Privacy Activity Tool

Privacy Activity Tool

Privacy Activity Tool

Interactive checklist • Practice assessments • Privacy education for AI & the web
0
Current Score
Needs work

Welcome

Use this tool to learn and practice how to evaluate website and AI privacy practices. Move through the tabs to read the material, complete the 15‑point checklist, and assess real websites with real‑time scoring.

  • Real‑time scoring on a 0–100 scale
  • 15‑point interactive checklist with progress
  • Practice workflow to assess any URL
  • Comparative case studies
  • Overview of GDPR, CCPA/CPRA, COPPA, HIPAA & more

Privacy in AI — why it matters

AI systems are only as trustworthy as the data and safeguards behind them. Responsible AI requires data minimization, clear consent, and human‑centered transparency about how data trains or powers models. This tool highlights what to look for in the real world.

✔️ Minimization
🔐 Encryption in transit & at rest
📜 Clear, accessible policies
🧹 Reasonable retention & deletion
🧠 AI transparency & model use
🚪 User rights & opt‑out

15‑Point Privacy Checklist

Progress: 0/15

Check each criterion that the site clearly meets. Your score updates in real time.

Practice Assessment

Paste a website or app URL to assess. Use the checklist, then save your results. You can add optional notes.

Current: (none)

Saved Assessments

DateURLScoreChecked

Privacy Regulations — Quick Overview

  • GDPR (EU): Lawful basis, data minimization, purpose limitation, DPIAs for high‑risk processing, DPO where required, cross‑border safeguards, data subject rights (access, rectification, erasure, portability, objection).
  • CCPA/CPRA (California): Notice at collection, right to know/delete/correct, opt‑out of sale/sharing, sensitive data limits, GPC (Global Privacy Control) signals, reasonable security.
  • COPPA (US): Parental consent for under‑13 data, age‑gating, data minimization, clear notice.
  • HIPAA (US): For covered entities & BAs handling PHI: safeguards, minimum necessary, BAAs, breach notification.
  • PIPEDA (Canada): Consent, identifying purposes, limiting collection, safeguards, access & correction rights.
  • Other: GDPR‑UK, LGPD (Brazil), PDPA (various), ePrivacy, state privacy laws (VA, CO, CT, UT, etc.).

Tip: When assessing a site, scan for a data rights portal, cookie banner configuration, and region‑specific notices.

Key Concepts for AI

  • Model training disclosures: Does the site explain whether personal data trains models?
  • Inference privacy: Are prompts/outputs logged? For how long? Who can access them?
  • De‑identification: Are datasets aggregated or anonymized with re‑identification testing?
  • Human‑in‑the‑loop: Who reviews flagged content? What safeguards exist?
  • Vendor risk: Which subprocessors receive data? Are DPAs/BAAs in place?

Good Practice — “ClarityAI” (hypothetical)

  • Layered privacy notice with plain‑language summaries
  • Granular consent & opt‑out controls, honors GPC
  • Short retention (30 days logs), user deletion within 7 days
  • Public list of subprocessors + DPAs
  • AI transparency page with training data categories, evaluation risks
Expected score: 90–100

Poor Practice — “ShadowScrape” (hypothetical)

  • No visible privacy policy; dark patterns at sign‑up
  • Extensive tracking without consent; ignores GPC
  • Indefinite retention, shares data broadly
  • No deletion/export process; vague AI training claims
  • No security details; TLS errors on subpages
Expected score: 0–30

Step‑by‑Step Assessment Guide

  1. Find the privacy artifacts: Policy, cookie banner, account settings, data request form, AI transparency page.
  2. Identify data flows: What is collected? Where does it go (vendors)? For what purposes?
  3. Apply the 15‑point checklist: Check only what you can confirm from UI/policy evidence.
  4. Score & reflect: Use notes to capture gaps, risks, and suggested improvements.
  5. Compare: Review case studies; what separates high vs low scorers?

Pro tip: Screenshots + URLs to specific policy sections strengthen your evidence trail.