for meeting privacy law contractual obligations in your supply chain is a data processing agreement (“DPA”) that includes an AI addendum or statement of work (“SOW”) that limits the use of AI by the vendor to a specific set of customer-approved use cases.

The DPA also provides protection for service providers as the DPA contains customer obligations in addition to service provider obligations. For example, the service provider may provide an AI chatbot prompt that is susceptible to prompt injection attacks if not properly managed by the customer.

A well-written DPA will protect both the customer and the supply chain service providers—a win-win situation.
THIS DOCUMENT IS INTENDED TO PROVIDE YOU WITH GENERAL INFORMATION REGARDING COMPLYING WITH PRIVACY LAW CONTRACTUAL OBLIGATIONS WHEN USING AI AND VENDORS TO PROCESS PERSONAL DATA. THE CONTENTS OF THIS DOCUMENT ARE NOT INTENDED TO PROVIDE SPECIFIC LEGAL ADVICE. IF YOU HAVE ANY QUESTIONS ABOUT THE CONTENTS OF THIS DOCUMENT OR IF YOU NEED LEGAL ADVICE AS TO AN ISSUE, PLEASE CONTACT THE ATTORNEYS LISTED OR YOUR REGULAR BROWNSTEIN HYATT FARBER SCHRECK, LLP ATTORNEY. THIS COMMUNICATION MAY BE CONSIDERED ADVERTISING IN SOME JURISDICTIONS.