Skip to main content
Guest

What the EU’s latest data protection law means for chatbot makers and marketers

Image Credit: Shutterstock / SB_Photos
@silvioporcellan

Watch all the Transform 2020 sessions on-demand here.

What follows is an overview of the upcoming GDPR legislation and, above all, an invite to anticipate the consequences of this new regulation and start thinking about the actions you need to undertake. It is absolutely not legal advice; GDPR is a pretty serious matter (keep reading to see how serious it is) and so I strongly suggest you consult a lawyer who can give you professional guidance on this topic.

GDPR (the acronym for “General Data Protection Regulation“) is a new law from the European Union that will take effect on May 25, 2018, and it will change forever the way companies treat their users’ and customers’ data, and ultimately, how they do business online.

The main objective of this new regulation is to give EU citizens total control over the personal information about them that businesses worldwide collect, store, transfer, and use. This will allow consumers to be clearly informed about what kind of data companies acquire from them, how companies will use that data, and how they can have any trace of their records permanently deleted or easily transferred to other entities.

While this topic is very complex and its full impact on the way companies conduct business will not be completely understood for months after the law is implemented, in this article I want to give you an overview of its principles and explain why this is a very serious matter that, as a marketer, developer, and digital entrepreneur, you should pay close attention to. I’ll also discuss what it specifically means for professionals who deal with chatbots and conversational interfaces.

June 5th: The AI Audit in NYC

Join us next week in NYC to engage with top executive leaders, delving into strategies for auditing AI models to ensure fairness, optimal performance, and ethical compliance across diverse organizations. Secure your attendance for this exclusive invite-only event.

This matters, even if you’re not in the EU

This is not the first law from the European Union that prescribes how companies should handle privacy and consumer data, but it is actually the first time in the history of privacy and governments that such a regulation has teeth. Citizens and authorities now have a very powerful arsenal of tools they can use to enforce its application or punish any violation, mainly in the form of fees up to four percent of annual revenues or 20M € (whichever is greater). You can see for yourself that complying with its requirements is not just a matter of being a nice citizen or avoiding a mild slap on the wrist, as it has been so far, but rather a matter of life and death in case of an audit or frequent complaints from disgruntled users.

Now you might be thinking: “Thank God I live in America!” (or anywhere outside of the European Union). Well, think again. This regulation includes the “extraterritoriality principle,” which means that even if you, your company, and its servers are located on Mars (Elon?), once you deal with the data of EU citizens, you are subject to the GDPR and its fines. So, unless you are ready and willing to, and capable of, stopping any contact with European residents and companies (which, if it was even technically possible, would mean cutting off a continent with 300 million people, some of the largest corporations in the world, and millions of rich small and midsize businesses), you have to keep an eye on this regulation and be ready to implement it in your internal processes.

The core GDPR principles

To put things into context, let’s first list each of the GDPR core principles.

  1. Extraterritorial scope. As I said above, the GDPR applies to any organization in the world (no matter where it is located) that handles “personal data” of E.U. citizens.
  2. Clear and updated definition of “personal data” and “sensitive data.” According to the GDPR, “personal data is any information relating to an identified or identifiable individual.” While we would in general all agree with this definition, it is important to note that this “information related to an individual” now includes details once considered non-relevant, such as every single request to a server that contains an IP address. So, if you use a normal web server for your site or app that logs browsers’ requests, you’re dealing with personal data and will need to comply with the whole corpus of the GDPR. “Sensitive data” is anything even more personal that could identify the religion, the genetic data, or the political opinions of an individual. You don’t want to even get close to that unless you really have to.
  3. Individual rights to privacy. The GDPR lists a set of very clear and well-defined rights that consumers have. These include:
    (A) The right to be forgotten. Companies need to offer a simple way for users to have all the data stored about them permanently and completely deleted.
    (B) The right to object. An individual may prevent companies from storing certain information about them.
    (C) The right to rectification. Businesses need to provide an easy way for users to update and correct data they have about them.
    (D) The right of access. Individuals need to be able to know what data companies collect about them and how they handle it.
    (E) The right of portability. Companies need to provide a way for users to download all the data they have about them in a standard format such as CSV. This means everything, from posts to pictures to emails, as well as any database record specifically linked to that individual.
  4. Explicit consent. The age of pre-ticked checkboxes or phrases that sounded like “By clicking on this button you agree etc. etc.” in registration pages is over. Now, users need to explicitly express their consent and agreement to a very clear and detailed privacy policy, and the organization then needs to store permanently the record of such a consent as proof of that legally binding agreement. There’s even somebody who is suggesting taking and storing screenshots of the registration page with the checkbox ticked. Go figure.
  5. Strict processing requirements. Once a company receives an agreement and starts collecting data, it needs to make sure the data is handled in the most secure way and possibly encrypted in such a way that if somebody does get their hands on it, it’s not available in plain text.

Data controller vs. data processor

As we are getting closer to the core of the matter — how GDPR might affect marketing chatbots — we need to quickly touch on another topic that the regulation introduces: the difference between data controllers and data processors:

  • The “data controller” is the entity that decides what data a company collects about a user, where and how it stores the data, and how the internal system handles it.
  • The “data processor” is the entity that merely works as the system for acquiring the data but doesn’t decide what data a company collects and doesn’t act upon it.

This dichotomy is important because the majority of marketers who are building and using bots usually do so through a platform, so it’s essential to understand who is who. As you can imagine, data controllers have a larger set of rules that they need to comply with, including making sure that the data processors they are using are GDPR compliant. Otherwise, the government will hold them responsible and possibly fine them accordingly.

A GDPR checklist for chatbots

While this space is probably not so different than other marketing areas such as email or SMS marketing, I want to give you an initial checklist that could help you understand what areas you need to focus your attention on and help you determine actionable steps to become or remain GDPR compliant. Here are several questions you should ask in the process of GDPR-proofing your chatbot:

  1. Am I a data controller or a data processor? Most marketers will directly receive and handle the data collected through bots, so they will be considered data controllers and will therefore have to comply with the full GDPR rules and requirements.
  2. What kind of data am I collecting? How am I storing it? Am I using a GDPR-compliant platform?
  3. Do I offer people who engage with my bots a clear way to provide their consent for me to use their data? Do I allow them to contact me and ask me to be removed from the database or have their data transferred to them in a standard format?
  4. Am I using only GDPR-compliant data processors? Did I sign a legally binding document that clearly states they fulfill all requirements?
  5. Am I doing everything possible to make sure the data I collect is safe, possibly encrypted, and easily downloadable/portable in a standard format?

This is just the initial set of questions you should ask yourself to start adopting the “privacy by default” approach in your processes and operations. It offers a good start, especially for organizations that were not used to putting these issues at the center of their agendas.

A note about AI

Article 22 of the GDPR is titled “Automated Individual Decision-making, Including Profiling.” This article prescribes that artificial intelligence (the “automated individual” in question) cannot be used as the sole decision-maker in choices that have legal or similarly significant effects on users. What this means is that, for example, an AI algorithm cannot be the only process in place for deciding whether a consumer can receive a loan or is entitled to certain compensations or fines. The individual always has the right to request a manual intervention and challenge a decision made exclusively by automated systems; obviously, the burden of the proof that it wasn’t just an algorithm making the decision is on the company, not the user. So, if you are using or plan to use AI heavily in your internal processes, this is yet another thing to keep in mind.

Yes, you should worry

Worried? Well … sorry, but you should be, at least a little bit. Or better, you should be very alert on this regulation that will be enforceable in a couple of months. As I said before — and this is probably the most important element to consider right now — it’s the first time such a law has clear, real, and heavy penalties for companies that do not comply with its requirements. We are pretty sure authorities and consumers will be more than willing to see companies that keep stomping on their privacy rights pay for any illegal behaviors.

Silvio Porcellana is an entrepreneur, marketer, and coder working on the Interweb since 1999. He created The Maven System to help fellow entrepreneurs build successful online businesses.