Information Note on Chatbots such as ChatGPT Published
On 08.11.2024, the Personal Data Protection Authority published an Information Note on Chatbots (Example: ChatGPT) (Information Note).
According to the Information Note, a chatbot is software that attempts to simulate human conversation with the end-user through an interface, performing tasks and instructions given by the user. Accordingly, chatbots like ChatGPT, Siri, Alexa, and Gemini provide quick solutions to users in areas such as customer support, information retrieval, text creation, code writing, translation, and sentiment analysis.
AI-powered chatbots, which require large amounts of data to improve their performance, may process various personal data such as users' names, contact information, social media information, and IP addresses for purposes like providing services, improving user experience, ensuring information security, fulfilling legal obligations, and developing new services. Within this framework, the Information Note emphasizes that developers, manufacturers, service providers, and decision-makers must fulfill their legal obligations, with a particular emphasis on the following points:
- Before collecting data, users must be transparently informed about how personal data is used, with whom it is shared, for what purposes it will be processed, the retention period, the identity of the data controller, and the rights of the individuals concerned.
- Given that chatbots may also be used by children, proactive measures must be taken to ensure age verification and prevent negative experiences. Raising awareness among users is important to prevent data breaches and cybersecurity risks that may arise due to low user awareness.
- While developing chatbot applications, a risk assessment should be conducted before starting to process personal data, activities should comply with the accountability principle, and personal data processing activities should be carried out in accordance with the general principles and legal bases set out in Law No. 6698 on the Protection of Personal Data (KVKK). If personal data is being processed, the legal basis for this should be explicitly stated.
- Data security requires necessary technical and administrative measures. In this context, it is important to comply with certain internationally accepted standards to ensure privacy and data security and to have relevant certifications. Additionally, chatbots should use secure methods for storing and transmitting data inputs, such as text, audio, speech, and images, in secure environments.
- Attention should be paid to the Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence set by the Personal Data Protection Boards, and obligations under the KVKK should be fulfilled.
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.