June 07, 2025

apidays Helsinki & North 2025 - AI in Privacy tech and Consent Management, Unnikrishnan Sreedhara Kurup (Gravito)

AI in Privacy tech and Consent Management
Unnikrishnan Sreedhara Kurup, Co-Founder and Lead Developer at Gravito

apidays Helsinki & North 2025 - APIs for Innovation, Intelligence, and Impact
June 3 & 4, 2025


Transcript

  1. AI in Privacy tech and Consent Management

    Unnikrishnan Sreedhara Kurup (Unni), Co-Founder & Lead Developer, Gravito Ltd.
  2. AI vs Privacy & Consent

    AI adoption is surging! ChatGPT reached 100 M users in 2 months vs. Netflix's 10 years. AI agents working for us are a reality now! Yet every click on that button is/must still be a human decision.
  3. AI vs Privacy & Consent

    ➢ Emerging trends
    ➢ Upcoming EU AI Act
    ➢ Best practices
    ➢ Real-world use cases
    ➢ Q&A
  4. Emerging Trends

    Autonomous AI agents are going mainstream. Agents string actions together to achieve a result:
    1. CRUD on APIs
    2. Purchase actions
    3. Send e-mails
    4. Many more
    Without a fresh prompt, every new action risks "function/purpose-creep" unless the user is re-consulted and a human can override.
  5. Emerging Trends

    Remember GDPR assessments and audits? Be prepared for the Fundamental Rights Impact Assessment (FRIA).
    AI Act impacts:
    • AI Providers: those developing or commissioning AI systems.
    • AI Deployers: users of AI systems, excluding personal use.
    • Importers and Distributors: entities bringing AI systems into the EU market.
    • AI Product Manufacturers: producers of AI-enabled products.
    • Authorised Representatives: representatives of non-EU AI providers within the EU.
  6. Upcoming EU AI Act

    "High-risk deployers must run a Fundamental Rights Impact Assessment (FRIA) on top of any GDPR assessment"
    Source: https://www.isaca.org/
  7. Practical best practices

    • Meaningful human oversight and progressive consent gathering and gating should be built into any autonomous agent
    • Finnish Ombudsman says rubber-stamping will not suffice for decisions that "significantly affect rights"
    • Gather consent regularly and have human oversight
    • Always use a hashed user identifier + consent token
    • Hashing a user identifier plus a consent token turns every data point into a self-explanatory, regulator-ready data artefact which is "human-controlled yet AI-assisted"
    • E.g. IAB's TCF v2 has the TC String that travels with every ad bid, paired with a pseudonymous cookie
  8. Use cases

    • Simple
      • AI-driven site scanning for cookies and tags, for auto-classification of cookies and tags on the consent banner
      • Plain-language privacy-notice generator and translator based on the user's region, without expensive translation fees
      • Privacy enforcement with AI-automated data retention and deletion
    • Advanced
      • Automated DPIA / FRIA risk engine
      • Privacy Center with «Privacy Assistants»
  9. Q&A

    • Do you already use AI as part of your business?
    • Beyond the cookie banner, have you mapped where these AI systems in your organisation actually touch personal data?
    • Do you offer users a self-service privacy centre where they can review and change their consents, or is the banner your only interface?
    • How are data-subject requests handled today in your organization?
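
The "hashed user identifier + consent token" practice from slide 7, applied to the agent purpose-creep problem from slide 4, as an added example that is not from the slides or from Gravito's code. The keyed (HMAC) hashing, the JSON-plus-tag token layout, the demo keys, the 180-day re-consent interval and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumptions (not from the slides): keyed hashing with demo keys, a JSON+HMAC
# token layout, and a 180-day re-consent interval.
PSEUDONYM_KEY = b"constructed-demo-pseudonym-key"
TOKEN_KEY = b"constructed-demo-token-key"
CONSENT_TTL = 180 * 24 * 3600  # seconds


def _mac(key, text):
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


def pseudonymize(user_id):
    """Keyed hash, so the raw identifier never travels with the data point."""
    return _mac(PSEUDONYM_KEY, user_id)


def issue_consent_token(user_id, purposes, granted_at):
    """Bind the consented purposes and grant time to the pseudonym."""
    body = json.dumps({"sub": pseudonymize(user_id), "purposes": sorted(purposes),
                       "granted_at": granted_at}, sort_keys=True)
    return body + "." + _mac(TOKEN_KEY, body)


def verify_token(token):
    """Return the claims if the tag is valid, otherwise None."""
    body, _, tag = token.rpartition(".")
    if not hmac.compare_digest(tag.encode(), _mac(TOKEN_KEY, body).encode()):
        return None
    return json.loads(body)


def gate_action(user_id, token, purpose, now):
    """Decide whether an agent may act, or must go back to the human."""
    claims = verify_token(token)
    if claims is None or claims["sub"] != pseudonymize(user_id):
        return "deny"          # forged token or token of another user
    if now - claims["granted_at"] > CONSENT_TTL:
        return "ask_human"     # consent is stale: gather it again
    if purpose not in claims["purposes"]:
        return "ask_human"     # purpose creep: re-consult before acting
    return "allow"


def tag_record(user_id, token, payload):
    """Data point that carries its own pseudonym and consent evidence."""
    return {"subject": pseudonymize(user_id), "consent": token, "data": payload}
```

A plain unkeyed hash of an e-mail address or phone number can be reversed by guessing likely inputs, which is why this sketch uses a keyed hash held server-side.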