Chatbots vs GDPR

Author avatar
Henry Charatan

Is your Chatbot GDPR compliant? Probably not.

In this article we will explore why this is the case, and then how to change it.

What’s a Chatbot

In simple terms, a chatbot is software that automates and simulates conversation with humans, typically over a messaging app or an embedded function on a website.

What that means in plain English: if you use a messaging app like WhatsApp or Facebook Messenger to message your friends, you can also add ‘artificial’ contacts that you can chat with. These contacts aren’t human, they’re computers (or ‘bots’) and they let you have a chat with them about the company or product they represent.

One of the major technological trends that chatbots have rode over the last few years has been the growth of messaging apps. Every month, more than 3 billion people use messaging apps like WhatsApp, Facebook Messenger, WeChat and Viber. A staggering feat, and something that eclipses even the behemoth Facebook’s user base.

But the rising popularity in chatbots has converged with another digital phenomenon, the introduction of the General Data Protection Regulation (GDPR) in May 2018.

And with the introduction of GDPR, you’d be right to wonder how the chatbot industry has been affected especially when you consider the countless amount of private information that is traded over messaging.


What is GDPR?

GDPR is a legal framework that sets the guidelines for the collection and procession of personal information of individuals within the European Union (EU).

GDPR’s introduction crucially means that businesses need opt-in permission from consumers to use their data, as opposed to the opt-out system that it had been up until recently. Ultimately, ensuring that all personal data will be processed consensually and lawfully, in a transparent manner. Furthermore, once the purpose of the data has been served, the data should then be instantly deleted.

Even though its introduction was way back in May 2018, it has taken some time for the new regulations to really sink in, and many businesses still openly do not adhere to it. However, with Google’s recent financial hit at the hands of GDPR its currently not only one of the most talked about topics in tech, but in the entire business world. Businesses are now held to higher, stricter standards concerning personal data, and failure to comply can result in hefty financial penalties.

So, what next? Is this a landmark moment for data protection? Does every CEO now have to be hot on GDPR? It’s still unclear, and it’s not surprising that many still don’t know how seriously to take GDPR when some reports claim that crazily well under 1% of all data breaches have been penalised since GDPR’s introduction! Here, I will explore how GDPR will affect the chatbot space.


Chatbots as a Data List

Chatbots can be used in a whole host of different ways. In our blog, we have posted time and time again about the vast menagerie of unique and nuanced ways you can use your multi-faceted chatbot. However, at Chatamo we consider that the three primary functions of our chatbots are their ability to:

  1. Increase your sales
  2. Connect with customers
  3. Better understand customers

And as you can imagine, no.3 relies on storing and breaking down large amounts of data gathered from interactions with users.

Not only this, but chatbots easily facilitate this rapid exchange of data between customers and businesses through their easy-to-use, instant-message form. Furthermore, chatbots can easily come equipped with web analytics, ours certainly does. Meaning that using a chatbot, businesses can attain a vast amount of real-time data on users and leads.


Before a chat session Some chatbots can identify user details such as location IP Address and company. Furthermore, email addresses, phone numbers, names and address are often captured data. However, this varies from channel to channel. For example, a Facebook chatbot might supply different an email whilst a What’s App chatbot would supply a phone number.

During a chat session – Once a user has actively conversed with a chatbot, some remaining customer data can be pulled. Furthermore, for the sake of the e-commerce or customer service functions, other types of information may be introduced to the chat to answer a request. Such as a telephone number, email, address, even files etc…

After a chat session – The chatbot service will ordinarily provide a section to access this data on their application or website. Quite often this data can be integrated with CRMs or similar technologies. This data would quite likely be used for sales reports and future strategies. This can mean that the user and lead related data can be extracted from the original website.


Essentially, a chatbot has the potential to collect a large variety of consumer data. And for this reason, businesses that use chatbots and businesses that provide chatbots have got to know their GDPR.

These businesses area now known as ‘controllers’. In the sense that they are natural or legal person, public authority, agency… etc that determines the purposes and means of the data.

The chatbot users that are tracked by the controllers are now classed as ‘data subject’. In short, these are the individuals who directly or indirectly identified through the data collected about them.

Importantly: From May 2018, controllers are under obligation, are less free to do what they like with this data, and must be GDPR compliant.

So what can Chatbots Providers do?

These are our top tips for providing a chatbot service that is totally GDPR compliant.

Privacy by Design – Follow the Privacy by Design approach which takes privacy into account throughout the entire engineering process. Ensuring that data protection measures are designed into the development of business processes for products and service.

Right to Erase – Adhere to Article 17 of the GDPR which provides that the data subject has the right to request erasure of personal data related to them. Data that has been sufficiently anonymised is excluded.

Consent – When users add a bot to a channel and begin the conversation, they should agree to Terms of Service which ensure that valid consent is explicitly provided for personal data collected and the purposes that data is used for.

Notice Requirements – Whilst retaining personal data for a fixed period of time is not untoward at all. It is a nice gesture of good will provide the details of your data controller and data protection officer somewhere clearly on your website.

Controlling and Processing Information – When processing personal information on behalf of another data controller – do so only in accordance with the instructions of that data controller and otherwise in accordance with the GDPR. The data controller that the data is being processed on behalf of should provide relevant information to the user about how their data is being shared.

Author avatar
Published byHenry Charatan

More Category Articles