Is your chatbot POPIA compliant?
By Maison Samuels, candidate attorney, Webber Wentzel.
Artificial intelligence and digitisation are transforming the business landscape. Many new technologies are being created to streamline customer engagement, such as chatbots. Given the quantity of personal information which a chatbot may acquire, how do you ensure that your chatbot is POPIA compliant?
What is a chatbot?
A chatbot is a software program that automates and simulates a conversation with humans in written or spoken form. This enables the user to interact with digital devices in the same way they would communicate with a real person. These interactions typically take place over messaging applications, or the chatbot may be an embedded function on a Web site. The chatbot is insentient – it allows you to chat with it about the product or service that is being offered.
Why would a business consider using a chatbot?
A chatbot enables the end-user to receive an instant response to a question or issue. The intended result is that the end-user saves time, which should increase his or her satisfaction and translate into increased sales and leads for the business. For example, an e-commerce retail business may use a chatbot to direct end-users to the specific pages of the Web site when an end-user asks about a particular clothing item he or she wishes to purchase, or to give information on a product when an end-user queries its applications.
Why is POPIA relevant in the context of chatbots?
When a business uses a chatbot, a lot of real-time data about end-users may be obtained during the conversation.
In some instances, the data obtained by the chatbot includes personal information of an end-user. Accordingly, if your business uses a chatbot service, you must ensure compliance with the Protection of Personal Information Act, 2013 (POPIA), which becomes fully operational on 1 July 2021. The chatbot service provider is also required to comply with POPIA.
There are essentially three parties involved in the chatbot service and it is important to distinguish them to comply with POPIA. Firstly, there is the end-user, the data subject to whom the personal information relates and who is typically identified through an identifier such as a name or identification number. The end-user is protected by POPIA, and organisations that process the end-user's personal information must comply with the Act. Secondly, there is the responsible party, the organisation using the chatbot service to process the end-user's data for a specific purpose (for the purposes of this article, we will refer to this party as the chatbot customer). Lastly, there is the operator, the entity providing the chatbot service to the chatbot customer. The distinction between the latter two parties is important in determining who attracts liability in the event of a data breach.
It is also important to determine the type of information that is processed by the chatbot, as organisations have a duty to protect personal information under POPIA. This includes biometric information (ie, information that identifies a person based on physical, physiological or behavioural characteristics), basic identifying information (name and surname, any identifying number, e-mail address and location, etc) and information relating to a person's racial and ethnic origin, religious beliefs and health.
The chat session and sharing of personal information will typically unfold in a three-step process. Firstly, prior to a chat session, the chatbot is able to obtain and identify the end-user's information such as name, location, phone numbers and e-mail addresses. Notably, this may differ from platform to platform. Secondly, when the chat session has commenced and the end-user and the chatbot are conversing, further personal information or files may be introduced to the chat. Lastly, when the chat session is concluded, the chatbot may integrate the data received from the end-user with the customer relationship management (CRM) software (which administers interactions with end-users) used by the chatbot customer, and other related technologies, to improve business relationships with end-users.
Considerations for chatbot operators in ensuring POPIA compliance
There are various measures that a chatbot operator and its customers should take in order to ensure POPIA compliance. The considerations discussed below are not exhaustive.
Purpose – Records of personal information must not be kept any longer than is necessary for achieving the purpose for which the information was collected. If a chatbot informs an end-user that it will be using their e-mail address to provide further information about the chatbot customer's services, it should be used for that purpose only.
Consent – Importantly, because the chatbot will request personal information from the end-user, he/she should consent to the personal information being used, unless there is another justification for the chatbot to process the end-user's personal information. Before the conversation commences, the chatbot should provide the end-user with a link to the terms of service, which should include appropriate consent provisions to the processing of the end-user's personal information.
Access to and deletion of information – POPIA provides data subjects with the right to request access to their personal information once collected. It is common practice to enable the end-user to download their data in digital form by making use of a query and response format in the chatbot. Further, POPIA provides data subjects with the right to request the deletion of their personal information. The end-user may be provided with an option to request that his, her or its personal information be deleted. A download feature and the ability to request the deletion of personal information are recommended features to enable POPIA compliance.
Automated decision-making – A data subject may not be subject to a decision that may adversely affect him/her, which is based solely on the automated processing of personal information. Therefore, it is prudent that chatbot operators ensure there is human oversight or involvement over the chatbot.
Trans-border information flows – The chatbot customer should determine whether any personal information is being transferred to a third party outside South Africa when using the chatbot service. A responsible party may not transfer personal information of a data subject to a third party who is in a foreign country, unless certain conditions are met.
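The considerations above, sketched as data-handling controls in an added example (this is not code from the article or from Webber Wentzel): a consent gate before collection, purpose-bound retention, an access export, deletion on request, and a trans-border transfer check. The purposes, retention periods and approved-country set are assumed values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed retention periods per purpose; POPIA fixes no periods, these are assumed.
RETENTION = {"product_enquiry": timedelta(days=30), "follow_up_email": timedelta(days=90)}
# Assumed set of countries the chatbot customer has cleared for transfers.
APPROVED_COUNTRIES = {"ZA"}

@dataclass
class ChatRecord:
    end_user_id: str
    purpose: str
    collected_at: datetime
    fields: dict
    deleted: bool = False

class ChatbotStore:
    def __init__(self):
        self.records = {}

    def collect(self, end_user_id, purpose, fields, consent_given, now):
        # Consent gate: refuse processing unless the end-user consented to this purpose.
        if not consent_given:
            raise PermissionError("no consent for purpose: " + purpose)
        RETENTION[purpose]  # KeyError: personal information needs a declared purpose
        self.records.setdefault(end_user_id, []).append(ChatRecord(end_user_id, purpose, now, dict(fields)))

    def purge_expired(self, now):
        """Purpose limitation: erase records held longer than their purpose needs."""
        removed = 0
        for recs in self.records.values():
            for r in recs:
                if not r.deleted and now - r.collected_at > RETENTION[r.purpose]:
                    r.fields, r.deleted, removed = {}, True, removed + 1
        return removed

    def export_for(self, end_user_id):
        """Access request: the end-user's live records in a downloadable form."""
        return [{"purpose": r.purpose, "collected_at": r.collected_at.isoformat(), "fields": dict(r.fields)}
                for r in self.records.get(end_user_id, []) if not r.deleted]

    def delete_for(self, end_user_id):
        """Deletion request: erase everything held for the end-user."""
        live = [r for r in self.records.get(end_user_id, []) if not r.deleted]
        for r in live:
            r.fields, r.deleted = {}, True
        return len(live)

def transfer_allowed(destination_country):
    """Trans-border flow check: only approved destinations pass without further review."""
    return destination_country in APPROVED_COUNTRIES
```

Human oversight of automated decisions is a process control rather than a data-store function, so it is not modelled here.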
Although chatbots are innovative and transform aspects of the online business landscape, it is crucial to consider the rights of the end-user, and the obligations of the chatbot customer and provider under POPIA. The purpose of POPIA is to protect the constitutional right to privacy. However, this should not stifle innovation, and organisations using chatbots and those that provide this service should receive appropriate legal advice to ensure POPIA compliance.