Consent in the Age of AI — and Why Your Company's Data Is Part of the Story

The debate about artificial intelligence has shifted. For a while the question was "what can AI create?" Increasingly it is "whose name, face, voice and work was used to create it — and did they agree?" In June 2026, that question got a concrete answer for individuals: the Human Consent Registry, a free tool to tell AI systems how — or whether — they may use your identity.

For organizations, the story does not end with celebrities and creatives. If your business uses AI, you are on the other side of the same question: are you using data you actually have the right to use, and are the AI systems handling it secure?

What is the Human Consent Registry?

The registry was launched by the nonprofit RSL Media, co-founded by actor and producer Cate Blanchett, and unveiled at the European Parliament in Brussels alongside MEP Eva Maydell. It gives people a simple, free way to declare how AI may use their identity — their name, image, likeness, voice and movement.

Blanchett framed the launch bluntly: "AI technologies are expanding rampantly, essentially unchecked and unregulated… for humans to remain in front of these technologies, consent must be the first consideration." RSL Media has backing from a range of public figures and says it will expand into other rights areas — Work, Characters and Marks — after this first "Identity" launch.

How it works

Think of it as a traffic light for your identity. For each use, you can:

  • Allow AI systems to use your identity;
  • Allow with terms — permit use under conditions you set;
  • Prohibit use entirely.

The intent is that these choices are expressed in a machine-readable way (built on the RSL, "Really Simple Licensing", approach) so AI systems and data crawlers can read and respect them — conceptually similar to how a robots.txt signals crawler rules, but for consent over identity.

The AI risks it responds to

The registry exists because the misuse of personal likeness is no longer hypothetical:

  • Scraping of photos, video and audio to train models without permission.
  • Deepfakes and voice cloning used for fraud, impersonation and reputational harm.
  • Identity in, no consent out — your data feeding systems you never agreed to.

It is worth being honest about the limits, too. At launch there is no real enforcement mechanism compelling AI companies to obey these signals, and you are entrusting personal data to a third party. It is a meaningful step and a strong signal — not a guarantee.

Why this matters for organizations, not just individuals

Here is the part most businesses miss: the consent question runs in both directions. Companies are now feeding enormous amounts of data into AI — copilots, chatbots, retrieval-augmented generation (RAG) systems, internal LLM tools. That creates two distinct obligations:

  • Use only what you have the right to use. Training or prompting a model with scraped, personal, or improperly licensed data is exactly the harm the registry pushes back against — and under the GDPR and the EU AI Act, it is a compliance and reputational risk for the organization, not just an ethics question.
  • Secure the data once it is in the AI system. Even with the right to use data, an insecure AI deployment can leak it. Prompt injection, insecure tool/agent actions, over-broad retrieval and weak access controls can turn a helpful assistant into a data-exfiltration channel.

In other words: consent decides whether you should use the data; security decides whether that data stays safe once you do.

Make sure the data your AI uses is secure

This is where we help. Our LLM / AI penetration testing validates the AI systems your business relies on against real attacker techniques — prompt injection, data exfiltration, model and tool abuse — benchmarked against the OWASP LLM Top 10 and mapped to EU AI Act, NIS 2 and DORA evidence requirements. The goal is simple: whatever data your organization feeds into AI, prove that it cannot be leaked, abused or turned against you.

Consent and security are two halves of responsible AI. The Human Consent Registry is a welcome push on the first. If your organization is deploying AI, make sure you are just as deliberate about the second.

Protect your own identity at registry.rslmedia.org — and if your business runs on AI, let's test it.


This article is general information, not legal advice.
