18 January 2021
A new law in California will affect how businesses use bots. Bots are automated accounts that interact with users of websites, apps, and social media platforms. The Bot Disclosure Law could apply to your company whether you're based in California or not.
If your company uses bots as part of its customer services or sales operations, you need to know about this law. Violating the Bot Disclosure Law could lead to a reprimand or fine from the California Attorney General.
California's Bot Disclosure Law (California Business and Professions Code § 17940) is about transparency. It aims to ensure California consumers know whether they're talking to a real person or a piece of software.
California is at the forefront of regulating online business practices. Other California laws, such as the California Online Privacy Protection Act (CalOPPA) and the California Consumer Privacy Act (CCPA), also call for greater transparency online.
Bots are becoming more prevalent and more sophisticated.
Just a few years ago, it was easy to tell whether you were talking to a bot. Responses were instantaneous. Most replies were some variant of "I'm sorry, I can't help you with that." Frustration ensued after three or four minutes.
However, tech companies have made major advancements in the fields of artificial intelligence, natural language processing, and machine learning. Bots are becoming more convincing and more persuasive.
In fact, research by Salesforce and others suggests that consumers prefer speaking with a bot in certain contexts.
The Bot Disclosure Law emerges out of concerns that, as technology improves, bots will get even better at influencing consumers and voters.
The Bot Disclosure Law is a California state law. However, its effect extends well beyond California.
The law only applies to bots that interact with California consumers. But it doesn't only apply to California businesses. Like many internet laws, the scope of the Bot Disclosure Law is not specified. So, although the consumer needs to be Californian, the bot doesn't.
You could never guarantee that your website was completely inaccessible within California. Nor, most likely, would you want to.
Any company violating California law in respect of California consumers risks legal action. The simplest solution is to comply with the law.
The law doesn't specifically refer to any penalties. It also doesn't provide a right for people to bring private legal claims.
It's likely that, at least in the commercial context, the law will be enforced under the false advertising rules of California Business and Professions Code § 17500. If so, this would mean fines of up to $2,500 per violation.
This might not sound like a lot. But imagine, for example, that a bot spoke to just a hundred users without making a disclosure. This could result in a total fine of $250,000.
It's always good to be transparent in your business practices. But the Bot Disclosure Law only applies in certain contexts. Even if you do use bots on your website or app, you might not need to comply.
The Bot Disclosure Law defines a "bot" as:
"an automated online account where all or substantially all of the actions or posts of that account are not the result of a person."
Bots are used for many purposes:
A major reason for the law is that bots on social media can attempt to influence voter behavior. Twitter started a major program of deleting bot accounts in 2018. It closed over 70 million within three months.
The Bot Disclosure Law covers bots operating "online." It defines "online" as:
"any public-facing Internet Web site, Web application, or digital application, including a social network or publication."
This can safely be assumed to include:
It's not clear yet whether the law covers Internet of Things devices and voice assistants.
Bot disclosure isn't necessary in all contexts. The law requires a bot to disclose when it is used to:
"incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election."
This sounds straightforward. You should know whether your bot is involved in "incentivizing a purchase" or "influencing a vote."
This provision clearly isn't designed to cover bots used for tech support. Bots that launch a playlist or provide weather updates are also unlikely to need to disclose.
However, the boundaries get blurrier in certain areas.
For example, a bot that helps you book a table in a restaurant might not be incentivizing the purchasing of services. But what about a bot that helps you find a restaurant? A bot that handles refunds might not be incentivizing the sale of goods. But what about a bot that suggests an alternative item?
The boundaries will become clearer once enforcement actions start to take place. California's Attorney General may also release guidance in the future. Until then, it's better to take a cautious approach. If in doubt, disclose.
Certain California laws have been clearly aimed at large tech companies. The California Consumer Privacy Act (CCPA) is a perfect example. The CCPA mainly targets companies with an annual turnover exceeding $25 million.
California's Bot Disclosure Law does the opposite. Many large companies are exempt. "Service providers of online platforms" are not required to comply with the disclosure requirement.
The law defines an "online platform" in a very specific way.
"any public-facing Internet Web site, Web application, or digital application, including a social network or publication, that has 10,000,000 or more unique monthly United States visitors or users for a majority of months during the preceding 12 months."
Ten million monthly unique US visitors is a lot of visitors. Let's consider the scale of that.
According to Quantcast, only the top 80 most popular websites in the US meet this threshold.
Facebook, the most popular US website, receives over 635 million unique monthly US visitors. Google comes in second with around 252 million.
The exemption doesn't apply to the users of these popular platforms. It only applies to the providers of them. It means that Facebook is not required to disclose every single bot on its website. But it appears that corporate Facebook users must disclose their use of bots on Messenger.
The Bot Disclosure Law states that a bot must make a disclosure that is:
"clear, conspicuous, and reasonably designed to inform persons with whom the bot communicates or interacts that it is a bot"
The law itself doesn't define the terms "clear" or "conspicuous." For this, we can look to the guidance on online advertising from the Federal Trade Commission (FTC).
According to the FTC, the following factors are relevant when considering whether a disclosure is clear and conspicuous:
Bots aren't mentioned in the FTC's guidance, but it's still highly relevant to the Bot Disclosure Law.
The Bot Disclosure Law is about deceptive practices.
"It shall be unlawful for any person to use a bot to communicate or interact with another person in California online, with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication [...]"
Let's consider the phrases "intent to mislead" and "knowingly deceiving." At first glance, they suggest a prohibition on lying. This would merely require a bot to be honest when asked if it is a bot.
However, the law requires a bot to proactively disclose that it is a bot.
"A person using a bot shall not be liable under this section if the person discloses that it is a bot."
If a bot only disclosed when asked, most of its interactions with users would not contain a disclosure. So, most of these interactions would not be legally compliant.
This means a disclosure must be made at the beginning of each interaction with a user.
The FTC requires that disclosures are easy to understand. Your bot's disclosure must not contain overly technical language or "legalese."
Here's an example of how Donut makes a bot disclosure:
Note that the word "bot" appears under "operator." This is certainly not deceptive. Donut obviously has no desire to trick its customers. However, this disclosure may not be enough to satisfy the Bot Disclosure Law.
The Bot Disclosure Law doesn't provide any standard text that a bot should use when making a disclosure. It's not even clear that the word "bot" will be easily understood by consumers.
Assuming that the word "bot" is acceptable, here are some examples of disclosures that might be appropriately clear:
In addition to this proactive disclosure, you should teach your bot to respond appropriately when asked if it is a bot.
Something like "Yes, I'm a bot" would be a better answer. This is just an example. Sephora is not required to make a disclosure here.
Here's a better example, from Amicable:
Amicable is not required to disclose in this context. But this level of transparency is just good customer relations.
The FTC requires that a disclosure must be in close proximity to an "advertisement." In this case, we can consider the bot's chat text to be the "advertisement." A bot will need to disclose within the text itself.
Here's an example of an in-text disclosure from Slack's bot:
The FTC also requires you to repeat disclosures where necessary.
Repeating a disclosure might be necessary if your bot is engaged in a long interaction with a customer. It might also be necessary if an interaction spans more than one visit.
Your bot must make a disclosure during its interaction with your users. And there are other important ways to disclose information about your use of bots.
Travel company Halo explains that using its bot means sharing personal information with a third party:
Some companies use a Terms and Conditions agreement to govern their use of bots.
If your customers agree to your Terms and Conditions, they agree to be subject to your rules. They also agree that your company is not legally liable for certain things.
It's very important that your company has a Terms and Conditions agreement. This is true whether you use bots or not, but a T&C can be especially helpful if you use bots.
The bot's responses are not entirely within your control. This is even truer if your bot uses sophisticated AI and has access to a large variety of responses. You may want to let people know that your bot can make mistakes and you can't be held legally liable for them.
If your bot functions as a pop-up window on your website, it might be difficult to obtain clear agreement with your Terms and Conditions via clickwrap. Your users might be able to argue that they didn't agree to your Terms and Conditions before using the bot. This could be a problem if you need to rely on the agreement in court.
To avoid this, you could also make a disclaimer that your users are highly likely to see before using the bot. Here's an example from Eviebot:
Your bot needs to be clear that it's a bot. And you can use your Terms and Conditions to make sure that your customers are fully informed of any risks before they use your bot.
The true significance of the Bot Disclosure Law will become clearer in the coming years. When bots become virtually indistinguishable from humans online, consumers will welcome these disclosures.
For now, you must ensure your bots disclose their status even if it might seem obvious.
California's Bot Disclosure Law:
A bot covered by the law must disclose that it is a bot. The disclosure must be:
You should also take these additional steps to ensure full transparency:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.