Chatbots: how to be GDPR compliant

GDPR chatbot compliant

The General Data Protection Regulator came into effect on the 25th May 2018. Any company domiciled in the European Union or processing personal data relating to EU nationals must comply with this regulation. Chatbots must therefore be compliant too.

But, in practical terms, what procedures should be implemented to ensure you’re your conversational robot complies with the GDPR?

Case n°1: The collected data does not allow to identify the user

If the chatbot does not collect personal data from the user, the aim is to dissuade the end-user from delivering any personal information during the dialogue that would allow their identification, by informing them of this before the dialogue begins.

Example with the OUI sncf chatbot :

oui sncf chatbot GDPR

Case n°2: The collected data allows to identify the user

This is the most frequent scenario, because to provide precise and personalised answers, the chatbot generally needs to access the user’s personal data. This is achieved via an automated process (webservice, SAML…) or non-automated (questions about the user’s identity during the dialogue).

Any information that makes the end user directly or indirectly identifiable falls under the category of so-called “data of a personal nature”, such as first and last name, address (for the delivery of a product for example) and e-mail address, as well as geolocation (for an itinerary), social security number (for health insurance), or even IP address (via cookies). Certain main principles of the GDPR must therefore be respected by chatbots:

  • the obtention of user consent
  • transparency about all processing operations performed
  • the implementation of tools for the respect of users’ rights
  • limit of data retention to that which is strictly necessary
  • data security

Information and obtaining consent

Putting in place a welcome message informing users conversing with a chatbot for the first time of the collection and processing of their data is absolutely essential. This message should include information about why and how data is collected, the recipients of this data (chatbot publisher and third-party host if applicable), the retention period, as well as a reminder of the person’s rights. The message should be simple and easy to understand by all. It is recommended to add a link to your data protection policy (that can provide further details about data processing).

A Call To Action should feature below this message: “I accept” or “I understand”. Consent is given when the user clicks on this CTA. A variable should be associated in order to record the time and date of consent and keep a log of consent.

This is not mandatory, but we recommend creating one or several knowledge articles about the GDPR and data retention for your chatbot. This is an additional way to inform end-users of their rights.

Data processing and purposes

Personal data of end-users may be collected, recorded and stored by chatbot publishers for the companies that own the bot. They are collected primarily to meet two objectives:

  • Personalise dialogues

Name, dialogue history, geolocation… Chatbots seek any information that will help contextualise the request, interpret it more precisely and provide a personalised answer.

  • Improve the understanding of user requests

Machine learning enables chatbots to memorise dialogue situations to improve the matching between user questions and the knowledge base’s existing answers. The more analysed data, the more efficient the bot becomes. Under no circumstances should data be used for commercial purposes without informing users beforehand and obtaining their consent.

Hosting and security

The Datacentres used for hosting Cloud solutions should be located within the European Union, or a country deemed adequate by the European Union (see CNIL map). For “On Premise” solutions, a service security audit should be carried out (encrypted data, complex password, access permissions, intrusion tests, etc.)

Security should be reinforced for anything relating to minors and sensitive data such as health records or political opinions. Such cases entail additional obligations, particularly in terms of hosting (data stored with a host approved for this purpose).

Data anonymisation retention period

In order to comply with the GDPR, a retention period of a user’s dialogue history must be defined. At the end of that period, a purge or anonymisation of these dialogues should be carried out (we recommend a 15 to 30 day period at the most). A disclaimer should be put in place to inform users of the dialogue retention period.

Respecting user rights

Chatbot users, whether company customers or employees, should be able to access their data (right to portability) and to ask for this data to be removed (right to be forgotten). CTAs should be included in the chatbox for this purpose. When a user asks for access, they should receive an email with their dialogue history. When they exercise their right to be forgotten, all their dialogues with the bot should be deleted, followed by a confirmation email from the company informing the user.

Cookie management

The chatbox generates cookies in order to personalise the service (session cookies, login history). These cookies can be blocked by the end user at any moment, or by the company implementing the chatbot on their website, without hindering the instantaneous use of the bot. In order to comply with the regulation, it is recommended to manage chatbot cookies via a tag manager, in order to inform and obtain consent from users prior to integrating cookies. This is also true of any ancillary services generating cookies (for example, social media, videos, analytics, etc.).

Final advice: your data protection policy

In the ongoing interest of transparency, it is advisable to include references to your chatbot service in your data protection policy (or confidentiality policy) on your website, web application or intranet. This will provide additional and more detailed information to that included in the welcome message.

The GDPR entails a certain number of technical and legal constraints, but it is also the best way to gain your users’ trust, and to therefore encourage as many as possible to adopt your chatbot.

communication officer
Lucie Choulet
Communications officer