What we learned from making our chatbot GDPR compliant

Matt Szaszko
Published in Super Izzy AI
Sep 25, 2018

You know the acronym, the 4 letter word that took over the internet late May 2018. It is a progressive privacy law put in place by the EU that empowers users and curbs the way companies can collect data. For most of us though, it has caused a bit of a headache. As a maker, you need to make sure you adhere to complex and sometimes unclear rules. And as a user, you have to put up with even more popups and policies to accept that you, most probably, still won’t read.

If you are a small startup, this can put plenty of strain on your product and development efforts. Not to mention all the energy you’ll spend looking up best practices and what you need to do in the first place. In the last couple of months we learned and iterated quite a bit, so it is timely to share what we think is a good approach. Let me show you how we did it for our Facebook Messenger female health chatbot, Super Izzy.

Hi, my name is Izzy!

Check what data you collect

First, look into what data you collect on your users that qualifies as personally identifiable information under GDPR. For us, this is what our user table looks like:

{
  "context": "period_start_confirmation_notification_send",
  "cycle_length": "28",
  "it_context": "it",
  "locale": "en_GB",
  "period_length": "5",
  "pill_break": 1,
  "pill_reminder_corrected_hour": 21,
  "pill_reminder_corrected_minute": 0,
  "pill_reminder_corrected_time": "9 PM",
  "pill_reminder_notification": false,
  "pill_reminder_number": 43,
  "pill_reminder_time": "9 PM",
  "short_term_memory": "9 PM",
  "takes_pill": true,
  "timezone": "1",
  "user_id": "1147257392018760",
  "uuid": "38f3595c-42c4-444a-a3a0-6a48c20cd7e4",
  "wd2017": "wd_read"
}

As you can see, we collect quite a bit of data that one might find sensitive, like how long their menstrual cycle is, how long their period lasts and whether they are taking contraceptive pills. However, under GDPR, none of this is considered personally identifiable information.

We still, however, consider our UUID and Facebook’s user_id as such information and thus clearly explain why we need it in our Privacy Policy, along with other items, to make our users feel comfortable using our service and providing us with all this information.

The Personal Data section of our Terms of Use

All right, but how do you put this all in place in your chatbot? What is the best approach? Well, I can tell you what we came up with and what seems to be working for us so far.

Optimise onboarding for UX

We thought about a number of scenarios for our onboarding, and ended up with one that uses a web view inside Messenger for displaying the legal stuff.

We start out with an introduction to Super Izzy and get the user to engage with the bot by tapping “Sounds great!”. Then we present them with the prompt to view and accept our T&S while teasing what they can expect once they do. If the user chooses to view it, we pop up a half size web view inside Messenger, thus not taking the user out of context completely.

How does this fare?

This is our second version. In the first, we tried to link directly to the T&S from the copy of the bot. Little did I know, we can’t do that. And sending a PDF attachment would also be awful. This is how we settled on the web view method.

According to our analytics data, 90% of users who make it to the step where they have to accept our T&S do. This is quite a phenomenal number and I think it would take considerable effort to improve it further, so for now we left it like this.

Other GDPR considerations and how we dealt with them

At first, we had a way to decline our T&S, which would result in the user getting a message asking if they are sure. Obviously, they could not use our service. After some consideration we decided to remove this and simply expect users who do not agree to our T&S to abandon our bot.

A rather time-consuming part of adhering to GDPR is collecting the relevant documentation from third parties you share sensitive information with. This could include services like Mailchimp, or Google Analytics. Most of these companies make it pretty easy to obtain what you need on their website, but if you’re using more obscure services it could be a challenge.

Another point in GDPR that we had to address is the right of users to access and request deletion of their data. We addressed this in our T&S under the section detailing the users’ legal rights. We have it as a manual process for now: the user writes us an email, we ask them for information that helps us identify them in our DB, and we remove the user manually.

And now we have arrived at the point where we can talk about how we could improve in the future.

Areas of improvement

The above example describing our manual user lookup and deletion process is a prime thing to improve in the future. As our scale increases, we expect these requests to increase as well, to the point where it makes sense to invest in product development to automate it. We plan on implementing a flow in the bot where the user can request their info to be shown and deleted.

Another improvement we could make relates to our web view. Today, the user needs to manually close it and then tap accept in the bot. We plan to include a sticky footer in the web view with a button to accept the T&S. This would then close the web view and link back to the bot with a state that indicates that the user accepted the T&S.
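An added sketch, not Super Izzy's code, of the automated access and deletion flow planned above, combined with a T&S acceptance gate like the one the onboarding describes. The `UserStore` class, its method names and the sample record values are assumptions; only the field names come from the user table shown earlier.

```python
from datetime import datetime, timezone

# Fields the article treats as identifying; everything else is profile data.
IDENTIFIER_FIELDS = {"user_id", "uuid"}


class UserStore:
    """Hypothetical in-memory stand-in for the bot's user table."""

    def __init__(self):
        self._users = {}    # user_id -> stored record
        self._consent = {}  # user_id -> T&S version and acceptance time

    def accept_terms(self, user_id, version):
        self._consent[user_id] = {
            "version": version,
            "accepted_at": datetime.now(timezone.utc).isoformat(),
        }

    def save(self, record):
        # Nothing is written until the user has accepted the T&S.
        if record["user_id"] not in self._consent:
            raise PermissionError("terms not accepted; refusing to store data")
        self._users[record["user_id"]] = dict(record)

    def export(self, user_id):
        """Access request: everything held on the user, or None if unknown."""
        record = self._users.get(user_id)
        if record is None:
            return None
        return {
            "identifiers": {k: v for k, v in record.items() if k in IDENTIFIER_FIELDS},
            "profile": {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS},
            "consent": self._consent.get(user_id),
        }

    def erase(self, user_id):
        """Deletion request: this sketch drops the record and the consent
        entry, and is safe to call twice for the same user."""
        record = self._users.pop(user_id, None)
        self._consent.pop(user_id, None)
        return {"erased": record is not None,
                "fields_removed": len(record) if record else 0}


# Constructed sample record; values are placeholders, not real user data.
SAMPLE = {"user_id": "0000000000000000",
          "uuid": "00000000-0000-0000-0000-000000000000",
          "cycle_length": "28", "period_length": "5",
          "takes_pill": True, "locale": "en_GB"}
```

Because `erase` reports whether a record existed, a repeated or mistaken deletion request gets a clear answer instead of an error.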

Is your chatbot GDPR compliant? Did you do it differently? Let us know in the comments what you think and what we could improve.
