Do Not Train

As AI adoption has accelerated, so has attention to a specific question: when a company uses a third-party AI platform, can that platform use the data passed to it, including prompts, queries, and documents, to train or improve its underlying models? The answer has significant implications for data privacy, confidentiality, and consent.

For individuals, the right not to have their data used to train AI models is emerging as a distinct privacy right. Italy's data protection authority has specifically questioned whether consent to data collection covers the subsequent use of that data for AI training.

For enterprises, 'do not train' controls address both regulatory compliance and commercial confidentiality. Most major AI providers offer contractual commitments not to train on enterprise customer data, but this protection applies only when those commitments are explicitly included in the agreement.

Organizations that send customer data to AI platforms without verifying training data policies may be violating the purposes for which that data was collected, creating GDPR and CCPA exposure. Implementing 'do not train' at scale requires flagging data with appropriate use restrictions and propagating those restrictions to every system that processes the data.