France’s CNIL, Commission Nationale de l’Informatique et des Libertés, has issued guidance on data protection in the use of chatbots.
- Consent for cookies isn’t necessary if they are strictly required to operate the chatbot, but is required for all other cookies.
- Retain the data only for as long as required for the purpose.
- Don’t use a chatbot for decision making which may have a significant effect on the person as this would fall under Art 22 GDPR (automated processing).
- If collected special category data, see if any exception of Art 9 applies (ie express consent because that is the purpose of the particular chatbot).
- If special category data might be inputted as part of ‘free text’, you don’t need consent but you should:
- Warn people to refrain from communicating sensitive data.
- Immediately and/or regularly purge the data.