France’s CNIL, Commission Nationale de l’Informatique et des Libertés, has issued guidance on data protection in the use of chatbots.

Key Takeaways
  • Consent for cookies isn’t necessary if they are strictly required to operate the chatbot, but is required for all other cookies.
  • Retain the data only for as long as required for the purpose.
  • Don’t use a chatbot for decision-making that may have a significant effect on the person, as this would fall under Art 22 GDPR (automated processing).
  • If you collect special category data, check whether any exception in Art 9 applies (i.e. express consent because that is the purpose of the particular chatbot).
  • If special category data might be inputted as part of ‘free text’, you don’t need consent but you should:
    • Warn people to refrain from communicating sensitive data.
    • Immediately and/or regularly purge the data.

Details from CNIL.