July 2, 2026 - Most vendor privacy terms were built for traditional software, a predictable tool guided by human hands. An AI agent is different. Given a goal, it independently moves through internal systems, reads emails, files claims, and processes personal information without human sign-off. That autonomous behavior turns the agent into a regulated processing activity under the GDPR and the comprehensive U.S. state privacy laws now in force across more than 20 states.
What an AI agent actually does
Once activated, an agent maps its own path. It probes databases and document vaults, drafts and dispatches emails, opens and closes tickets, calls third-party APIs, moves money, and weaves these actions together. In real terms, an agent sorting a service queue sifts through account records and emails. A coding agent combs through source code and credentials. A sales agent digs into the CRM, an HR agent dissects resumes and personnel files, a healthcare agent handles charts, appointments, and claims, and a finance agent balances transactions and statements. All of this personal information flows autonomously, relentlessly, and at machine speed.
Why businesses are racing to deploy them
Agents sweep away the manual middle from almost every workflow: tier-one support, IT help desks, onboarding, document review, prior authorizations, claims processing, and back-office data entry. The draw is clear - tasks that formerly demanded human hours now run tirelessly, day and night, a trend covered in courses on AI Agents & Automation.
Equally important for privacy, agents are now the product itself. SaaS vendors graft copilots and autonomous agents onto their platforms; startups sell agent-as-a-service that taps customer emails, calendars, and records; established firms craft proprietary agents atop third-party models. Two money-making moves heighten the risk: vendors charge by usage or seat while quietly feeding customer data into their models, and agents become most valuable when they have wide, ongoing access. The business model and the privacy risk are two sides of the same coin.
The core problem: An agent is a processing activity, not a tool
An agent does not simply risk data leakage. It independently performs the regulated act of processing personal information, continuously, autonomously, and at scale. The analysis underscores: "It must be treated as a processing activity to be mapped, disclosed, and constrained, not as a neutral tool that happens to touch data." That single distinction engages purpose limitation, data minimization, storage limitation, and accountability - principles an autonomous agent is structurally prone to break.
Privacy risk domains
Purpose limitation and secondary use. Personal information may be used only for purposes disclosed at collection. A business cannot retroactively expand that scope by handing data to an agent that puts it to a new use. Two behaviors recur: vendor model training on the client's prompts, records, and transcripts - a secondary purpose that exceeds any service-provider authorization - and persistent memory that reuses personal data across tasks, sessions, or users, extending retention and undermining deletion.
Automated decision-making and profiling. An agent that screens, scores, prices, ranks, approves, or denies is engaged in automated decision-making that privacy law regulates directly. GDPR Article 22 gives individuals the right not to be subject to solely automated decisions with legal or similarly significant effects, plus meaningful information about the logic and a route to human review. U.S. states are converging through profiling opt-outs and the California Privacy Protection Agency's ADMT rules, which add pre-use notice, opt-out, access, and risk-assessment duties.
Sensitive and biometric data. Health, precise geolocation, race, sexual orientation, children's data, and biometric identifiers carry heightened consent and handling rules under GDPR Article 9 and state statutes. Agents routinely encounter these categories buried in documents, images, voice, and free text. Illinois's BIPA requires informed written consent before collecting biometric identifiers and provides a private right of action with statutory damages that have driven nine-figure exposure, so an agent processing voiceprints or facial geometry can create liability with no breach at all.
The processing chain and unauthorized recipients. Privacy law allocates responsibility by contract along a controller-processor chain. An agent vendor is almost always a processor. A vendor that uses data outside the contract - including to train its models - breaks the chain. Under the CCPA, it becomes a third party to whom data has been sold or shared, triggering opt-out rights the business never offered. Under the GDPR, it becomes an independent controller with direct liability. Multi-model agents compound this by routing data to model providers and tool vendors the client never vetted.
Personal rights and security. If memory, caches, embeddings, logs, or a vendor's fine-tuned model retain personal data, the business may be unable to honor deletion, correction, or access requests. Prompt injection, in which instructions hidden in content the agent reads are obeyed as if they were commands, can convert a trusted agent into an exfiltration channel with no perimeter breach. That makes output filtering and data-loss prevention privacy controls, not just security controls.
Sectoral overlays: HIPAA, GLBA, and others
HIPAA. If an agent or its vendor creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate, the vendor is a business associate, and a compliant business associate agreement is mandatory before any PHI flows. The minimum-necessary standard cuts hard against agents built for broad access, and a vendor that trains on PHI or stores it in memory is making a use that the agreement almost certainly never authorized.
GLBA. Financial institutions must protect nonpublic personal information under the Safeguards Rule, which now requires documented oversight of service providers, access controls, and encryption. An agent with standing access to account data is exactly the service provider the Rule targets, and the institution remains answerable for its conduct.
Other laws bite just as hard. The Fair Credit Reporting Act governs agents used in eligibility, hiring, or background contexts and requires adverse-action notice. COPPA applies wherever children's data appears. FERPA covers education records. And a wave of state wiretapping suits over session-replay and chatbot eavesdropping maps directly onto agents that collect and route user exchanges in real time.
What the vendor contract must do
A legacy software data-processing agreement will miss most of this. Tune each term to the data:
- Bind the vendor to the contracted purposes and prohibit profiling and model training on personal information.
- Govern agent memory and require deletion of personal data and derived artifacts - embeddings, caches, fine-tuned weights - on request and at termination.
- Include the CCPA- and GDPR-required service-provider and processor terms and flow them to every sub-processor.
- Require least-privilege, task-scoped access with data-loss prevention on outbound actions.
- Support individual-rights and automated-decision obligations across every location the agent holds data.
- Require detection and lawful handling of sensitive and biometric data.
- Add data transfer mechanisms wherever data leaves its origin jurisdiction, plus the HIPAA business associate agreement or GLBA safeguards terms the sector demands.
Governance needs to be in place first
Contracts allocate risk; governance prevents the deployment that creates it. Before an agent processes personal data:
- Treat it as a processing activity and complete the required data-protection and ADMT risk assessments.
- Update notices and confirm a lawful basis, including for sensitive and biometric data.
- Maintain an approved-tool list tiered to data sensitivity so regulated data never reaches unvetted consumer tools.
- Wire access, deletion, correction, and opt-outs into the agent's memory, logs, and derivatives.
- Enforce least privilege, full logging, an agent inventory, and a kill switch.
- Keep a human decision-maker in the loop for any legally consequential action.
Why this matters for legal professionals
An AI agent is a continuous, autonomous processing activity, and increasingly both the tool a business runs on and the product a vendor sells. That single fact triggers the full weight of general privacy law - and every sectoral overlay from HIPAA to GLBA. Legal teams must adapt quickly; targeted AI for Legal training can help build the necessary fluency. The immediate tasks are concrete: replace the legacy software data-processing agreement with an agent-specific contract, stand up governance, complete risk assessments, and ensure rights workflows actually reach the agent before it is deployed.