Are chatbots GDPR compliant?

Compliance with GDPR, Europe’s recently implemented major privacy regulation, is proving extremely challenging and onerous to companies of all shapes and sizes.  

Any company that does business in Europe or with European customers is affected – no ifs or buts about it.

There has been much talk about the tremendous work created by the new rule but very little about technical solutions facilitating compliance.   

This article focuses on chatbots and how they are well suited to significantly facilitate compliance with GDPR in several ways.

Excited yet?

Right to data portability and to be forgotten:

Among other things, GDPR requires that businesses respect a data subject’s (i.e., you, any website visitor or customer, etc.) right to be forgotten and right to data portability.

Put simply, upon request from a data subject your business needs to be able to report on all the information you hold on that data subject and to delete all of it.

This sounds easy but, as any business owner will tell you, once you collect data (such as a customer’s name) it goes in many different directions within your business (and if you offer software the data can ultimately end up in many different parts of your backend and frontend).

Finding that personal information, e.g., customer name, in every database, spreadsheet, document, etc. is hard to do after the fact unless your system was designed to allow it to automatically track and then delete a name everywhere it might appear years after initial collection.  

The same applies to other personal information such as email address, home address, telephone number, etc.

So you need a controlled strategy or mechanism for accepting personal information, tracking it, reporting on it, and ultimately deleting it.  

You can see how relying on a person to do this may not be ideal.

Your customer service representatives, for example, may collect customer personal information and take notes or pass on this information to different parts of your business in inconsistent ways.

One rep may keep notes on his hard drive, another may keep notes on a sticky note or notepad, etc.

Also, a website visitor’s email address may make its way around the company, for example, a newsletter subscription list, a list of high potentials for outreach, a customer service log, etc.

So yes, personal data comes in through many doors and then makes its way to remote corners of your company and sits there out of sight, out of mind.

And now, GDPR requires that upon request from a data subject you promptly find it, report on it, and delete it!

If you don’t, you are subject to a steep fine – the higher of 20M Euro or 4% of your annual revenue!  

[Image: GDPR fines]

Yes, that last sentence is worthy of a double take.

Calgon, take me away.

Ok, take a deep breath and let’s talk solutions.

Have no fear… chatbots are here.

The key is that you can use chatbots to collect personal information in a systematic, traceable way.  

For example, to greet a visitor on your website you can use a chatbot rather than a popup, form or live agent.  

The chatbot can be programmed to recognize personal information and tag it in your system so that, when the time comes, you can honor your visitor’s or customer’s right to be forgotten and right to data portability.

Note that not all chatbots are created equal in this regard as many were designed before implementation of GDPR, so choose your bot carefully.

Many pre-existing bot platforms are either not compliant or have been jury-rigged or otherwise reworked in response to GDPR (which is not the same as focused, original design).

But wait, the right to be forgotten and the right to data portability are just one piece of the compliance puzzle.

Chatbots can be used quite effectively to manage other tricky GDPR requirements.

Shift from opt out to opt in.

The GDPR requires specific consent to use a data subject’s personal information.

[Image: Gobot GDPR consent details feature]

Gone are the days when you collect a data subject’s email, e.g., to subscribe to a newsletter, and then send him or her materials completely unrelated to the newsletter, e.g., promotional materials.

In other words, say goodbye to the opt out – and hello to the opt in, specific consent required, please!

If you want to use that collected email, in this example, for anything other than that newsletter (which is the reason the data subject originally volunteered his email), you will need to specifically ask the data subject for permission.

This may be good in some ways for data subjects, but it makes life challenging for businesses or marketers looking to actively share their content.  

You can expect that shifting from opt out to opt in will dramatically reduce conversion rates.

So, you either accept this reduction or find a more engaging way to address data subjects and convince them to opt in!  

Again, chatbots are the solution!

Chatbots allow for much more engagement than traditional forms.

Sometimes an example is worth a million words!

Consider a website offering rock climbing equipment.

A popup appears with an invitation to subscribe to a newsletter focused on outdoor sports.

A data subject visiting this site subscribes to the newsletter.  

The website owner historically would follow up with an email offering life insurance (figuring that risk-junkie rock climbers might be interested in some insurance!).

This is no longer allowed under GDPR.

The reason the website owner didn’t previously ask for permission in his popup to send follow up emails regarding insurance was because he knew conversions would be low, and more importantly, he knew that asking about insurance would likely dissuade visitors from subscribing to the newsletter.   

Now, contrast this popup approach with an engaging chatbot on the same rock climbing website.

Chatbot: Hi. Welcome to Rock Climbers R’ Us!
Visitor: Thanks!
Chatbot: Not sure you’re aware, but we produce a monthly newsletter with reviews of rock climbing gear.  Click here to check out last month’s.
Visitor: Awesome, how do I sign up?
Chatbot:  Cool, just enter your email below.
Chatbot:  Nice, how often you go out climbing?
Visitor: A couple times a year…
Chatbot: Impressive!  As you know, climbing is dangerous. Approximately x climbers die a year, so be safe!
Visitor: Thanks but I use solid safety gear
Chatbot: Smart man…do you also have life insurance to protect your family?
Visitor: Not really
Chatbot: Don’t feel bad, this is very common…can I email you about an inexpensive policy tailor-made for climbers just like you?
Visitor: Absolutely!

Do you see now how an engaging chatbot can be so much more effective than a popup form offering insurance?  

So much so that asking for specific permission does not have to reduce conversions (or at least any reduction is mitigated).

The above example also highlights another way chatbots facilitate GDPR compliance: they can be used to create a clear record of consent.

Record of clear consent

The GDPR requires a clear record of consent (yes, it requires a lot!).

Bot transcripts certainly qualify.  

[Image: Gobot consent logging functionality]

The transcript reflects the entire conversation between your bot and the data subject.  

If you are ever questioned or accused of sending unsolicited emails all you have to do is show your accuser the transcript where he or she definitively provided specific consent.   

Of course, you have to make sure to script your bot appropriately so your questions and opt ins are entirely clear, but this is readily achievable.

Of note, in order to ensure a clear record, you may want to script your bot rather than rely on AI or a live rep/agent.

Live agents are not always consistent in seeking consent in a clear way.  

AI is great to address customer questions but, at its current stage of evolution, not always predictable.

Go for a bot builder platform that at least provides a scripted bot option where you can literally script all of the branches of your bot’s conversation.

Gobot utilizes bot scripting in combination with AI.

Data retention

GDPR also requires under certain circumstances that businesses only retain personal data for as long as reasonably necessary to achieve the original purpose for which the data was volunteered.

[Image: Gobot data retention functionality]

As detailed above, chatbots are especially useful for collecting personal data in a consistent, trackable way.

Additionally, they can be programmed to assign different retention periods for different types of data consistent with the data subjects’ intent.  

For example, consider the following bot script used on a runners’ website.

Chatbot: Welcome to Marathons R’ Us!  The next marathon in your city is next month.  Do you want us to send you a reminder ahead of the marathon?
Chatbot: Great, what is your email?
Chatbot: Ok, look for a reminder in your inbox next week. Also, interested in our runners newsletter?
Chatbot: No worries, let us know if you change your mind

In the above example, the data subject requested a reminder next week but nothing else.

In this situation it would be inappropriate under GDPR to hold onto this data subject’s email after sending the reminder email unless additional authorization is provided.

Your chatbot can be tailored to set an appropriate retention period based on the response your visitor provides.

In the above example, retention is set such that the email address is deleted after the reminder email is sent.

If the data subject had subscribed to the newsletter, retention would have been set to last until the user unsubscribed.

Your bot offers exactly what GDPR requires: precise control of personal data.

This is another advantage over live chat where the agent may not consistently enter the proper retention for each piece of data collected in accordance with the data subject’s consent.
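To make the tagging and per-purpose retention concrete, here is an added Python sketch, not Gobot’s code and not from the article, that keeps every bot-collected field in one ledger together with the transcript line that recorded consent and a retention rule derived from the visitor’s answers in the Marathons R’ Us script above; it also covers the portability export and erasure from the first section. The subject ids, purpose names and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class PersonalDatum:
    subject_id: str            # hypothetical stable id for the data subject
    field_name: str            # e.g. "email"
    value: str
    purpose: str               # the one purpose the visitor consented to
    consent_line: str          # transcript line that records the consent
    delete_on: Optional[date]  # fixed expiry date; None = keep until unsubscribe

class ConsentLedger:
    """One place where bot-collected personal data is tagged, exported and purged."""
    def __init__(self) -> None:
        self.records: List[PersonalDatum] = []

    def collect_marathon_script(self, subject_id: str, email: str, wants_reminder: bool,
                                wants_newsletter: bool, reminder_on: date) -> None:
        """Map the script's two yes/no answers to separate retention rules (constructed)."""
        if wants_reminder:  # purpose is fulfilled once the reminder is sent, so expire then
            self.records.append(PersonalDatum(subject_id, "email", email, "race reminder",
                                              "Visitor: Yes, please remind me", reminder_on))
        if wants_newsletter:  # open-ended subscription: keep until the subject unsubscribes
            self.records.append(PersonalDatum(subject_id, "email", email, "newsletter",
                                              "Visitor: Yes, sign me up", None))

    def export_subject(self, subject_id: str) -> List[dict]:
        """Right to data portability: everything held on one subject, with its consent."""
        return [vars(r) for r in self.records if r.subject_id == subject_id]

    def forget_subject(self, subject_id: str) -> int:
        """Right to be forgotten: drop every record tagged with this subject."""
        kept = [r for r in self.records if r.subject_id != subject_id]
        removed = len(self.records) - len(kept)
        self.records = kept
        return removed

    def unsubscribe(self, subject_id: str, purpose: str, today: date) -> None:
        """Opt out of one purpose: turn open-ended retention into an expiry date."""
        for r in self.records:
            if r.subject_id == subject_id and r.purpose == purpose and r.delete_on is None:
                r.delete_on = today

    def purge_expired(self, today: date) -> int:
        """Scheduled job: delete data whose retention date has arrived."""
        kept = [r for r in self.records if r.delete_on is None or r.delete_on > today]
        removed = len(self.records) - len(kept)
        self.records = kept
        return removed
```

Because every record carries its purpose and consent line, the export doubles as the evidence of consent the article describes, and the purge job is what enforces the retention the bot set.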

Geographic trigger

Now that you have a better sense of how burdensome GDPR actually is, you might be tempted to avoid collecting personal data altogether.

No worries, this would not make you a bad person, just risk averse!

This all or nothing approach is understandable if you don’t have the time to implement an appropriate bot with all of the above GDPR settings.  

There is a better, less dramatic solution, however.

Rely on a bot with a geographic trigger!

Set your bot so as to only appear for visitors outside the EU!

[Image: Gobot geographic-specific functionality]

Of note, Gobot offers geographic triggers that easily allow you to set your bot to only appear outside the EU.  

You can also create different bots for different geographic regions and tailor your data collection based on the location of your data subject.

Opt out opportunity

Finally, GDPR requires that you allow data subjects to opt out.

Of course, emails you send should include opt out links.

[Image: Gobot email opt-out link]

But what about while your visitor is on your site?

A bot can readily receive and process opt out requests and facilitate compliance.

This would certainly help you avoid any allegation by a data subject that it was unreasonably challenging to remove himself from a list.

Plus, if you make opt out more accessible you are likely to receive fewer requests to be forgotten!

Gobot includes all of the above GDPR-related functionality. Learn more about this here.

Given Gobot’s email functionality, leveraging Gobot will also immediately reduce privacy compliance risks tied to your email marketing campaigns.

A two for one special!

Violation of GDPR may result in a fine large enough to knock you out of business or, at a minimum, give you a bad year.

It’s time to take an active look at how you collect, store and utilize personal information and leverage the power of bots to keep you out of trouble!

This website is not intended to provide legal advice. You should not rely on this website for such, nor as a recommendation as to a particular legal understanding. Our goal is to provide background information to help you understand how Gobot has addressed some important legal points. This information is not the same as legal advice where a lawyer applies the law to your particular circumstance. Therefore, we suggest that you consult a lawyer to seek assistance in the interpretation of this information including its accuracy.
