The Hamburg Data Protection Authority (DPA) laid out guidelines for Google regarding its voice assistant that may reveal what DPAs may be expecting for compliance with GDPR (and some parts may be applicable for CCPA too) :
Specifically they require:
- consent as the legal basis for the recording
- consent as the legal basis for review of the recordings by human beings (both employees and contractors, which seems strict)
- specify in the privacy notice about the recording, retention of snippets for improvement of the algorithm and human review
- specify in the privacy notice the possibility and risk of accidental recording activation and the accidental recording of third parties (e.g. guests)
- use technologies such as voice recognition to avoid the recording of third parties