Make sure your bot respects users' privacy


Privacy considerations are important with any software application, but especially so with bots. Bots are a unique interface that can learn a great deal of personal information from users. Largely because of the trust that bot creators should always be working to build, users may share more information with bots than they would with other services. Legislators are aware of this: legal frameworks are keeping pace with bot development and demand that user privacy be respected.

As a matter of ethical and sound legal principle, you should be careful with any information that your bot collects from users.

Your bot should only collect information from users that it needs to do its job.

It’s also important to design user privacy controls into the bot. Users should be able to find out, easily and without having to jump through hoops, all the information that the bot knows about them, so design this right into the bot. You should also obtain privacy reviews before going too far into development to ensure your bot is compliant with relevant laws in your own jurisdiction, as well as any locale that users will be operating in.

Implementation

Inform users up-front about what data is being collected, and what it’s being used for. Always let your users choose which external services their data is shared with, and give them an option to opt out where possible. And don’t make a bot that’s dependent on sharing data with outside services where you can’t verify data security or user privacy.

As mentioned above in “Design”, you should include in your deployment the opportunity to share with users all the data that the bot has collected on them. Sharing might be best implemented as a “profile page” that includes the ability to manage privacy settings, plus any relevant legal information pertaining to their data.

As well as giving users the option to see what personal data the bot collects, you should also make it possible for the bot to forget about any information that the user has entered erroneously, or simply wants to be forgotten.

A key tenet is not to store any more information than you need to perform the function of the bot. If you're concerned about whether or not you are compliant, it’s advised to get a privacy expert involved in your project.
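The controls described in this section (collect only what is needed, per-service sharing choices, a full view of stored data, and forgetting on request) can be sketched as a small per-user store. This is an added example, not code from the original page or from any bot framework; the class, method, field and service names are hypothetical, and the in-memory dictionaries stand in for whatever storage your bot uses.

```python
# Assumed for this example: the only fields this hypothetical bot needs.
NEEDED_FIELDS = {"display_name", "city", "language"}

class UserPrivacyStore:
    def __init__(self):
        self._data = {}      # user_id -> {field: value}
        self._sharing = {}   # user_id -> {service: bool}

    def remember(self, user_id, field, value):
        """Data minimisation: refuse anything the bot does not need."""
        if field not in NEEDED_FIELDS:
            return False
        self._data.setdefault(user_id, {})[field] = value
        return True

    def set_sharing(self, user_id, service, allowed):
        """Record the user's per-service choice; absent means not shared."""
        self._sharing.setdefault(user_id, {})[service] = bool(allowed)

    def payload_for(self, user_id, service):
        """Data that may leave the bot for `service`: nothing without consent."""
        if not self._sharing.get(user_id, {}).get(service, False):
            return {}
        return dict(self._data.get(user_id, {}))

    def export(self, user_id):
        """Everything held about the user, for the profile page."""
        return {"data": dict(self._data.get(user_id, {})),
                "sharing": dict(self._sharing.get(user_id, {}))}

    def forget(self, user_id, field=None):
        """Erase one field, or the whole record when no field is given."""
        if field is None:
            self._data.pop(user_id, None)
            self._sharing.pop(user_id, None)
        else:
            self._data.get(user_id, {}).pop(field, None)

def demo():
    store = UserPrivacyStore()
    store.remember("u1", "city", "Lisbon")         # constructed sample values
    store.remember("u1", "passport_no", "X123")    # rejected: not needed
    store.set_sharing("u1", "weather_api", True)
    shared = store.payload_for("u1", "weather_api")
    withheld = store.payload_for("u1", "ads_api")  # user never opted in
    store.forget("u1", "city")
    return shared, withheld, store.export("u1")
```

Sharing defaults to off for any service the user has not explicitly chosen, so a newly added integration receives nothing until the user opts in.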

Sometimes, a user’s desire for privacy will conflict with the ability for your bot to provide a service to them. If that happens, that’s OK. It’s better for your bot to be upfront and transparent with privacy and personal information, and offer the user complete (secure) control over what to do with that information. In the long run, this will build trust and help prevent abuse.