Google reverses benefits policy that required sharing data with third-party AI tool
Google has clarified that employees can enroll in health benefits without sharing personal data with Nayya, a third-party AI tool. The HR site language that implied participation was required has been corrected, and opting out will not affect eligibility.
For HR leaders, this is a clear reminder: wording, consent, and vendor data flows are not "fine print." They are the product.
What changed
- Original guidance suggested employees had to let Nayya access their information or risk losing benefits for the next year.
- Updated guidance makes the Nayya tool optional and states that opting out has no impact on enrollment.
- Employees who opt in may share data such as pay, gender, and Social Security numbers for personalised recommendations.
- Nayya is expected to protect health data under HIPAA; no data is shared for employees who do not opt in.
Why this matters for HR
- Consent must be clear, specific, and freely given, with no gating of core benefits behind tool usage.
- Language on your HR site and enrollment flows must match intent; ambiguity looks like coercion.
- Third-party AI tools increase data exposure: more systems, more subprocessors, more risk.
- Benefit deadlines amplify pressure; build privacy choices that stand up even under time constraints.
Immediate actions for your plan year
- Audit all benefits communications (site, emails, enrollment screens) for any language that could be read as "mandatory tool usage."
- Make consent explicit and separate from enrollment: clear opt-in with plain descriptions of data used and purpose.
- Apply data minimisation: challenge why SSNs or pay data are needed for recommendations and limit what's collected.
- Execute proper agreements: BAA for HIPAA-covered data, data protection addendum, and security schedule.
- Review vendor security: encryption at rest/in transit, access controls, audit logs, breach notification timelines, and deletion SLAs.
- Define retention and deletion on opt-out, termination, and vendor offboarding.
- Publish an employee FAQ that answers "what data, why, who can see it, how long, how to opt out."
Questions to ask AI benefits vendors
- Are you a HIPAA business associate? Do you sign a BAA without exceptions?
- Do you use my employees' data to train models for other clients? Can we opt out of that use?
- What specific fields are required (e.g., SSN) and why? Can we mask or tokenise?
- Where is data stored and processed? List all subprocessors and locations.
- Provide logs for data access and recommendation decisions. Can employees view or correct their data?
- What are your breach notification timelines and incident response procedures?
- What deletion guarantees apply on opt-out, end of plan year, and contract termination?
Policy patterns to avoid
- Gating enrollment behind tool access or data sharing.
- Default opt-ins or passive consent via silence.
- Ambiguous phrases like "can't entirely opt out of third-party data sharing."
- Linking incentives or penalties to sharing sensitive data.
Sample language you can adapt
"[Company] offers an optional benefits guidance tool to help you compare plans. The tool is not required for enrollment. If you choose to use it, it will request certain information (e.g., demographics, compensation) to generate recommendations. You may opt out at any time, and opting out has no impact on your eligibility or coverage."
"If you opt in, your data will be processed by [Vendor] under a Business Associate Agreement and our data protection addendum. We do not allow [Vendor] to use your data for advertising or to train models for other clients. See our privacy notice for details, including how to request deletion."
Compliance notes
Ensure alignment with HIPAA where applicable and with your own privacy commitments. If you operate in multiple jurisdictions, validate consent and transparency standards against local laws before enrollment opens.
Bottom line
Optional means optional. Put plain language, clear consent, and minimal data collection at the center of your benefits experience, and your employees (and legal team) will thank you.