If you have any subscribers from the EU and/or EEA, then the General Data Protection Regulation (GDPR) applies to you, even if you’re not based in Europe yourself.
There are a bunch of articles on the internet on how the GDPR applies to Email Marketing, but I couldn’t find much about how the GDPR applies to Messenger Bots.
That’s why I wrote this guide for you.
But please keep in mind I’m not a lawyer, I can be wrong. I recommend seeking an independent consultant to determine how the GDPR affects your business.
Things to keep in mind
1) Subscribers have the right to be forgotten
Which means you have to delete ALL their data when they ask you to.
ManyChat launched some new tools with which you can easily delete the data of your subscriber when they ask you to.
But don’t forget that you might also have their data in Zapier, Google Sheets, and your ESP (email service provider).
2) Subscribers have the right to access all their data
In ManyChat you can export someone’s data by going to Audience > Their profile > 3 dots > Download User Data. It will export as a JSON file that you can send to your subscriber.
3) Subscribers have the right to change their data
You could create a little flow where they can change custom field values.
4) Subscribers have the right to opt out of marketing communications at any time
With Messenger Bots, that’s nothing new because it’s already in the Messenger Platform Rules.
“A user may opt-out of receiving subscription messages from a Page at any time.”
Make sure everybody knows that they can unsubscribe by typing – stop. I also like to put an unsubscribe button in my Main Menu.
Most Privacy Policies explain how to unsubscribe from an email list, so it would only be logical to also include an explanation of how they can unsubscribe from your Messenger Bot.
I added this:
You may unsubscribe to my Messenger Bot at any time by typing “Stop” inside Messenger or by clicking “Unsubscribe” in the persistent menu. You will then be asked for your confirmation to be unsubscribed.
5) Make sure you have signed Data Processing Agreements
Make sure you have Data Processing Agreements (DPAs) with all the tools you export data to, for example with Zapier or Google Sheets if you’re using them in combination with ManyChat or Chatfuel.
If you’re using ManyChat then you can sign their DPA here.
6) Have the FB Pixel on your website?
The pixel processes personal data, which means you have to ask for people’s explicit consent to place marketing cookies like this. A tool I can recommend to regulate this is Cookiebot.
Below is an example of how I ask for consent for marketing cookies. You’ve probably seen it if you’re from Europe.
7) Permission-based marketing
With email marketing, you need someone’s permission to send them future emails. Let’s assume this also applies to Messenger Bots, which means you need people’s permission to send them messages.
That they got your download inside Messenger doesn’t mean they want to receive future messages.
You might want to change your flows to make sure you always ask for this permission. Simply asking ‘would you like to receive further tips & tricks?’ should be enough. This is also a great way to filter out leads that are not interested anyway.
With email marketing, you can also get consent in the form they sign-up with. So maybe we can also use “Subscribe to our bot and receive tips & tricks X times a week”. That would count as consent I guess.
9) Personal data processing consent
In their GDPR article, ManyChat mentions that you need to have personal data processing consent from your subscribers. Also, you’ll need to be able to prove you’ve obtained consent from existing subscribers to continue messaging them after May 25th.
A name is personal data, so every Messenger Bot is processing personal data.
In my welcome message I ask this:
“Before we start, I want to tell you that these messages are automated & personal data is used to personalize your experience. You can always unsubscribe by typing – stop. Ok?”
I’m not 100% sure if this message is compliant because there aren’t any resources or examples of how this applies to Messenger Bots.
To help you I’ve also created a step-by-step GDPR Checklist, you can get it here by email.
Leave a comment if you’ve any questions, input, feedback or additional resources on this.
3 thoughts on “How Does the GDPR Apply to Messenger Bots?”
You make it so easy to understand. Keep up the great work and thanks for delivering value like always 🙂
You’re welcome, Mark!
Please kindly help me to give an example of a Chatbot that complied with GDPR according to your description. Many thanks