Privacy And Security Considerations For Consumer-Facing Chatbots

One of the most critical considerations when building consumer-facing chatbots is ensuring privacy and security. This is even more important in industries like retail, CPG, banking, healthcare, travel etc., where chatbots capture sensitive user information.

Lack of a robust security and privacy framework in chatbots can result in:

  1. Data breaches and loss of sensitive personal data
  2. Increased Mean Time To Detect and Respond (MTTD & R)
  3. Reduced consumer trust
  4. Compliance and regulatory violations
  5. Heavy fines and penalties

Recently, Delta Air Lines sued its chatbot technology provider for millions of dollars over a 2017 data breach. The airline stated that credit-card details and other personal information from up to 825,000 customers were exposed. Hackers accessed the vendor’s systems, modified the source code and scraped Delta customers’ data from the airline’s website chatbot.

With the global average cost of a data breach having grown to $3.92 million and with chatbots becoming a must-have tool in customer service operations, organizations need to ensure there are standardized security procedures and protocols while building and deploying chatbots.

Having helped several medium and large organizations deploy consumer-facing chatbots, we share some of our experiences and security best practices to follow while building a chatbot.

Take A Phased Approach To Ensuring Chatbot Security

[Image: Bot Development Life Cycle]

There are different phases involved in building an enterprise chatbot. From capturing requirements and creating the Conversational User Experience (CUX), through building Natural Language (NL) models, to User Acceptance Testing (UAT) and Go-Live, each phase involves different activities.

And in each phase, you need to perform the right security-related activities and collaborate with relevant stakeholders. This streamlined approach ensures you’re getting the needed approvals from the right people at the right stage of the development cycle and nobody throws a spanner in the works when you’re about to go live.

For instance, here’s a story we recently heard. The marketing team at a multinational CPG company which offers health and beauty products built a super powerful consumer chatbot and invested heavily in it. The chatbot asks consumers to upload their headshots and analyzes their skin quality. Based on the analysis, it generates a score which rates their skin out of 10.

Just when the chatbot was about to be deployed, their legal team intervened, determined that the conversations were not in line with the company’s privacy policies and asked marketing to scrap the project.

All the effort and resources that the company invested in building the chatbot were wasted.

Now that we’ve understood the importance of a phased approach to ensuring privacy and security, let’s deep dive and understand the different phases and related activities involved in each of them.

a. Data Protection Analysis with DPO

Once you’ve identified and formalized the business requirements, you need to create the chatbot’s base data. At this stage, you need to address important data security and privacy aspects like:

  • Data Residency
  • Data Encryption
  • Data Retention
  • PII Data handling
  • Local Regulations: GDPR, BDSG etc.

Collaborate with your Data Protection Officer (DPO) to:

  • Ensure that the collection and processing of data from consumers follows the compliance standards of that country
  • Get recommendations and guidance on the above areas

Some related security best practices you can follow include:

  • End-to-End Encryption: An E2EE system provides secure communication by encrypting the messages or information being transferred through the channel. Only the sender and the recipient can read the information; no third party can view or intercept the transmitted data.
  • Intent Level Privacy (GDPR Compliance): GDPR requires organizations to preserve the privacy of the personal details shared with them. With intent level privacy, critical data will not be revealed even from the backend. However, the intents will be logged for audit purposes.

b. Public Relations Risk Assessment

Once you’ve converted your base content into conversational templates, collaborate with your Public Relations (PR) and External Affairs teams for a thorough review of these templates. Ask them to do an in-depth PR risk analysis and discrimination assessment.

c. User Consent and Legal Analysis

After your PR team’s approval, you can proceed to building conversation mockups and a powerful Conversational User Experience (CUX). At this stage, you need to address key user consent and privacy aspects related to your chatbot. Below are some must-follow practices:

  • It is mandatory for every consumer chatbot to seek user consent before you:
      ◦ Ask for consumer data
      ◦ Store consumer data (including their name!)
      ◦ Send ads or emails
      ◦ Send notifications
      ◦ Share data with third-party services
  • Typically, a bot should provide a link to the privacy policy very early in the conversation
  • Before taking any data from the consumer, the chatbot should explicitly ask for consent in the conversation flow
  • Consent and privacy applicability should change based on the age of the consumer
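
As an added illustration (not code from the original article or from any chatbot platform), the sketch below combines the consent rules above with the intent-level logging described under Data Protection Analysis: data is taken only after explicit, per-purpose consent, and the audit log records the intent and entity names but never the values. The purpose names, the age threshold, the logging key and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Purposes the article lists as needing consent; the names are assumptions.
PURPOSES = {"collect", "store", "marketing", "notify", "share_third_party"}
MIN_SELF_CONSENT_AGE = 16   # assumed threshold; the real value depends on local law
LOG_KEY = b"constructed-demo-key"  # placeholder; load from a secret store in practice


class ConsentLedger:
    """Per-user record of the purposes a consumer explicitly agreed to."""

    def __init__(self):
        self._grants = {}

    def grant(self, user_id, purpose, age):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        if age < MIN_SELF_CONSENT_AGE:
            return False  # minors need a guardian flow; nothing is recorded
        self._grants.setdefault(user_id, set()).add(purpose)
        return True

    def allows(self, user_id, purpose):
        return purpose in self._grants.get(user_id, set())


def audit_record(user_id, intent, entities):
    """Intent-level log line: pseudonymous user, intent, entity names only."""
    pseudonym = hmac.new(LOG_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:16]
    return json.dumps({"user": pseudonym, "intent": intent,
                       "entities": sorted(entities)})  # keys, never values


def handle_turn(ledger, user_id, intent, entities, audit_log, store):
    """Apply the consent gate to one parsed message and return the next action."""
    audit_log.append(audit_record(user_id, intent, entities))
    if entities and not ledger.allows(user_id, "collect"):
        return "ask_consent"  # drop the values and ask before taking any data
    if ledger.allows(user_id, "store"):
        store.setdefault(user_id, {}).update(entities)
    return "fulfil"
```

Keeping "collect" and "store" as separate purposes lets the bot use a value to answer the current request without persisting it when the consumer has agreed only to the former.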

In addition, you also need to take your legal team’s feedback at this point. Ask them to review:

  • The chatbot’s Terms & Conditions
  • Privacy policy
  • The chatbot platform’s Terms & Conditions
  • All documentation exposed to public
  • Advertisement guidelines
  • Chatbot’s conversation responses

d. Accessibility Review

Before you go live with the chatbot, collaborate with the relevant stakeholders who can analyze whether the chatbot is accessible to people with special needs, for example people with visual impairments, seizures, and mobility, cognitive and auditory disabilities.

Partner With Experienced Chatbot Implementation Vendors

Chatbot security considerations should be taken into account throughout the entire bot building life cycle. Instead of partnering with creative digital agencies which may not completely understand the potential risks involved in deploying a chatbot, consider partnering with an experienced chatbot implementation vendor who understands the technological nitty-gritty.

The right partner can guide you throughout the entire process, advise you on collaborating with the right stakeholder at the right time and ensure your chatbot is fully secure.

If you’d like to learn more about this topic, please feel free to get in touch with one of our enterprise chatbot consultants for a personalized consultation. You may also be interested in exploring our chatbot builder platform (BotCore) for further insights.
