Do they own your data? Otter.ai Privacy Policy Reviewed.
TL;DR: Companies handling highly sensitive calls face significant privacy concerns when using Otter.ai for call recording, including data usage for AI training, third-party data sharing, and compliance challenges with regulations like GDPR and HIPAA.
Our team scored Otter.ai a 4/10 on privacy for a business use case.
Introduction
In today’s digital landscape, tools like Otter.ai provide convenient solutions for recording and transcribing meetings. However, for companies handling highly sensitive calls and working with individuals requiring strict confidentiality, it’s essential to understand the privacy implications of using such services. This blog post examines key privacy concerns associated with Otter.ai’s call recording feature, referencing their privacy policy effective September 1, 2024, and explains what these mean for your organization.
1. Data Usage for AI Training
Under Section 2: How We Use Your Personal Information, Otter.ai states:
“We train our proprietary artificial intelligence technology on de-identified audio recordings. We also train our technology on transcriptions to provide more accurate services, which may contain Personal Information.”
They also mention:
“We obtain explicit permission (e.g. when you rate the transcript quality and check the box to give Otter.ai and its third-party service provider(s) permission to access the conversation for training and product improvement purposes) for manual review of specific audio recordings to further refine our model training data.”
What This Means for You:
Your sensitive call data is used to train Otter.ai’s AI models. Even though they mention de-identified audio recordings, transcriptions used for training may still contain confidential information. Additionally, manual reviews involve human access to specific audio recordings, potentially exposing sensitive content. This raises concerns about data confidentiality and whether the measures taken to de-identify data are sufficient to protect your sensitive information.
2. Third-Party Data Sharing
In Section 4: With Whom We Share Your Personal Information, Otter.ai states:
“We share your Personal Information with selected third parties, including:
- Data labeling service providers who provide annotation services and use the data we share to create training and evaluation data for Otter’s product features.
- Artificial intelligence service providers that provide backend support for certain Otter product features.”
They also mention:
“Cloud service providers who we rely on for compute and data storage, including Amazon Web Services, based in the United States.”
What This Means for You:
Sharing data with third-party service providers, including data labeling and AI service providers, increases the risk of unauthorized access or misuse of your sensitive information. Storing data on cloud services like AWS, while generally secure, may conflict with your company’s policies or regulatory requirements, especially if you need to maintain data within specific jurisdictions or under strict control.
3. Data Security Concerns
Under Section 10: Data Security, Otter.ai acknowledges:
“However, the transfer of Personal Information through the internet will carry its own inherent risks and we do not guarantee the security of your data transmitted through the internet. You make any such transfer at your own risk.”
What This Means for You:
Although Otter.ai implements security measures, it acknowledges that data transmission over the internet carries inherent risks and that absolute security cannot be guaranteed. For companies dealing with highly sensitive information, even minimal risks may be unacceptable. This could lead to exposure of confidential data during transmission.
4. Data Retention and Deletion
In Section 5: How Long We Store Your Information, Otter.ai states:
“Otter.ai stores all Personal Information for as long as necessary to fulfill the purposes set out in this Policy, or for as long as we are required to do so by law or in order to comply with a regulatory obligation.”
They further mention:
“When deleting Personal Information, we will take measures to render such Personal Information irrecoverable or irreproducible, and the electronic files which contain Personal Information will be permanently deleted.”
What This Means for You:
The policy does not specify exact retention periods, leading to uncertainty about how long your sensitive data will be stored. Extended retention increases the risk of data breaches. While Otter.ai mentions data deletion measures, if your data has been used for AI training, it may not be feasible to completely remove it from all systems, especially from AI models that have already been trained on that data.
5. Compliance with Regulations
Under Section 11: Cross-Border Data Transfers, Otter.ai mentions:
“To facilitate our global operations, Otter.ai may transfer, store and process your operations with our partners and service providers based outside of the country in which you are based. Laws in those countries may differ from the laws applicable to your country of residence.”
They also state:
“Where we transfer, store and process your Personal Information outside of the EEA or the UK we will ensure that the appropriate safeguards are in place to ensure an adequate level of protection such as through acceding to the Standard Contractual Clauses.”
What This Means for You:
Cross-border data transfers could violate data protection regulations such as GDPR or HIPAA, especially if data is transferred to countries without adequate data protection laws. Your company may face compliance challenges, particularly if sensitive personal data of individuals from the EU or other regions with strict data protection laws is involved.
6. Control Over Data
In the opening section of the privacy policy, Otter.ai states:
“Where we have an Otter Business or enterprise service agreement in place with an enterprise customer… we obtain and process your Personal Information on behalf of and at the instructions of that customer. In that context, such enterprise customers are the data controllers.”
However, they also mention:
“We are the data controller under the applicable privacy laws.”
What This Means for You:
Unless you have an enterprise agreement with Otter.ai, they act as the data controller, giving them significant control over how your data is processed and used. This limits your company’s ability to enforce specific data handling procedures or policies, potentially leading to data processing activities that do not align with your privacy requirements.
7. Consent and Permissions
Under Section 1: Information You Provide Us About Others, Otter.ai states:
“If you provide an Audio Recording, this may contain the Personal Information of third parties. Before you do so, please make sure you have the necessary permissions from your co-workers, friends or other third parties before sharing Personal Information or referring them to us.”
What This Means for You:
When recording calls that involve sensitive individuals, you must ensure that you have obtained all necessary consents. This can be complex, particularly when dealing with individuals in different jurisdictions or when the calls involve highly confidential matters. Failure to obtain proper consent could result in legal issues and breach of privacy laws.
8. Law Enforcement and Legal Requests
In Section 4: With Whom We Share Your Personal Information, Otter.ai mentions:
“Law enforcement agencies, public authorities or other judicial bodies and organizations. We disclose Personal Information if we are legally required to do so, or if we have a good faith belief that such use is reasonably necessary to comply with a legal obligation, process or request…”
They add:
“For more information, please see Otter’s Data Request Policy.”
What This Means for You:
Your sensitive data may be disclosed to law enforcement or other authorities without your knowledge or consent if Otter.ai deems it necessary. This could breach confidentiality agreements and expose sensitive information, with your company possibly being unaware of such disclosures and unable to take protective measures.
9. Use of Data for Advertising and Analytics
Under Section 3: How We Use Cookies and Similar Technologies, Otter.ai states:
“We and our third party partners use Cookies, pixel tags, and similar technologies to collect information about your browsing activities…”
They also mention:
“Advertising Partners: We work with third party advertising partners to show you ads that we think may interest you.”
What This Means for You:
While Otter.ai primarily uses cookies and similar technologies for improving user experience, the involvement of advertising partners means that some of your usage data could be used for advertising purposes. Although this may not include the content of your calls, metadata or patterns of use could inadvertently reveal sensitive aspects of your company’s operations.
10. Change in Ownership
In Section 4: With Whom We Share Your Personal Information, Otter.ai notes:
“Change of corporate ownership. If we are involved in a merger, acquisition, bankruptcy, reorganization, partnership, asset sale or other transaction, we may disclose your Personal Information as part of that transaction.”
What This Means for You:
If Otter.ai undergoes a business change, your data could be transferred to a new entity that may have different privacy policies or less stringent data protection measures. This increases the risk of your sensitive information being handled in ways that do not meet your company’s standards or legal obligations.
11. Data Security Measures
Under Section 10: Data Security, Otter.ai states:
“Otter.ai maintains and implements physical, administrative, and technical safeguards to protect the confidentiality, integrity, and availability of personal information.”
However, they also acknowledge:
“The transfer of Personal Information through the internet will carry its own inherent risks and we do not guarantee the security of your data transmitted through the internet.”
What This Means for You:
While Otter.ai mentions that they have security measures in place, the lack of detailed information about these safeguards makes it difficult to assess whether they are sufficient for your company’s needs, especially when dealing with highly sensitive data. The admission that they cannot guarantee security during data transmission is a significant concern.
12. Employee Access
Privacy Policy Insight:
In Section 2: How We Use Your Personal Information, Otter.ai mentions:
“We obtain explicit permission… for manual review of specific audio recordings to further refine our model training data.”
This implies that employees or contractors may access your audio recordings during manual reviews.
What This Means for You:
There is a risk that individuals within Otter.ai could access and potentially misuse your sensitive information. Without clear information about internal access controls and oversight, it’s challenging to be confident that your data will remain confidential and only accessed by authorized personnel for legitimate purposes.
Conclusion
For companies handling highly sensitive calls and working with individuals requiring strict confidentiality, using Otter.ai for call recording presents several privacy concerns. These range from data usage for AI training and third-party sharing to compliance with international regulations and control over data.
Recommendations:
• Conduct a Comprehensive Risk Assessment: Evaluate how Otter.ai’s data handling practices align with your company’s privacy policies and regulatory obligations.
• Seek Customized Agreements: If considering Otter.ai, negotiate an enterprise agreement that gives you greater control over data processing and ensures compliance with privacy laws.
• Explore Alternative Solutions: Consider using on-premises or self-hosted transcription services that offer greater control and security.
• Enhance Security Measures: If you proceed with Otter.ai, implement additional encryption and security protocols where possible.
• Consult Legal Experts: Engage with legal counsel specializing in data privacy to navigate potential liabilities and ensure compliance with all relevant regulations.
Disclaimer: This blog post is for informational purposes only and does not constitute legal advice. Companies should consult with qualified legal professionals to address specific concerns related to privacy and data protection.