AI Chatbots and Data Privacy: What Do Chatbots Do With Your Data?
- sellinunverdi
- Apr 1
Updated: May 12

As a reflection of the rapid transformation in the field of technology, AI chatbots are on their way to becoming an indispensable part of daily life. While these applications have reached a level where they can respond to all kinds of user needs, their constant data collection structures have also given rise to serious concerns. These concerns are increasingly being discussed among data protection authorities and experts working in the field of personal data security and privacy.
The question of how AI-powered chatbots collect and process user data remains relevant, as evidenced by published decisions, academic studies, and press releases. In this context, the Personal Data Protection Authority (KVKK) published a study titled "Information Note on Chatbots (ChatGPT Example)" on November 8, 2024, focusing on the personal data collection and processing activities of these applications that enable human-technology interaction. This information note contains various findings regarding AI-powered chatbots and also guides practitioners and developers on their obligations under personal data protection law.
Chatbots can be defined as artificial intelligence applications that interact with users, answering questions and providing information. The Authority, however, described these applications as "software that attempts to execute tasks and instructions given by the user through an interface, simulating a human-like dialogue with the end user."
It is known that data plays a central role in artificial intelligence systems. The main reason for this is that these systems, by their very nature, need extensive and diverse datasets to function optimally. In this context, data is processed for various purposes, including providing a higher quality user experience, conducting analysis, improving existing services, and developing new products. The main types of data processed include: name and contact information, payment card information, IP address, browser type and settings, location data, access times, information about the device used, search history, cookie data, and text, audio, and similar content transmitted by users. This list is not exhaustive.
When it comes to AI chatbot applications like ChatGPT, approaches to personal data protection vary from country to country. In Turkey, these applications cannot be exempt from the principles and rules of the Personal Data Protection Law (KVKK); they must be thoroughly examined and evaluated within the framework of the Law. These regulations protect individuals' rights regarding data privacy and security while also imposing various obligations on chatbot providers. These applications must be meticulously evaluated in terms of the fundamental principles regarding the processing of personal data, within the framework of the "General Principles" regulated under Article 4 of the Law.
Under the Personal Data Protection Law (KVKK), obtaining explicit consent in the collection and processing of user data is a fundamental obligation. Obtaining explicit consent from users interacting with chatbots and transparently disclosing data processing activities to the public are among the key principles for ensuring compliance with the Law. Transparency depends on providing users with sufficient and understandable information regarding the purposes for which their data is processed, with whom it is shared, the duration of its storage, and the rights of data subjects. These information notices, which must be carefully prepared to enable users to maintain control over their data, must be clear and understandable, and comply with the Communiqué on the Procedures and Principles Regarding the Fulfillment of the Obligation to Inform and related legislation.
In addition to the obligation of transparency, data processing activities must also comply with the general principles stipulated in the Law. In this context, personal data must be processed for specific, explicit, and legitimate purposes, be relevant to the purpose for which they are processed, and not exceed the extent required by that purpose.
An examination of ChatGPT's privacy policy reveals that data collected from users is processed for purposes such as providing services, analytical activities, developing new product features, communicating with users, preventing misuse, fulfilling legal obligations, and protecting the company's legitimate interests. Furthermore, users are given the option to change their preferences if they do not wish for their data to be used for model training purposes. At this point, it can be said that data processing is carried out within a legal framework and users are given a certain degree of control over whether their chat history is used in application development processes. Granting users this choice should be considered a positive step in terms of personal data protection. Regarding data deletion, while it is stated that data will be stored for a maximum of 30 days for security purposes if the temporary chat mode is chosen, whether this guarantee provides sufficient protection for users in Türkiye remains debatable. This matter also requires further evaluation within the framework of the principle of "retention only for the period necessary for the purpose" regulated in the Law.
In conclusion, it is clear that AI-based chatbot applications still contain unresolved uncertainties in the field of personal data protection, and that greater care should be taken to ensure data privacy during the development and deployment of these applications. The information note published by the Authority has served as an important starting point for discussions in this area. Indeed, in this document, the Authority, in addition to warning users against excessive sharing of their personal data, also included fundamental principles for chatbot development processes such as "conducting a risk assessment before handling personal data," "acting in accordance with the principle of accountability and the general principles stipulated in the Law," and "fully fulfilling the obligation to inform."
It is crucial that such applications are designed in accordance with the stated principles and that the necessary steps are taken decisively to protect user data. Data protection authorities should also conduct regular audits and studies in this area to ensure the system operates in compliance with the legislation. Given the increasing complexity of artificial intelligence technologies, the preparation of more detailed and comprehensive guidance documents will help protect individuals' personal data and privacy and will significantly contribute to shaping practices in the sector in accordance with personal data protection principles.
Attorney Selin Ünverdi



