When a business uses a chatbot, a lot of real-time data about end users may be obtained during the conversation.
In some instances, the data obtained by the chatbot includes personal information of an end user. Accordingly, if your business uses a chatbot service, you must ensure compliance with the Protection of Personal Information Act, 2013 (PoPIA), which becomes fully operational on 1 July 2021. The chatbot service provider is also required to comply with PoPIA.
There are essentially three parties involved in the chatbot service and it is important to distinguish them to comply with PoPIA. Firstly, there is the end user, the data subject to whom the personal information relates and who is typically identified through an identifier such as a name or identification number. The end user is protected by PoPIA, and organisations that process the end user's personal information must comply with the Act. Secondly, there is the responsible party, the organisation using the chatbot service to process the end user's data for a specific purpose (for the purposes of this article, we will refer to this party as the chatbot customer). Lastly, there is the operator, the entity providing the chatbot service to the chatbot customer. The distinction between the latter two parties is important in determining who attracts liability in the event of a data breach.
It is also important to determine the type of information that is processed by the chatbot, as organisations have a duty to protect personal information under PoPIA. This includes biometric information (i.e., information that identifies a person based on physical, physiological or behavioural characteristics), basic identifying information (name and surname, any identifying number, e-mail address, location, etc.) and information relating to a person's racial or ethnic origin, religious beliefs and health.
The chat session and the sharing of personal information will typically unfold in a three-step process. Firstly, prior to a chat session, the chatbot is able to obtain the end user's identifying information, such as name, location, phone numbers and e-mail addresses. Notably, this may differ from platform to platform. Secondly, once the chat session has commenced and the end user and the chatbot are conversing, further personal information or files may be introduced into the chat. Lastly, when the chat session is concluded, the chatbot may integrate the data received from the end user with the customer relationship management (CRM) software (which administers interactions with end users) used by the chatbot customer, and with other related technologies, to improve business relationships with end users.
There are various measures that a chatbot operator and its customers should take in order to ensure PoPIA compliance. The considerations discussed below are not exhaustive.
Although chatbots are innovative and transform aspects of the online business landscape, it is crucial to consider the rights of the end user, and the obligations of the chatbot customer and operator, under PoPIA. The purpose of PoPIA is to protect the constitutional right to privacy. However, this should not stifle innovation, and organisations using chatbots, as well as those providing the service, should obtain appropriate legal advice to ensure PoPIA compliance.