When Should Your Business Disclose Its Use of AI?

Executive Summary: Businesses should disclose AI use when it processes personal data, influences customer decisions, uses client data for model training, or affects contractual obligations. Transparency under federal and state consumer protection laws reduces risk and builds trust.

Artificial intelligence is no longer optional in most business tools. It is embedded in email platforms, CRMs, document management systems, accounting software, and customer support products. Many companies are using AI without even realizing how often it is running in the background.

But once AI touches your data—or your customer’s data—the question shifts from convenience to compliance. When should you disclose that AI is involved? And what exactly are you disclosing?

These are not academic questions. They affect contracts, privacy policies, vendor negotiations, and customer trust.

1. When AI Processes Personal Data

If AI tools process personal data, disclosure may be required under federal or state privacy law.

For example, the Federal Trade Commission (FTC) has made clear that companies must avoid deceptive practices when using AI, especially if it affects consumers’ rights or expectations. If your privacy policy says you use data only to provide services, but your vendor uses that data to train models, you may have a mismatch between disclosure and reality.

For businesses in healthcare and healthtech, this risk is higher. Patient data and health-related information may also be subject to the Health Insurance Portability and Accountability Act (HIPAA), which imposes strict rules on how data is used, disclosed, and protected, even when AI tools are involved.

If AI is processing personal information, your privacy policy should clearly state:

• What data is collected

• Whether AI tools are used

• Whether data is used to train models

• Whether third-party vendors are involved

• 
  

Transparency is not optional. It is risk management.

2. When Vendors Use Your Data to Train Models

Before AI became widespread, vendor agreements often limited data use to “providing the services.” Now, many vendors rely on aggregated customer data to improve and train their AI systems.

The practical reality is that AI often works because vendors analyze user data at scale. Some vendors allow customers to opt out of training, but only at higher enterprise pricing tiers. Others may not allow it at all.

So the real question becomes: What are vendors doing with your data, and are you comfortable with it?

Businesses should:

• Review data processing agreements (DPAs)

• Identify whether data is used to train AI models

• Determine whether the data is anonymized or aggregated

• Confirm whether data flows to sub-vendors

  
  

Often, the data does not stay with one company. It may move to multiple sub-processors. Understanding that chain is critical. We have spent significant time evaluating how vendors handle information and the rules that govern its use.

Disclosure becomes necessary when your own customers’ data is involved. If their information helps train AI systems—even indirectly—they may have a right to know.

This becomes especially important for healthcare and healthtech companies. Many AI vendors classify health-related data as high-risk, and some restrict how that data can be used or prohibit certain types of model training altogether. In these cases, understanding where your data goes and whether it is used beyond providing the service is not optional. It directly affects compliance obligations and vendor selection.

3. When AI Influences Customer-Facing Decisions

If AI affects pricing, hiring, credit decisions, or customer service outcomes, disclosure may be required under sector-specific laws. For example:

• The Equal Credit Opportunity Act (ECOA) requires transparency in credit decisions.

• The Fair Credit Reporting Act (FCRA) governs certain automated decision systems.

• New York City’s Local Law 144 requires bias audits and disclosures for AI tools used in employment decisions.

Even if your business is based in Connecticut, New Jersey, or Pennsylvania, you may serve customers in jurisdictions with AI-specific rules. If AI materially affects decisions about people, disclosure and compliance review are essential.

4. When Your Contracts Promise Data Restrictions

Many service agreements include clauses that restrict data use to a specific purpose. If you later introduce AI tools that analyze or process that data differently, you may be in breach of contract. Commercial agreements should be reviewed to confirm:

• Whether AI processing is permitted

• Whether model training is allowed

• Whether sub-vendors are authorized

• Whether confidentiality provisions are satisfied

If a client objects to AI model training, you may face a choice: upgrade to an enterprise version that limits data use, or reconsider the vendor altogether. That becomes a commercial decision as much as a legal one.

5. Internal Policy Matters Too

Disclosure is not just external. Internally, companies should:

• Maintain AI use policies

• Train employees on approved tools

• Restrict uploading sensitive data into free AI platforms

• Distinguish between free and enterprise AI environments

For example, the difference between consumer AI products and business-tier products can include contractual restrictions on data retention and training. That difference should be understood before employees upload client data.

Disclosure Is About Trust

AI is now embedded in most software products. The issue is not whether AI is being used, because it almost certainly is. Instead, the issue is whether your customers understand how their data is handled and whether your contracts align with reality. Clear disclosure protects your reputation and reduces regulatory exposure.

If you are unsure where your data goes or how your vendors use it, that is the place to start.

Temple Law works with businesses across Connecticut, New Jersey, New York, and Pennsylvania to review AI policies, vendor agreements, and privacy disclosures so companies can innovate responsibly.

FAQs

1. Do we always have to disclose AI use?

Not always. Disclosure depends on whether AI processes personal data, affects customer decisions, or changes how data is used compared to your public statements.

2. Is anonymized data safe from disclosure requirements?

It depends on whether the data is truly de-identified under applicable privacy laws and whether contracts restrict its use.

3. What is the biggest risk with AI vendors?

Unclear data use rights. Many vendors reserve broad rights to use customer data for model training or improvement.

4. Can we prohibit vendors from training AI on our data?

Sometimes. Some vendors offer enterprise options that limit training use. Others may not. The contract governs.

5. Should AI use be addressed in commercial contracts?

Yes. Contracts should clearly define permitted data use, sub-processors, confidentiality, and model training rights.