1 Recommendations

Chatbots can be a valuable source of actionable marketing information, but user data privacy principles must be observed in chatbot deployment. Consider that:

• Chatbots will likely be processing personally identifiable information (PII).
• Chatbots that process PII must be able to inform users and collect their consent.
• Chatbots’ consent collection routines should not introduce an unacceptable level of friction in the process Where possible, consent to process PII should be obtained at the earliest feasible point in a user journey (e.g. during registration).
• Enabling users to give granular consent per purpose may be necessary in order to authorize data processing for various purposes.
• Privacy must be designed into chatbot applications, and default configuration settings should minimize PII collection.
• PII data may need to be anonymized for certain uses.
• Some social networks offer APIs to connect their messengers with third party chatbots. Check relevant privacy policies and evaluate whether GDPR obligations for data controllers and processors or “joint controllership” will apply.
• When evaluating cloud-based chatbot solutions, look for vendor certifications and codes of conduct related to data protection and information security.
• Use a chatbot for marketing purposes only if it is actually helpful for your prospects and customers. If this is the case, a chatbot app may promote repeat business. Otherwise the chatbot could be seen as just an annoying gadget or may tarnish your reputation if users believe that it is mainly designed to collect their data.