What we learned from making our chatbot GDPR compliant
How does this fare?
This is our second version. In the first, we tried to link directly to the T&S from the copy of the bot. Little did I know, we can’t do that. And sending a PDF attachment would also be awful. This is how we settled on the web view method.
According to our analytics data, 90% of users who make it to the step where they have to accept our T&S do. This is quite a phenomenal number and I think it would take considerable effort to improve it further, so for now we left it like this.
Other GDPR considerations and how we dealt with them
At first, we had a way to decline our T&S, which would result in the user getting a message asking whether they were sure. Obviously, they could not use our service without accepting. After some consideration we decided to remove this and simply expect users who do not agree to our T&S to abandon our bot.
A rather time-consuming part of adhering to GDPR is collecting the relevant documentation from the third parties with whom you share sensitive information. This could include services like Mailchimp or Google Analytics. Most of these companies make it pretty easy to obtain what you need on their website, but if you’re using more obscure services it could be a challenge.
Another point in GDPR that we had to address is the right of users to access and request deletion of their data. We addressed this in our T&S under the section detailing the users’ legal rights. For now it is a manual process: the user writes us an email, we ask for information that helps us identify them in our DB, and then we remove the user manually.
And now we have arrived at the point where we can talk about how we could improve in the future.
Areas of improvement
The manual user lookup and deletion process described above is a prime thing to improve in the future. As we scale, we expect these requests to increase as well, to the point where it makes sense to invest in product development to automate it. We plan on implementing a flow in the bot where the user can request their info to be shown and deleted.
Another improvement we could make relates to our web view. Today, the user needs to manually close it and then tap accept in the bot. We plan to include a sticky footer in the web view with a button to accept the T&S. This would then close the web view and link back to the bot with a state that indicates that the user accepted the T&S.