GDPR and PECR implications for chatbots

Last updated: 14 April 2021

Note: This article does not constitute legal advice

GDPR is an acronym that strikes fear into compliance officers across the EU (and UK). GDPR is the new “health and safety” - people are quick to cite it without really understanding how to apply it to their own organisation. For organisations adopting chatbots, PECR is less well known but equally relevant. I will cover both sets of regulations here and how they relate to chatbots.

What is GDPR?

The General Data Protection Regulations (GDPR) cover data protection and privacy. It’s an EU regulation (as opposed to a directive), which makes it legally binding in its entirety across EU member states. GDPR regulates the collection and storage of personal information, also known as personally identifiable information (PII). Personal information is any information that relates to a specific, identifiable person.

As with most privacy-related matters, the UK Information Commissioner’s Office (ICO) has extensive guidance relating to GDPR.

Does GDPR apply after Brexit?

Yes - the UK was a member of the EU at the time the regulations came into force. The EU Withdrawal Act transposed EU law into national UK law, as direct effect would no longer apply. This means GDPR, now known as UK GDPR, continues to apply, along with the Data Protection Act (see below).

What is personally identifiable information (PII)?

Many people offer views as to what constitutes PII, but I believe the best source is the GDPR itself. Specifically Article 4 (“Definitions”):

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

I would like to draw your attention to this phrase:

who can be identified, directly or indirectly

Indirect identification, also known as jigsaw identification, is an aspect of GDPR that is often overlooked.

What is the Data Protection Act?

The Data Protection Act 2018 sits alongside GDPR. GDPR gave some flexibility to national governments in relation to data protection. The Data Protection Act 2018 “fills in the gaps” by specifying rules for the processing of “sensitive information” (e.g. medical data), some exemptions, and the rules for the police and intelligence services.

What is PECR?

The Privacy and Electronic Communications Regulations (PECR) cover electronic marketing and cookies (the dreaded cookie banners). PECR also regulates public network operators (telcos and ISPs). Whilst GDPR covers the collection and storage of personal information, PECR regulates the use of personal information via electronic means.

Some examples of activities that fall under PECR include:

  • Sending marketing emails to individuals
  • Sending marketing SMS messages.
  • Using cookies on a website

These are just some examples. As we’ll see later, the definitions are deliberately broad in scope. Many activities, including chatbot messages, fall under PECR (and GDPR).

The UK Information Commissioner also publishes guidance covering PECR.

How does GDPR apply to chatbots?

Any time you collect and store personal information you fall within the scope of GDPR. It should be obvious that if your chatbot asks users for personal information, you fall within GDPR. However, I want to highlight some aspects of GDPR that are often overlooked by chatbot developers.

Data labelling

Many chatbots rely on neural networks, in particular natural language understanding. The training stage relies on manual labelling of data, typically chat transcripts. This is usually to aid Named Entity Recognition. As the work of labelling the data is low skilled and typically low paid, much of it is done overseas in less developed countries.

If your organisation does this, think carefully about the implications. Are you sending personal data outside the UK or EU? GDPR covers not only the collection and processing of data, but also international transfers. The UK Information Commissioner’s Office has issued guidance on international data transfers.

Metadata

Even if you don’t explicitly request personal information, it might be provided to you in the form of metadata. Take WhatsApp’s Business API as an example. The profile object contains the sender’s profile name. Is a profile name a form of personal information? Well, maybe. It depends on what the user chooses to use as a profile name. “TheBigMan” cannot be used to identify an individual, at least not directly. However, “John Doe” is definitely personal information.

This isn’t to say that you can’t store metadata like profile name. GDPR doesn’t prevent you from storing or using personal information, it just regulates it. Going back to the example of a profile name, you need to ask “why do I need this information?”. In most cases a user’s profile name is not much use, yet it could identify the individual.

Jigsaw identification

I mentioned earlier that indirect identification is often overlooked by developers. If you can identify an individual by piecing together various bits of information you are collecting personal information. This is sometimes known as “jigsaw identification” or “re-identification”. Let me give you an example where this may be an issue:

  1. A user is logged into your website. You store some personal information e.g. an email address but this is GDPR compliant and covered by your privacy policies.

  2. The same user uses your onsite chatbot. The chatbot doesn’t record any personal information and has no link or id pointing back to the website profile. The user is anonymous. However, both the website and the bot log the User-Agent and IP address of the visitor along with the timestamp.

By comparing the data from the website and chatbot logs you could identify the individual accessing your bot. You now need to have a lawful reason to store the user’s chat history and make this clear in your privacy policies. You must also delete the data if requested to do so by users.

Another example of re-identification would be asking a user for their order number. The moment the user provides this information you can tie their chat history to their personal information.
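The log comparison described above can be run as a self-audit to find out which "anonymous" chat sessions are in fact linkable to an account. This is an added example, not code from the original article; the log field names, the sample rows and the 15-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample logs; field names and values are assumptions.
SAFARI = "Mozilla/5.0 (Macintosh) Safari/605.1.15"
CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/89.0"
WEB_LOG = [  # authenticated site requests: the account is known
    {"ts": "2021-04-14T10:02:11", "ip": "203.0.113.7", "ua": SAFARI, "email": "alice@example.com"},
    {"ts": "2021-04-14T10:05:40", "ip": "198.51.100.9", "ua": CHROME, "email": "bob@example.com"},
    {"ts": "2021-04-14T10:06:02", "ip": "198.51.100.9", "ua": CHROME, "email": "carol@example.com"},
]
CHAT_LOG = [  # "anonymous" chatbot sessions: no account id stored
    {"ts": "2021-04-14T10:03:30", "ip": "203.0.113.7", "ua": SAFARI, "session": "chat-1"},
    {"ts": "2021-04-14T10:07:15", "ip": "198.51.100.9", "ua": CHROME, "session": "chat-2"},
    {"ts": "2021-04-14T10:09:00", "ip": "192.0.2.50", "ua": CHROME, "session": "chat-3"},
    {"ts": "2021-04-14T13:30:00", "ip": "203.0.113.7", "ua": SAFARI, "session": "chat-4"},
]

def candidates(web_log, chat_log, window=timedelta(minutes=15)):
    """Map each chat session to the accounts seen on the website with the same
    IP address and User-Agent within `window` of a chat log entry."""
    by_fingerprint = {}
    for row in web_log:
        seen = datetime.fromisoformat(row["ts"])
        by_fingerprint.setdefault((row["ip"], row["ua"]), []).append((seen, row["email"]))
    result = {}
    for row in chat_log:
        seen = datetime.fromisoformat(row["ts"])
        matches = result.setdefault(row["session"], set())
        for ts, email in by_fingerprint.get((row["ip"], row["ua"]), []):
            if abs(seen - ts) <= window:
                matches.add(email)
    return result

def reidentifiable(web_log, chat_log, window=timedelta(minutes=15)):
    """Sessions that narrow to exactly one account. Their transcripts are
    linkable to a person and should be handled as personal data."""
    found = candidates(web_log, chat_log, window)
    return {s: next(iter(c)) for s, c in found.items() if len(c) == 1}

if __name__ == "__main__":
    for session, accounts in candidates(WEB_LOG, CHAT_LOG).items():
        print(session, sorted(accounts) or "no match")
```

A session that matches several accounts (two colleagues behind one office IP, as in chat-2) is not uniquely identified, but it has still been narrowed to a small group and can be resolved by one more piece of the jigsaw.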

Anonymization

Data that has been anonymized typically falls outside the scope of GDPR and wider data protection laws. Anonymization is not trivial, however. Broadly speaking it falls into 3 categories:

  1. Data masking - Partially redacting personal information from a document. For example redacting an email address from a chat transcript, but retaining a date of birth. Vulnerable to jigsaw re-identification.

  2. Pseudonymization - Replacing PII e.g. email addresses with a random identifier, e.g. a UUID. The UUID allows the data to be associated with a particular individual, whilst not actually identifying the individual. Also vulnerable to jigsaw re-identification.

  3. Aggregation - Data is aggregated, and the aggregation stored. For example the total number of Safari vs Chrome users in a given period. There is a relatively low risk of re-identification with this approach.

Anonymisation is covered by the ICO in a pretty extensive guide.

Chatbots present a particular challenge when it comes to anonymization. Unlike websites and apps, the data is entered in freeform format. You might ask the user for their email address and reasonably expect to receive personal information in the reply. However, the user may just as easily volunteer this information when you are not expecting it. For example: “hello i placed an order but used the wrong email, it should be …”

For this reason you need to think carefully about first screening all data before deciding what to anonymize. Pattern matching could work well for email addresses and phone numbers. For other data such as names, you might want to use artificial intelligence, in particular named entity recognition (NER). You can train an NER model specifically for this purpose.
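A sketch of the pattern-matching screen for email addresses and phone numbers, combined with the UUID pseudonymization described earlier. This is an added example, not code from the original article: the `Screener` class, both regular expressions and the sample messages are constructed assumptions, and names would still need the NER step mentioned above.

```python
import re
import uuid

# One combined pattern so replacement tokens are never re-scanned.
# Both patterns are deliberately loose assumptions; tune them for your users.
PII = re.compile(
    r"(?P<email>[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"
    r"|(?P<phone>(?<!\w)\+?\(?\d[\d\s().-]{7,17}\d(?!\w))"
)

class Screener:
    """Replaces e-mail addresses and phone numbers in free text with stable
    pseudonyms, so one person's messages stay linked without naming them."""

    def __init__(self):
        # (kind, normalised value) -> token. This table re-identifies people:
        # keep it apart from the transcripts, or discard it entirely.
        self.tokens = {}

    def _token(self, kind, value):
        return self.tokens.setdefault((kind, value), f"<{kind}:{uuid.uuid4()}>")

    def _replace(self, match):
        if match.group("email"):
            return self._token("email", match.group("email").lower())
        digits = re.sub(r"\D", "", match.group("phone"))
        if not 9 <= len(digits) <= 15:
            return match.group()  # e.g. a date such as 2021-04-14: leave as is
        return self._token("phone", digits)

    def screen(self, text):
        return PII.sub(self._replace, text)

if __name__ == "__main__":
    s = Screener()
    # Constructed messages, modelled on the article's example.
    print(s.screen("hello i placed an order but used the wrong email, "
                   "it should be Jane.Doe@example.com."))
    print(s.screen("its jane.doe@example.com again, ring me on 07700 900123"))
```

The phone pattern errs towards over-redaction: any run of 9 to 15 digits, including a long order number, is replaced.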

How does PECR apply to chatbots?

In short, you must not send marketing type messages to users unless they have explicitly given consent. You must also give users the option of opting out at any time. The ICO recommends a website checkbox asking users if they wish to receive marketing messages. This checkbox should be unchecked by default. They also advise adding the typical unsubscribe link to all marketing emails. How should this guidance be applied to chatbots?

The definition of “electronic mail” is deliberately broad:

any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service.

Note: this definition is not limited to email and SMS. It also covers instant messages and direct messages on social networks. It will be interesting to see if “tagging” someone in a post falls under the scope of the rules. Whilst there has not yet been a test case, I imagine it’s only a matter of time before “tagging” is deemed to be within the scope of PECR.

If asking website users for consent, you should explicitly mention your chat channels e.g. SMS, WhatsApp etc. You should also allow users to give selective consent to different channels, e.g. Email but not SMS.

What about asking for consent by chat itself? It’s perfectly acceptable to ask for consent during a chat conversation. This is assuming the user initiated the conversation. You are not allowed to initiate a conversation asking for consent.

What if the user initiates the conversation? If a user sends a message to your bot, you are of course free to reply with suitable messages, without explicitly asking for consent. However, you do need to ask for consent if you plan to send subsequent, unsolicited messages after the end of the conversation.

Soft opt-in

A little known, and often overlooked aspect of PECR is soft opt-in.

PECR allows for so called “soft opt-in” by previous customers. You can assume that customers would be interested to receive marketing material related to their previous purchases. However, you must allow customers to opt-out. The examples given by the ICO are the typical website checkbox.

So for example, on an order confirmation screen you can ask the user if they want to receive marketing communications. Unlike other areas of your site you can use a check box which is checked by default.

You must allow users to withdraw consent at any time. The example given by the ICO is an unsubscribe link in an email. How does this apply to chatbot messages? When you first instigate a conversation, you should make the user aware of their right to withdraw consent. Users could withdraw consent either by visiting a website link (provided in the message) or by typing a specific phrase e.g. “opt out” which your bot will look out for.

Indirect or referral messaging

PECR prevents you from sending messages to individuals whose details have been provided by others. The once popular “send this to a friend” type popups are explicitly banned by PECR. In fact, collecting contact details in this way would also be a breach of GDPR.

The rules also prevent the instigation of messaging by third parties. In other words - even if you don’t send an unsolicited message yourself, but encourage someone else to do so, you are breaching PECR. So don’t be tempted to ask users to forward messages to friends! Of course users are still able to forward messages, and you won’t be liable unless you encouraged them to do so.

So in simple terms it’s best to offer content which can be shared easily. You can even tell the user your content can be shared. Just don’t ask them to forward it.

Summary

GDPR governs the collection and storage of personal information, whereas PECR regulates electronic marketing. Both apply to chatbot developers. You should be sure you don’t inadvertently collect personal information. This might happen if a user supplies personal information through metadata or through general chat. Individual pieces of information may not identify an individual, but when put together they can. This is known as jigsaw identification. PECR prevents you from sending unsolicited marketing messages without explicit consent. The only exception is for previous customers. All users must be able to opt out at any time. You must not encourage users to forward messages on to other people.

Frequently Asked Questions

Does GDPR apply after Brexit?

Yes, absolutely! GDPR was implemented whilst the UK was still an EU member state. The EU Withdrawal Act transposed most EU laws (including GDPR) into national UK law. GDPR is now referred to as UK GDPR. The supplementary Data Protection Act 2018 also continues to apply.

What is jigsaw identification?

Jigsaw identification is the identification of an individual by piecing together information. For example a name alone may not be enough to identify a person (especially if it’s a very common name). Likewise a date of birth is not enough to identify someone. However, the name and date of birth together allows you to identify someone.

Does PECR apply to WhatsApp messages?

Yes! Although PECR refers to “electronic mail”, the definition is deliberately broad. It covers all forms of direct electronic messaging including WhatsApp, Facebook Messenger etc.

Do I need permission to send marketing messages?

Yes. In most cases you need explicit consent to send marketing messages. However, you can send marketing messages to previous customers so long as you give them the option of opting out. This is covered by the Privacy and Electronic Communications Regulations (PECR).

Do I need permission to send customer service messages?

No. However, you must allow users to opt out at any time.
