Benchmark data from 14 platforms reveals critical privacy gaps. 86% fail automated decision review under GDPR and CCPA frameworks.
By Diego Monteiro | CEO of TrustThis.org | Open platform for privacy scoring and AI governance
Most enterprises assume their software vendors handle privacy compliance. Independent audit data tells a different story, and the gap between assumption and reality is wider than most compliance teams realize.
TrustThis.org evaluated 14 major digital platforms using the AITS (AI Trust Score) methodology, analyzing 20 criteria across privacy governance and AI ethics. The results reveal a compliance spectrum that should concern every CISO, compliance officer, and procurement team responsible for vendor due diligence under CCPA and GDPR.
THE SCORING GAP NOBODY TALKS ABOUT
When organizations evaluate software vendors, they typically review privacy policies, check for certifications, and accept marketing claims at face value. The AITS methodology takes a fundamentally different approach: scoring platforms across 20 specific criteria covering both baseline privacy practices and AI governance commitments.
The results are striking. Anthropic Claude achieved a perfect A+ on the AITS AI Trust Score, demonstrating comprehensive documentation across all evaluated criteria. Microsoft Copilot earned a strong A, with approval on 19 of 20 criteria and perfect compliance on all 12 baseline privacy criteria. The platform benefits from Microsoft’s established contractual frameworks, including Data Processing Addendums and documented opt out procedures for AI training data.
But the picture changes dramatically as you move down the rankings. OpenAI ChatGPT scored B+, with stronger performance in AI governance but notable gaps in ethical AI documentation within its consumer facing privacy policy. Google Gemini received a B, lacking specific opt out mechanisms for AI model training entirely. Users have access to generic controls for cookies and advertising preferences, but these do not address the core question of whether their inputs contribute to model development.
At the bottom of the benchmark sits WhatsApp Business with a D+ grade, the worst classification among all 14 platforms analyzed. This is the tool that millions of enterprises use daily for customer communication, yet it operates with only 3 of 8 AI governance criteria approved.
WHERE VENDORS FAIL AND WHY IT MATTERS
The most alarming finding cuts across nearly every platform evaluated: 86% fail to offer human review of automated decisions. Under GDPR Article 22, data subjects have the right not to be subject to decisions based solely on automated processing that significantly affect them. CCPA is moving in the same direction, with emerging interpretations expanding consumer rights regarding automated profiling and algorithmic decision making.
This is not an abstract regulatory concern. When an AI system within a collaboration suite automatically transcribes a meeting and generates action items, when AI driven spam filters block critical communications, or when automated content moderation removes legitimate business content, users currently lack documented pathways to challenge these decisions on the vast majority of platforms.
Google Workspace earned a C+ overall, with its AI governance component scoring particularly low. The platform mentions not using sensitive categories for personalized advertising, but our analysis found no explicit reference to ethical AI principles, responsible AI commitments, or algorithmic bias mitigation in the evaluated privacy documentation. Microsoft 365 achieved an A on baseline privacy criteria, yet faces identical criticism regarding AI decision contestation: the platform provides support channels for general privacy concerns but does not specify a human review process for automated AI decisions.
The gap exists even among the highest scoring platforms. Microsoft Copilot’s only identified deficiency relates precisely to this contestation mechanism. While Microsoft provides contact channels for privacy concerns, the policy does not explicitly document a process for human review of AI automated decisions.
OPT OUT: THE DIVIDING LINE
Four platforms in the benchmark failed the opt out criterion entirely: TikTok, YouTube, LinkedIn, and WhatsApp Business. This means these platforms do not provide users with a clear mechanism to refuse having their data used for AI model training.
For organizations subject to CCPA, this creates direct compliance exposure. The right to opt out of the sale or sharing of personal information is a cornerstone of CCPA, and recent regulatory interpretations increasingly include data sharing for AI training purposes within this definition. An enterprise integrating a platform without AI opt out capabilities may find itself unable to fulfill consumer opt out requests passed through its own systems.
The contrast with compliant platforms is instructive. Microsoft Copilot explicitly states its AI training data policy and provides documented opt out procedures. Anthropic Claude maintains transparent data usage practices with clear user controls. These platforms demonstrate that comprehensive opt out mechanisms are technically achievable, making the absence of such mechanisms elsewhere a deliberate choice rather than a technical limitation.
DATA RETENTION: ANOTHER HIDDEN RISK
Three of 14 platforms evaluated, including TikTok, WhatsApp Business, and LinkedIn, do not declare AI data retention policies at all. Without knowing how long AI systems retain and process user data, compliance teams cannot accurately assess risk exposure or fulfill data subject deletion requests within the timeframes required by GDPR and CCPA regulators.
Microsoft Teams earned an A on data retention transparency, with policies explicitly allowing users to manage and delete prompt history and activity data through the Microsoft Privacy Dashboard. Google Meet received a C+, reflecting significantly less granular controls over AI processed content.
WHAT COMPLIANCE TEAMS SHOULD DO NOW
The data points to three immediate actions. First, audit every AI integrated tool in your technology stack against standardized criteria. Vendor self certification is insufficient; independent evaluation using consistent methodology reveals gaps that polished marketing materials consistently obscure.
Second, verify that opt out mechanisms exist and function for AI training data specifically, not just for cookies or advertising. If a vendor cannot demonstrate a clear opt out pathway, your organization faces real compliance risk under both CCPA and GDPR frameworks.
Third, require contractual language addressing AI decision contestation. Since most platforms lack documented processes for human review of automated decisions, enterprises must negotiate these protections directly into their vendor agreements rather than assume they exist.
Organizations that wait for regulatory enforcement to drive vendor accountability may find themselves explaining to boards and regulators why measurable warning signs went unaddressed. The benchmark data exists today. The question is whether your vendor assessment process is using it.
Diego Monteiro is CEO of TrustThis.org, an open platform for privacy scoring and AI governance of software applications. TrustThis.org provides independent evaluation using the AITS methodology to help enterprises evaluate vendor AI Privacy and Security.
Sources:
TrustThis.org: Privacy Essentials Benchmark Report (February 2026)
TrustThis.org: Platform Privacy Analyses (February 2026)
