Do I really have a right to an explanation of an AI decision?

In many places, yes — within limits. Under GDPR Article 22, decisions made solely by automated means with legal or similarly significant effects give you the right to meaningful information about the logic, to contest the decision, and to obtain human review. The depth of explanation owed is debated, but the right to human intervention is clear.

Does this apply to a chatbot or a recommendation feed?

Your data-access and deletion rights apply broadly to any processing of your personal data. The stronger contest-and-human-review rights apply specifically to significant automated decisions, so a low-stakes recommendation feed triggers fewer of them than HR screening or a credit decision.

What if I'm in the US?

There is no single federal equivalent, but state laws like the CCPA/CPRA give access, deletion, and opt-out-of-sale rights, and several states add rights around profiling and automated decisions. Your specific rights depend heavily on your state.

Is this legal advice?

No. It is a plain-language summary of commonly applicable rights to help you understand and exercise them. For a specific dispute or formal complaint, consult a qualified lawyer or your national data protection authority.

How do I actually use these rights?

Usually by sending a written request to the organisation's data protection contact or privacy team citing the relevant right. They must respond within a legally set period (one month under GDPR). If they refuse or ignore you, you can complain to your data protection authority.

AI & Your Data Rights Explainer

AI & your data rights explainer

When an AI screens your job application, recommends your feed, powers a chatbot you talk to, or assists a medical decision, the law often gives you specific rights — to see your data, to understand the logic, to contest a decision, and to get a human involved. But those rights are buried in dense statutes. This explainer translates them into plain language for your country and the kind of AI you’re dealing with, and names the legal basis so you can cite it.

How it works

You pick your country and the AI context. The tool maps your country to the governing regime — EU GDPR plus the AI Act, UK GDPR, US state laws like CCPA/CPRA, or a general baseline — then selects the rights that apply to that context. Significant automated decisions such as HR screening or medical and credit decisions unlock the strongest rights: meaningful information about the logic, the right to contest, and the right to human review under GDPR Article 22. Lower-stakes contexts like a recommendation feed still carry your access, correction, deletion, and opt-out rights. Each right is explained in everyday terms with the legal basis named so you know exactly what to invoke.

Why these rights exist

Automated systems can make consequential decisions at scale and with opaque logic. Data-protection law responds by giving individuals levers: transparency about what data is held and how it is used, the ability to correct or delete it, and — crucially for AI — the ability to demand a human look at a decision that a machine made about you. The EU AI Act adds duties on the organisations deploying high-risk AI, which in turn strengthens what you can ask for. The intent across regimes is the same: keep a human accountable for decisions that materially affect people.

How to exercise them

In practice you send a written request to the organisation’s privacy contact or data protection officer, naming the right you are invoking (for example, “I am exercising my right under GDPR Article 15 to access my personal data” or “Article 22 to obtain human review of this automated decision”). They must respond within a set period — one month under GDPR. If they refuse or ignore you, you can escalate to your national data protection authority, which can investigate and enforce. Keep copies of everything you send and receive.

Tips and notes

Stakes drive strength. The bigger the effect of the decision on you, the more rights you have — significant automated decisions get the strongest protection.
Name the right. Citing the specific article or law makes a request far harder to brush off.
Mind the clock. Organisations have a deadline to respond; note the date you sent your request.
This is a summary, not advice. For a formal dispute, your data protection authority or a lawyer is the right next step.