Is your Chatbot POPIA compliant?
MAIN IMAGE: Maison Samuels of Webber Wentzel attorneys
Artificial Intelligence and digitisation are transforming the business landscape. Many new technologies are being created to streamline customer engagement, such as chatbots. Given the quantity of personal information which a chatbot may acquire, how do you ensure that your chatbot is POPIA compliant?
What is a Chatbot?
“A chatbot is an operating system that automates and simulates a conversation with humans in written or spoken form. This enables the user to interact with digital devices in the same way they would communicate with a real person. These interactions typically take place over messaging applications, or they may be embedded functions on a website. The chatbot is insentient – it allows you chat with it about the product or service that is being offered,” says Maison Samuels of Webber Wentzel attorneys.
Chatbots are not here to replace humans, but to help people by providing accurate information and expediting all kinds of transactions.
An area where it is just beginning to gain ground is in the real estate industry. Many real estate agents are already interested in taking advantage of this technology.
Chatbots can do much of the work and tasks that agents used to do, such as doing follow ups for potential clients online, evaluating and rating the potential client and retrieving information from databases.
Once the lead is captured and qualifying questions are answered, the new contact may be ready for the agent, who receives an instant notification of a new lead.
When buying or selling houses, most people turn to the Internet, but are reluctant to complete the registration forms. However, a lot of them are willing to talk with a chatbot.
According Samuels a chatbot enables the end user to receive an instant response to a question or issue. The intended result is that the end user saves time, which is intended to increase his or her satisfaction and translate into increased business sales and leads.
“For example, an e-commerce retail business may consider using a chatbot to direct end users to the specific pages of the website when the end user asks about a particular clothing item he or she wishes to purchase, or it will give information on a product when an end user queries the product’s applications.
“When a business uses a chatbot, a lot of real-time data about end users may be obtained during the conversation.
“In some instances, the data obtained by the chatbot includes personal information of an end user. Accordingly, if your business uses a chatbot service, you must ensure compliance with the Protection of Personal Information Act, 2013 (POPIA), which becomes fully operational on 1 July 2021. The chatbot service provider is also required to comply with POPIA,” he warns.
There are essentially three parties involved in the chatbot service and it is important to distinguish them to comply with POPIA. Firstly, there is the end user, the data subject to whom the personal information relates and who is typically identified through an identifier such as a name or identification number. The end user is protected by POPIA, and organisations that process the end user’s personal information must comply with the Act. Secondly, there is the responsible party, the organisation using the chatbot service to process the end user’s data for a specific. Lastly, there is the operator, the entity providing the chatbot service to the chatbot customer. The distinction between the latter two parties is important in determining who attracts liability in the event of a data breach.
Samuels says it is important to determine the type of information that is processed by the chatbot, as organisations have a duty to protect personal information under POPIA. This includes biometric information, basic identifying information (name and surname; any identifying number; e-mail address and location etc.) and information relating to a person’s racial and ethnic origin, religious beliefs and health.
Ensure POPIA compliance
There are various measures that a chatbot operator and its customers should take in order to ensure POPIA compliance.
- Purpose: records of personal information must not be kept any longer than is necessary for achieving the purpose for which the information was collected. If a chatbot informs an end user that it will be using their email address to provide further information about the chatbot customer’s services, it should be used for that purpose only.
- Consent: Importantly, because the chatbot will request personal information from the end user, he/she should consent to the personal information being used, unless there is another justification for the chatbot to process the end user’s personal information. Before the conversation commences, the chatbot should provide the end user with a link to the Terms of Service, which should include appropriate consent provisions to the processing of the end user’s personal information.
- Access to and deletion of information: POPIA provides data subjects with the right to request access to their personal information once collected. It is common practice to enable the end user to download their data in digital form by making use of a query and response format in the chatbot. POPIA provides data subjects with the right to request the deletion of their personal information. The end user may be provided with an option to request that his, her or its personal information be deleted.
- Automated decision-making: A data subject may not be subject to a decision that may adversely affect him/her, which is based solely on the automated processing of personal information. Therefore, it is prudent that chatbot operators ensure that there is human oversight or involvement over the chatbot.
- Transborder information flows: The chatbot customer should determine whether any personal information is being transferred to a third party outside South Africa when using the chatbot service. A responsible party may not transfer personal information of a data subject to a third party who is in a foreign country unless certain conditions are met.
A chatbot can obtain the most important information that the agent needs, and the client receives an answer to his questions. Chatbots can do the job when support and sales teams cannot or do not have time to do it, and they always capture information of potential clients.
Although chatbots are innovative and transform aspects of the online business landscape, it is crucial to consider the rights of the end user, and the obligations of the chatbot customer and provider under POPIA.