A new law in California will affect how businesses use bots. Bots are automated accounts that interact with users of websites, apps, and social media platforms. The Bot Disclosure Law could apply to your company whether you're based in California or not.

If your company uses bots as part of its customer services or sales operations, you need to know about this law. Violating the Bot Disclosure Law could lead to a reprimand or fine from the California Attorney General.

There are two main reasons why you need a Privacy Policy:

✓ Privacy Policies are legally required. A Privacy Policy is required by global privacy laws if you collect or use personal information.

✓ Consumers expect to see them: Place your Privacy Policy link in your website footer, and anywhere else where you request personal information.

Generate an up-to-date 2024 Privacy Policy for your business website and mobile app with our Privacy Policy Generator.

One of our many testimonials:

"I needed an updated Privacy Policy for my website with GDPR coming up. I didn't want to try and write one myself, so TermsFeed was really helpful. I figured it was worth the cost for me, even though I'm a small fry and don't have a big business. Thanks for making it easy."

Stephanie P. generated a Privacy Policy



Understanding California's Bot Disclosure Law

California's Bot Disclosure Law (California Business and Professions Code § 17940) is about transparency. It aims to ensure California consumers know whether they're talking to a real person or a piece of software.

California is at the forefront of regulating online business practices. Other California laws, such as the California Online Privacy Protection Act (CalOPPA) and the California Consumer Privacy Act (CCPA), also call for greater transparency online.

Why the Law Was Passed

Bots are becoming more prevalent and more sophisticated.

Just a few years ago, it was easy to tell whether you were talking to a bot. Responses were instantaneous. Most replies were some variant of "I'm sorry, I can't help you with that." Frustration ensued after three or four minutes.

However, tech companies have made major advancements in the fields of artificial intelligence, natural language processing, and machine learning. Bots are becoming more convincing and more persuasive.

In fact, research by Salesforce and others suggests that consumers prefer speaking with a bot in certain contexts.

The Bot Disclosure Law emerges out of concerns that, as technology improves, bots will get even better at influencing consumers and voters.

Where Does the Law Apply?

The Bot Disclosure Law is a California state law. However, its effect extends well beyond California.

The law only applies to bots that interact with California consumers. But it doesn't only apply to California businesses. Like many internet laws, the scope of the Bot Disclosure Law is not specified. So, although the consumer needs to be Californian, the bot doesn't.

You could never guarantee that your website was completely inaccessible within California. And nor, most likely, would you want to.

Any company violating California law in respect of California consumers risks legal action. The simplest solution is to comply with the law.

What are the Penalties for Violating the Law?

The law doesn't specifically refer to any penalties. It also doesn't provide a right for people to bring private legal claims.

It's likely that, at least in the commercial context, the law will be enforced under the false advertising rules of California Business and Professions Code § 17500. If so, this would mean fines of up to $2,500 per violation.

This might not sound like a lot. But imagine, for example, that a bot spoke to just a hundred users without making a disclosure. This could result in a total fine of $250,000.

The California Bot Disclosure Law and Your Company

The California Bot Disclosure Law and Your Company

It's always good to be transparent in your business practices. But the Bot Disclosure Law only applies in certain contexts. Even if you do use bots on your website or app, you might not need to comply.

What is a Bot?

The Bot Disclosure Law defines a "bot" as:

"an automated online account where all or substantially all of the actions or posts of that account are not the result of a person."

Bots are used for many purposes:

  • Lyft's bot can help you order a cab
  • Mastercard's bot can tell you your latest transactions
  • Sephora's bot provides makeup tutorials

A major reason for the law is that bots on social media can attempt to influence voter behavior. Twitter started a major program of deleting bot accounts in 2018. It closed over 70 million within three months.

The Bot Disclosure Law covers bots operating "online." It defines "online" as:

"any public-facing Internet Web site, Web application, or digital application, including a social network or publication."

This can safely be assumed to include:

  • Websites
  • Mobile apps
  • Desktop apps
  • Social media
  • Instant messaging apps

It's not clear yet whether the law covers Internet of Things devices and voice assistants.

What Types of Bots Need to Disclose?

Bot disclosure isn't necessary in all contexts. The law requires a bot to disclose when it used to:

"incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election."

This sounds straightforward. You should know whether your bot is involved in "incentivizing a purchase" or "influencing a vote."

This provision clearly isn't designed to cover bots used for tech support. Bots that launch a playlist or provide weather updates are also unlikely to need to disclose.

However, the boundaries get blurrier in certain areas.

For example, a bot that helps you book a table in a restaurant might not be incentivizing the purchasing of services. But what about a bot that helps you find a restaurant? A bot that handles refunds might not be incentivizing the sale of goods. But what about a bot that suggests an alternative item?

The boundaries will become clearer once enforcement actions start to take place. California's Attorney General may also release guidance in the future. Until then, it's better to take a cautious approach. If in doubt, disclose.

Are Certain Companies Exempt?

Certain California laws have been clearly aimed at large tech companies. The California Consumer Privacy Act (CCPA) is a perfect example. The CCPA mainly targets companies with an annual turnover exceeding $25 million.

California's Bot Disclosure Law does the opposite. Many large companies are exempt. "Service providers of online platforms" are not required to comply with the disclosure requirement.

The law defines an "online platform" in a very specific way.

"any public-facing Internet Web site, Web application, or digital application, including a social network or publication, that has 10,000,000 or more unique monthly United States visitors or users for a majority of months during the preceding 12 months."

Ten million monthly unique US visitors is a lot of visitors. Let's consider the scale of that.

According to Quantcast, only the top 80 most popular websites in the US meet this threshold.

Facebook, the most popular US website, receives over 635 million unique monthly US visitors. Google comes in at second with around 252 million.

The exemption doesn't apply to the users of these popular platforms. It only applies to the providers of them. It means that Facebook is not required to disclose every single bot on its website. But it appears that corporate Facebook users must disclose their use of bots on Messenger.

Making a Compliant Disclosure

Making a Compliant Disclosure

The Bot Disclosure Law states that a bot must make a disclosure that is:

"clear, conspicuous, and reasonably designed to inform persons with whom the bot communicates or interacts that it is a bot"

The law itself doesn't define the terms "clear" or "conspicuous." For this, we can look to the guidance on online advertising from the Federal Trade Commission (FTC).

According to the FTC, the following factors are relevant when considering whether a disclosure is clear and conspicuous:

  • How close the disclosure is placed to where the claim is made
  • How prominent the disclosure is
  • How unavoidable the disclosure is
  • Whether other parts of the ad pull attention away from the disclosure
  • Whether the disclosure needs to be repeated more than once
  • Whether the language used is understandable to the intended audience

Bots aren't mentioned in the FTC's guidance, but it's still highly relevant to the Bot Disclosure Law.

Proactive Disclosure

Proactive Disclosure

The Bot Disclosure Law is about deceptive practices.

"It shall be unlawful for any person to use a bot to communicate or interact with another person in California online, with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication [...]"

Let's consider the phrases "intent to mislead" and "knowingly deceiving." At first glance, they suggest a prohibition on lying. This would merely require a bot to be honest when asked if it is a bot.

However, the law requires a bot to proactively disclose that it is a bot.

"A person using a bot shall not be liable under this section if the person discloses that it is a bot."

If a bot only disclosed when asked, most of its interactions with users would not contain a disclosure. So, most of these interactions would not be legally compliant.

This means a disclosure must be made at the beginning of each interaction with a user.

Clear Disclosure

Clear Disclosure

The FTC requires that disclosures are easy to understand. Your bot's disclosure must not contain overly technical language or "legalese."

Here's an example of how Donut makes a bot disclosure:

Screenshot of Donut website Bot chat box

Note that the word "bot" appears under "operator." This is certainly not deceptive. Donut obviously has no desire to trick its customers. However, this disclosure may not be enough to satisfy the Bot Disclosure Law.

The Bot Disclosure Law doesn't provide any standard text that a bot should use when making a disclosure. It's not even clear that the word "bot" will be easily understood by consumers.

Assuming that the word "bot" is acceptable, here are some examples of disclosures that might be appropriately clear:

  • "I'm a bot. This means my responses are automated. Let me know if you want to talk to a human."
  • "Just to let you know, you're talking to a bot. These responses aren't coming from a real person."
  • "I might not understand everything you ask me. I'm an automated piece of software known as a 'bot.' Please be patient!"

In addition to this proactive disclosure, you should teach your bot to respond appropriately when asked if it is a bot.

Here's an example from the Sephora bot on messaging app Kik. Unfortunately, Sephora's bot isn't very self-aware:

Screenshot of Sephora chat bot on kik messenger app

Something like "Yes, I'm a bot" would be a better answer. This is just an example. Sephora is not required to make a disclosure here.

Here's a better example, from Amicable:

Amicable Alex chatbot disclosure example

Amicable is not required to disclose in this context. But this level of transparency is just good customer relations.

Conspicuous Disclosure

Conspicuous Disclosure

The FTC requires that a disclosure must be in close proximity to an "advertisement." In this case, we can consider the bot's chat text to be the "advertisement." A bot will need to disclose within the text itself.

Here's an example of an in-text disclosure from Slack's bot:

Slack: Slackbot messenger disclosure

The FTC also requires you to make repetitive disclosures if required.

Repeating a disclosure might be necessary if your bot is engaged in a long interaction with a customer. It might also be necessary if an interaction spans more than one visit.

Being Fully Transparent

Being Fully Transparent

Your bot must make a disclosure during its interaction with your users. And there are other important ways to disclose information about your use of bots.

Your Privacy Policy

You should disclose your use of bots in your Privacy Policy. This will also help your users understand how and why you use bots.

If you don't have a Privacy Policy, you need to create one. It's an essential part of complying with privacy laws all over the world. For example:

Failing to create and maintain a Privacy Policy is a serious breach of privacy law.

Here are some basic things you must disclose in your Privacy Policy:

  • What personal information you collect. The following types of personal information are commonly collected by bots:
    • Name
    • Location
    • Contact details
    • Personal preferences
  • How you collect personal information, including via a bot
  • Whether you share personal information with third parties. This is relevant if the software for your bot is provided via a third party such as Facebook

Evertrue's Privacy Policy lists some of the ways it collects personal information. This includes when users provide personal information to its bot:

Evertrue Privacy Policy: Information you provide in relation to inquiries, surveys or customer support - Chat bot clause

Travel company Halo explains that using its bot means sharing personal information with a third party:

Halo Privacy and Cookies Policy: Social media - chat bot clause

PlannerBot uses software provided by the Microsoft Bot Framework. Its Privacy Policy makes the following standard disclosure:

PlannerBot Privacy Policy: Microsoft Bot Framework disclosure

Your bots should be disclosing up-front that they're bots. And your Privacy Policy provides essential further information about how and why you use the bots. Together, these will work to provide solid disclosure.

Your Terms and Conditions

Some companies use a Terms and Conditions agreement to govern their use of bots.

A Terms and Conditions agreement allows you to make disclaimers and provide information to your customers. Unlike a Privacy Policy, a Terms and Conditions agreement is not legally mandatory. However, because the agreement is a contract between you and your customers, it can be enforced in court.

If your customers agree to your Terms and Conditions, they agree to be subject to your rules. They also agree that your company is not legally liable for certain things.

It's very important that your company has a Terms and Conditions agreement. This is true whether you use bots or not, but a T&C can be especially helpful if you use bots.

The bot's responses are not entirely within your control. This is even truer if your bot uses sophisticated AI and has access to a large variety of responses. You may want to let people know that your bot can make mistakes and you can't be held legally liable for them.

UPS provides a Terms of Use agreement specifically for its bot. Here's a short excerpt from the agreement:

UPS Bot Terms of Use: Risk of Inaccurate Information clause

If your bot functions as a pop-up window on your website, it might be difficult to obtain clear agreement with your Terms and Conditions via clickwrap. Your users might be able to argue that they didn't agree to your Terms and Conditions before using the bot. This could be a problem if you need to rely on the agreement in court.

To avoid this, you could also make a disclaimer that your users are highly likely to see before using the bot. Here's an example from Eviebot:

Eviebot use at your own risk and bot disclosure

Your bot needs to be clear that it's a bot. And you can use your Terms and Conditions to make sure that your customers are fully informed of any risks before they use your bot.

Summary

The true significance of the Bot Disclosure Law will become clearer in the coming years. When bots become virtually indistinguishable from humans online, consumers will welcome these disclosures.

For now, you must ensure your bots disclose their status even if it might seem obvious.

California's Bot Disclosure Law:

  • Applies to any bot used to incentivize a sale or influence a vote
  • Applies to any bot that interacts with a California consumer
  • Applies regardless of the bot's "home country"
  • Does not apply to providers of online platforms with more than 10 million monthly US visitors

A bot covered by the law must disclose that it is a bot. The disclosure must be:

  • Proactive - made at the start of an interaction with a user
  • Clear - made using language that the user can understand
  • Conspicuous - made within the interaction itself (e.g. within the chat window)

You should also take these additional steps to ensure full transparency:

  • Disclose how your bots process personal information in your Privacy Policy
  • Use your Terms and Conditions to govern how your customers use your bots

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy