Q. How do we define "artificial intelligence (AI) technologies" or "AI"?

A.   Any system or component that uses large language models or machine learning models to consume, process or output information.

Q. How do we define "automated decision-making technologies" or "ADMT"?

A.   Any software component which utilizes AI or rules to generate information that could result in a decision impacting individual consumers.

Q. How do we define "Responsible AI"?

A.   By associating an AI instance with a Responsible Human, who is accountable for the AI instance. The Responsible Human must have a name, role, and contact information. The Responsible Human must demonstrate their ability and willingness to respond to questions and concerns from individual consumers in a timely manner without charging fees or meeting conditions designed to suppress interactions with the entity represented by the Responsible Human.

Q. How do we define "vendors"?

A.   Organizations (businesses, public agencies, and not-for-profit organizations) with a direct relationship to a consumer is considered a "vendor". If your organization is considered a first-party controller of someone's personal information, then your organization is classified as a vendor.

Q. How do we define "third parties"?

A.   If your organization does not have a direct relationship with a consumer, then your organization is classified as a "third party". A third party might be a vendor, service provider, or contractor to a consumer's first-party vendor which authorizes the third-party to process the consumer's personal information by executing a written contract or data processing agreement. A third-party could also be a "data broker", which we define as any organization or individual who publishes or shares personal information of consumers without written authorization. Important: If your organization does not have a "direct relationship with a consumer" and is not willing or able to provide a consumer with proof of written authorization to collect, store, process, or share the consumer's personal information, then your organization is classified as a data broker.

Q. How does PrivacyPortfolio determine if a consumer has "a direct relationship to an organization"?

A.   When a consumer consents to collection, processing, or sharing of personal information when visiting a website or digital property, requesting a resource, accepting cookies or policies, or voluntarily submitting personal information directly or indirectly to an organization's domain. It is not necessary for a consumer to purchase any goods or services or to create a digital account from a first-party vendor to establish a "direct relationship".

Q. What is PrivacyPortfolio's definition of "a consumer"?

A.   A consumer is a natural-born individual that has a right to privacy. In California, a consumer can also be an employee.

Q. Who does PrivacyPortfolio consider to be a "stakeholder"?

A.   Stakeholders are individuals and organizations with an interest in a specific company's business practices. Stakeholders may include consumers, customers, vendors, investors, management, employees, partners, sponsors, regulatory agencies, subject matter experts, and advocates representing the public. In general, stakeholders are those parties potentially impacted by a company's decisions or actions.

Q. What is a "Decision Diary"?

A.   PrivacyPortfolio maintains an event log of decision-making activities when consumers interact with organizations. These events are associated with Decision Sets attributed to an organization, for the purpose of collecting evidence for Risk Assessments on Automated Decision-Making Technologies. Alerts can be generated and sent to registered stakeholders who subscribe to these events, which provides opportunities for all stakeholders to evaluate risks, act, and provide impact information related to these Decision Sets.