
Is your Chatbot POPIA compliant?

Artificial intelligence is transforming the business landscape. Many new technologies are being created to streamline customer engagement, such as chatbots. Given the quantity of personal information which a chatbot may acquire, how do you ensure that your chatbot is POPIA compliant?

What is a chatbot?

A chatbot is a software application that automates and simulates a conversation with a human in written or spoken form. This enables the user to interact with a digital device in much the same way they would communicate with a real person. These interactions typically take place over messaging applications, or the chatbot may be an embedded function on a website. The chatbot is not a person; it is a program that lets you chat about the product or service being offered.

Why would a business consider using a chatbot?

A chatbot enables the end-user to receive an instant response to a question or issue. The intended result is that the end-user saves time, which in turn is intended to increase his or her satisfaction and translate into increased sales and leads for the business. For example, an e-commerce retailer may use a chatbot to direct end-users to the specific pages of the website when they ask about a particular clothing item they wish to purchase, or to provide information on a product when an end-user queries its uses.

Why is POPIA relevant in the context of chatbots?

When a business uses a chatbot, a lot of real-time data about end users may be obtained during the conversation.

In some instances, the data obtained by the chatbot includes the personal information of an end-user. Accordingly, if your business uses a chatbot service, you must ensure compliance with the Protection of Personal Information Act, 2013 (POPIA), which becomes fully operational on 1 July 2021. The chatbot service provider is also required to comply with POPIA.

There are essentially three parties involved in a chatbot service, and it is important to distinguish them in order to comply with POPIA. Firstly, there is the end-user: the data subject to whom the personal information relates, who is typically identifiable through an identifier such as a name or identification number. The end-user is protected by POPIA, and organisations that process the end-user's personal information must comply with the Act. Secondly, there is the responsible party: the organisation using the chatbot service to process the end-user's data for a specific purpose (for the purposes of this article, we will refer to this party as the chatbot customer). Lastly, there is the operator: the entity providing the chatbot service to the chatbot customer and processing personal information on its behalf. The distinction between the latter two parties is important in determining who attracts liability in the event of a data breach.

It is also important to determine the type of information that is processed by the chatbot, as organisations have a duty under POPIA to secure the personal information they hold. Personal information includes basic identifying information (name and surname; any identifying number; e-mail address; location; etc.), as well as special personal information that attracts stricter conditions, such as biometric information (i.e. information that identifies a person based on physical, physiological or behavioural characteristics) and information relating to a person's racial or ethnic origin, religious beliefs and health.

The chat session and the sharing of personal information will typically unfold in three stages. Firstly, prior to a chat session, the chatbot may already obtain identifying information about the end-user, such as name, location, phone number and e-mail address; what is collected at this stage differs from platform to platform. Secondly, once the chat session has commenced and the end-user and the chatbot are conversing, further personal information or files may be introduced into the chat. Lastly, when the chat session is concluded, the chatbot may integrate the data received from the end-user with the Customer Relationship Management (CRM) software (which administers interactions with end-users) used by the chatbot customer, and with other related technologies, to improve business relationships with end-users. Each stage is a point at which personal information is collected, transferred or stored, and each should be accounted for in the organisation's POPIA compliance.

Considerations for chatbot operators in ensuring POPIA compliance

There are various measures that a chatbot operator and its customers should take in order to ensure POPIA compliance. The considerations discussed below are not exhaustive.

Purpose: Personal information must be collected for a specific, explicitly defined and lawful purpose, and records of personal information must not be kept for longer than is necessary to achieve the purpose for which the information was collected. If a chatbot informs an end-user that it will use their e-mail address to provide further information about the chatbot customer's services, the address should be used for that purpose only.

Consent: Importantly, because the chatbot will request personal information from the end-user, he or she should consent to the personal information being processed, unless there is another lawful justification under POPIA for the chatbot to process it. Before the conversation commences, the chatbot should provide the end-user with a link to the Terms of Service and privacy notice, which should include appropriate consent provisions for the processing of the end-user's personal information.

Although chatbots are innovative and are transforming aspects of the online business landscape, it is crucial to consider the rights of the end-user and the obligations of the chatbot customer and the chatbot provider under POPIA. The purpose of POPIA is to protect the constitutional right to privacy. This need not stifle innovation, but organisations using chatbots, and those that provide the service, should obtain appropriate legal advice to ensure POPIA compliance.
