
How To Make Your Chatbot GDPR Compliant

Is your chatbot protecting user data according to Europe’s largest regulations? In this post, we will explain how privacy works and how to make your chatbot GDPR compliant step-by-step.

Daryna Lishchynska
Oct. 8, 2018. Updated May. 4, 2022

What Is GDPR?

The General Data Protection Regulation (GDPR) is a set of rules that gives citizens of the European Union legislative control over sharing, editing, and removing their personal data online. The regulation aims to apply transparency in company/user relations for data collection and storage.

In simple words, GDPR helps to protect privacy online. Companies are obliged to inform users how and when their data is collected, protect it from possible breaches, and report any breach that occurs. Users can demand to edit or remove personal information from databases at any time.

These rules are strict and are often considered the largest privacy policy update in Europe ever.


What Types Of Data Are Protected By GDPR?

For company websites, it’s about user information collected with forms, payment systems, and marketing software that follow users’ web activity. As per official resources, GDPR covers such information as:

  • Identity information (name and surname; date of birth; phone number; home address; email address; ID card number and Social Security number, etc.);
  • Web data (location, IP address, cookie data);
  • Health and genetic data, biometric data (data that identifies a person);
  • Racial and ethnic origin, religious beliefs, political opinions, and so on.

Note that GDPR is not limited to information storage only. It also implies transparency of data collection: users must understand why this information is requested, how it will be protected, and how to claim the right to be forgotten and remove it anytime.

What if a company fails to comply with GDPR?

As you might have heard, severe penalties apply, reaching up to 20 million euros for especially serious violations. In June 2021, Deliveroo Italy was fined 2,500,000 euros for “Non-compliance with general data processing principles”. The regulation is real and can’t be ignored, so chatbot GDPR compliance is a must.

Why Do Chatbots Fall Under GDPR?

Chatbots are often used for lead generation and collect information like names, emails, phone numbers, etc. Rule-based chatbots are a great example of such: they ask simple questions and accept inputs just like a regular website form. GDPR requires companies to explain how this data will be used.

Another point is user behavior data. With NLP or Machine Learning, a chatbot can process the input to understand the context and provide the best reply. Per GDPR, people have the right to object to the use of their personal data for automated decision-making. Also, if a chatbot analyses web activity like page visits, it is subject to prior consent as well.


A GDPR Requirements Checklist For Chatbots

1. Update the Privacy Policy

One of the main requirements of the GDPR is that you have a clear Privacy Policy. It should be easy to access at any time.

Your GDPR-compliant page will need to include the legal basis around 8 User Rights: The Right to Information, The Right of Access, The Right to Rectification, The Right to Erasure, The Right to Restriction of Processing, The Right to Data Portability, The Right to Object, The Right to Avoid Automated Decision-Making.

The Privacy Policy must provide a full description of:

  • What information is being collected? Description of types and all possible ways.
  • How long will it be stored and used? What happens after this period?
  • How is it processed? Are there any third parties involved in a data exchange?
  • Your legal basis for collecting personal data: why is it required? What is the minimum information needed?

Users must have the ability to:

  • Confirm the processing of personal data;
  • Get a copy of any personal data that is stored;
  • Review privacy policy information at any time, with free access;
  • Ask to change their data if they believe it is not accurate;
  • Request to erase data per the “right to be forgotten”;
  • Withdraw consent to data processing partially or completely;
  • Object to data processing, like direct marketing (unsubscribe).

The Privacy Policy must describe the basic rules of how to claim these rights at any moment. For chatbot GDPR compliance, additional actions are needed to make these regulations work.

Need help with chatbot privacy policy? Contact us or try our bot that will generate a template for you. 

2. Add privacy and access to the conversation data

The chatbot should provide users with a clear-cut, transparent, distinguishable, and easily accessible form to understand what data is collected, and how the bot and organization will use it. Users should be acquainted with privacy policies before their data is collected. To share this with users, companies can use a link in chatbots' conversational flow or have a summarized version as a part of introductory greetings and conversation.

You can indicate these points, as well as give users access to review consent, manage chat history, and download copies of their data in the chat menu. If the platform you are using supports persistent menus, those options should be offered there, or they can be added manually to your custom chatbot by a developer.

In addition, if your chatbot uses NLP for automated decision-making, it is also subject to prior consent. A chatbot cannot make decisions when it comes to legal queries or unlawful use of personal information that could affect users.

Also, the user should be able to delete their information whenever they ask. Adding this option to a chatbot’s persistent menu provides a great way to give your users the ability to erase their personal data.


3. Provide the chatbot logs

Usually, different web servers and messenger platforms that run chatbot services can store different types of logs, such as access, error, or security audit logs. Sometimes they might contain personal data such as IDs, IPs, and names. Companies are not allowed to store this kind of information if there is no legitimate reason to. Even if there is a legitimate need, organizations are not allowed to save them without the user's direct consent. These logs can be reviewed by a developer to ensure that you aren't storing any personal data.
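A developer's log review of this kind can be scripted. The sketch below is an added example, not code from the original article or from any chatbot platform: it flags log lines that contain emails, IPv4 addresses, or user IDs, and replaces them with keyed pseudonyms before storage. The key=value log layout, the `user_id` field name, and the sample lines are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Kinds of personal data to look for. The key=value layout and the "user_id"
# field name are assumptions about the log format, not taken from any platform.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "user_id": re.compile(r"(?<=user_id=)[\w-]+"),
}

def pseudonym(value, key):
    """Keyed hash: one user maps to one token, the raw value is not stored."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]

def audit(lines):
    """Return {line_number: [kinds found]} for lines holding personal data."""
    findings = {}
    for number, line in enumerate(lines, 1):
        kinds = [kind for kind, rx in PATTERNS.items() if rx.search(line)]
        if kinds:
            findings[number] = kinds
    return findings

def redact(line, key):
    """Replace every match with a typed pseudonym before the line is stored."""
    for kind, rx in PATTERNS.items():
        line = rx.sub(
            lambda m, kind=kind: f"<{kind}:{pseudonym(m.group(), key)}>", line)
    return line

# Constructed sample lines (documentation IP ranges, example.com address).
SAMPLE_LOG = [
    '2022-05-04T10:15:02Z INFO user_id=fb-10482 ip=203.0.113.7 '
    'msg="my email is anna@example.com"',
    '2022-05-04T10:15:03Z INFO intent=lead_capture confidence=0.93',
    '2022-05-04T10:15:09Z ERROR webhook timeout ip=198.51.100.24',
]
DEMO_KEY = b"constructed-demo-key"  # in practice, load from a secret store

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
    for entry in SAMPLE_LOG:
        print(redact(entry, DEMO_KEY))
```

Free-text names are not caught by patterns like these and still need a manual look. Keyed pseudonyms remain personal data under GDPR for as long as the key exists, so the key needs the same protection as the raw values.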

4. Review the data that you’re collecting

You may also want to make sure your chatbot asks only for vital data. Remember, each request for information must have a legal basis from your company. Why are you asking for this information? A privacy policy must state that clearly.

5. Make sure the chatbot is secure

A chatbot service should demonstrate that it has appropriate technical and organizational measures to protect against a data breach. Also, it should have clear procedures to handle any information leak.

Data breaches that may pose a risk to individuals must be notified to the Data Protection Authority (DPA) within 72 hours and to affected individuals without undue delay following Article 55.

Chatbot security can be accomplished by using the following strategies:

  • user identity authentication
  • authentication timeouts
  • two-factor authentication
  • biometric authentication
  • end-to-end encryption
  • self-destructing messages.

These were some of the tips on how you can make your chatbot GDPR compliant. Note that GDPR is not the only regulation for data security.

More on Chatbot Security and Regulations

There are plenty of other legal systems protecting user privacy on a local or industry level.

The internet covers the whole world, so it's very likely that a user in any country may use your chatbot.

Local privacy requirements include:

1. California CalOPPA

The California Online Privacy Protection Act (CalOPPA) requires that if any personal information is collected and used from a user located in the state of California, a Privacy Policy must be present.

2. Canada PIPEDA

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal law that dictates how businesses in the private sector must handle the personal information of their users.

3. Australia's Privacy Act

Australia has its Privacy Principles that regulate how personal information is handled. The first principle clearly requires "the open and transparent management of personal information including having a privacy policy."

4. EU Privacy Directives

Apart from GDPR, more regulations include:
- In the EU, the Data Protection Directive and the ePrivacy Directive
- In the UK, the Data Protection Act (DPA)

Apart from local regulations, there might be additional industry-based laws. For example, if a chatbot is applied within healthcare and processes patient information, the HIPAA Privacy Rule applies. It sets security standards for protecting specific health information that is held or transferred online.

As patients entrust their data to healthcare organizations, it must be protected in a few ways to safeguard the data of practitioners and patients. These include:

  • annual self-audits and revision of security status;
  • actionable fixes in case any insecurities were uncovered;
  • described policies and processes of staff training regarding data security;
  • documents that evidence the efforts for providing data safety;
  • the procedure of data protection in case of breaches.

A HIPAA violation, which is any breach in an organization’s compliance program, may result in penalties.

Some chatbot platforms have their own privacy policies described in Developer Tools. The Microsoft Bot Framework terms and conditions require you to provide a privacy policy. Section 5 covers "Your Duty to Obtain Consent" and states that "you will provide End Users with access to your privacy policy through your Application."

The Facebook Messenger Bot platform has a full section titled "Give People Control". It requires companies to "provide a publicly available and easily accessible privacy policy" and "include your privacy policy URL in the App Dashboard".

Need help in preparing a privacy policy or making your chatbot GDPR Compliant? Contact us to get started.
