Privacy Policy for Chatbots

A chatbot is a computer program that mimics chatting with a real person.

This form of artificial intelligence is used often in web applications to conduct customer service and collect information via chat. Because of the personal data collected through a chatbot, a Privacy Policy might be mandatory.

If you have an iPhone and use Siri, you're using a chatbot. Cortana with Windows is another popular chatbot you may be familiar with.

Chatbots can also be used in mobile apps and games to simulate real conversation, in commerce apps to help you buy goods or services, and to do things like book a doctor's appointment, hail a taxi or order takeout.

SMS chatbots like Magic make it possible to do a ton of different things just by texting the chatbot, such as booking a plane ticket or getting groceries delivered to your home or office.

Chatbots are even popping up in our homes as with Amazon's Echo with Alexa Skills to do things like turn on your lights and other automated tasks.

In the future, chatbots are expected to be used far more regularly and with a wider range of abilities and uses.

Is a Privacy Policy required for a chatbot?

Your chatbot will require a Privacy Policy in one of two situations:

1. If your chatbot collects personal data from users, you are legally required by a number of international laws to include a Privacy Policy, or

2. If your chatbot operations within a framework that requires a Privacy Policy as part of its Terms and Conditions of Use, you will be required by the platform to provide a Privacy Policy.

   For example, Facebook Messenger requires any chatbots used on the Messenger platform to include a Privacy Policy whether or not your chatbot collects personal information.

First let's look at the legal requirements if your chatbot collects personal information.

Personal information includes any information that can be used to identify a user such as a birth date, email address, first or last name, home address, IP address, and other pieces of data.

US CalOPPA

In the United States, the California Online Privacy Protection Act (CalOPPA) requires that if any personal information is collected and used from a user located in the state of California, a Privacy Policy must be present.

Because of the global nature of the internet and most chatbot platforms, it's very likely that a user in the state of California may use your chatbot.

This means that if you collect user information at all through your chatbot, you need to include a Privacy Policy to ensure you're compliant with CalOPPA. It doesn't matter which country your business is located in -- CalOPPA will apply.

Canada PIPEDA

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal law that dictates how businesses in the private sector must handle personal information of its users.

Among the requirements of PIPEDA is that businesses must let users know what personal information is going to be collected, and why it's going to be collected.

A Privacy Policy is the perfect and compliant way to do this for your chatbot.

Australia's Privacy Act

Australia has their thirteen Privacy Principles that regulate how personal information is handled.

The very first principle covers "the open and transparent management of personal information including having a privacy policy."

This means that if you collect personal information through your chatbot, Australia's Privacy Act requires a Privacy Policy.

EU Privacy Directives

In the EU and the UK, there following laws require you to have a Privacy Policy for your chatbot if you collect personal data from users through a bot:

• In the EU, the Data Protective Directive and the ePrivacy Directive
• In the UK, the DPA Act

The very first principle requires a fair and lawful processing of personal information. Best practices here call for transparency in order to be fair and lawful. Transparency can easily be achieved by including a complete, accurate and informative Privacy Policy whenever personal information is collected.

No matter what platform you use for your chatbot, you'll need to include a Privacy Policy if you collect and use any personal information from users.

Chatbot Platforms

If you want to create a chatbot for your business or organization, there are a number of different platforms or SDKs (software development kits) that allow you to create one. Oftentimes these platforms/SDKs require you to include a Privacy Policy for the chatbots you create through them.

Here are a few of the more common and popular platforms with chatbots and their requirements for Privacy Policies.

Microsoft Dev Framework

Microsoft has a Bot Framework in its "Developer Tools" that allows you to "build and deploy high quality bots for your users to enjoy wherever they are talking."

The Microsoft Bot Framework includes a Bot Builder SDK, a Bot Connector, Developer Portal, Bot Directory, and an emulator to test your bot.

When you use the Microsoft Bot Framework to create your chatbot, you're going to be subject to the "Microsoft Bot Framework Preview Online Services Agreement".

Within this agreement is a section that explicitly covers Privacy Policy requirements. Section 5 covers "Your Duty to Obtain Consent" and states that "you will provide End Users with access to your privacy policy through your Application."

The agreement then goes on to discuss what's required of the Privacy Policy, including the requirements:

"such privacy policy must comply with all applicable laws and regulations, and at a minimum, must disclose to End Users that the Data collected by the Application will be sent to you and you may share Data with third parties nationally or in another country or region, and describe the controls the End Users have over the use and sharing of the Data and how they may access their information."

Microsoft also requires that you promptly notify both Microsoft and the end users of any material changes to your Privacy Policy.

Facebook Messenger

In early 2016, Facebook introduced a Bots for Messenger platform that allows developers to create chatbots that connect with end users via the Facebook Messenger application.

Developers who work within the Facebook platform must adhere to the Facebook Platform Policy.

This policy includes a section (2.) titled "Give People Control." The fourth requirement in this section is that developers must "provide a publicly available and easily accessible privacy policy that explains what data you are collecting and how you will use that data."

Sections 6, 7 and 8 also deal with Privacy Policy requirements and make it mandatory that developers:

• "include your privacy policy URL in the App Dashboard,"
• "link to your privacy policy in any app marketplace that allows you to," and
• "comply with your privacy policy."

Here is a screenshot of Facebook's Platform Policy:

Slack

Slack is a cloud-based collaboration tool that a lot of organizations and companies use for projects. It allows bots to be created and used, and includes lists of available bots and "Brilliant Bots."

While a lot of Slack bots are created to be used solely within that organization, there are Privacy Policy requirements for bots that are made available for use by other Slack users.

If you use Slack to create a bot that you intend to be used by people anywhere, the Slack API Terms of Service agreement state that "you must maintain a user agreement and privacy policy for your Application."

This Privacy Policy "must meet applicable legal standards and accurately describe the collection, use, storage and sharing of data."

Depending on what framework you build your chatbot on, and whether or not you collect and use personal information through your bot, your Privacy Policy requirements may differ.