How Does The GDPR Apply To Messenger Bots?

Disclaimer: I’m not a lawyer and don’t have the education to read legal documents. This is just my interpretation of how this applies to Messenger Bots. You are 100% responsible for the data of your subscribers and customers. I highly recommend seeking an independent counsel to determine how GDPR affects your business.

If you have any subscribers from the EU and/or EEA then the General Data Protection Regulation (GDPR) applies to you.

But how can you make your Messenger Bot compliant? 😵

That’s what we are discussing in this article.

Things to keep in mind

1) Subscribers have the right to be forgotten

Which means you have to delete ALL their data when they ask you to.

ManyChat launched some new tools with which you can easily delete the data of your subscriber when they ask you to.

But don’t forget that you might also have their data in Zapier, Google Sheets, and your ESP (email service provider).

2) Subscribers have the right to access all their data

In ManyChat you can export someone’s data when you go to Audience > Their profile > 3 dots > Download User Data. It will export as a JSON file that you can send to your subscriber.

3) Subscribers have the right to change their data

You could create a little flow where they can change custom field values.

4) Subscribers have the right to opt out of marketing communications at any time

With Messenger Bots, that’s nothing new because it’s already in the Messenger Platform Rules.

“A user may opt-out of receiving subscription messages from a Page at any time.”

Make sure everybody knows that they can unsubscribe by typing – stop. I also like to put an unsubscribe button in my Main Menu.

So that’s all great, but don’t forget to mention it in your Privacy Policy too.

Most Privacy Policies explain how to unsubscribe from an email list, so it would only be logical to also include an explanation of how they can unsubscribe from your Messenger Bot.

I added this:

You may unsubscribe to my Messenger Bot at any time by typing “Stop” inside Messenger or by clicking “Unsubscribe” in the persistent menu. You will then be asked for your confirmation to be unsubscribed.

5) Make sure you have signed Data Processing Agreements

Make sure you have Data Processing Agreements (DPAs) with all the tools you export data to. For example with Zapier or Google Sheets if you’re using that in combination with ManyChat or Chatfuel.

ManyChat said they’re still making final edits to their DPA.

6) Have the FB Pixel on your website?

This one is processing personal data, which means you have to ask for people’s explicit consent to place marketing cookies like this. A tool I can recommend to regulate this is Cookiebot.

Below is an example of how I ask for consent for marketing cookies. You’ve probably seen it if you’re from Europe.

7) Permission-based marketing

With email marketing, you need someone’s permission to send them future emails. Let’s assume this also applies to Messenger Bots, which means you need to have people’s permission to send them messages.

That they got your download inside Messenger doesn’t mean they want to receive future messages.

You might want to change your flows to make sure you always ask for this permission. Simply asking ‘would you like to receive further tips & tricks?’ should be enough. This is also a great way to filter out leads that are not interested anyway.

With email marketing, you can also get consent in the form they sign-up with. So maybe we can also use “Subscribe to our bot and receive tips & tricks X times a week”. That would count as consent I guess.

8) Privacy Policy

Make sure your privacy policy is updated & easily accessible.

I’ve created an item in my Main Menu called “The Website” with a sub-item called “Privacy Policy”.

9) Personal data processing consent

In ManyChat’s GDPR article they mention you need to have personal data processing consent from your subscribers. Also, you’ll need to be able to prove you’ve obtained consent from existing subscribers to continue messaging them after May 25th.

A name is personal data, so every Messenger Bot is processing personal data.

In my welcome message I ask this:

“Before we start, I want to tell you that these messages are automated & personal data is used to personalize your experience. You can always unsubscribe by typing – stop. Ok?”

I’m not 100% sure if this message is compliant because there aren’t any resources or examples of how this applies to Messenger Bots.

Any questions?

Let me know if you have any questions, input, feedback or additional resources on this.

And again, I’m not a lawyer. Don’t sue me if I’m wrong, lol.

Good luck!

P.S. Don’t forget that this law isn’t only for Messenger Bots, your website or email marketing. It probably also impacts other parts of your business.
