AI Chatbots: Legal Duty to Notify Users of Personal Data Collection

As AI chatbot services rapidly spread across all industrial sectors, including finance, commerce, and customer support, the importance of the legal obligation to notify users about personal information collection and use is growing. Chatbots collect and analyze various data, including sensitive personal information such as conversation content and usage history, to understand user intent and provide personalized responses. Users have the right to be clearly informed about how their data is used and to consent to it. This obligation for transparent information provision is stipulated in the 'Personal Information Protection Act' and related guidelines, which service providers must strictly adhere to. Notably, the 'AI Service Personal Information Processing Guidelines' announced by the Personal Information Protection Commission in December 2023 provide specific directives considering the characteristics of AI services like chatbots, clarifying the standards for legal notification obligations.

Current Status and Legal Issues of Personal Information Processing by AI Chatbots

Technical Characteristics of AI Chatbots and the Inevitability of Personal Information Collection

AI chatbots operate based on advanced natural language processing technology and vast amounts of training data. They understand context through natural conversations with users and provide optimal information or perform services by analyzing individual preferences, past usage history, and the content of questions. This ability to provide personalized services heavily relies on the quantity and quality of data essential for improving chatbot performance, thus making personal information collection a core function of chatbot services. Chatbots possess technical characteristics that allow them to collect even sensitive personal information that users may not have intended to share during conversations, and to automatically analyze and process it.

Basic Principles of Notification Obligation Under the Personal Information Protection Act

South Korea's Personal Information Protection Act prioritizes the protection of data subjects' rights and mandates clear and transparent notification when processing personal information. Before collecting or using users' personal information, chatbot service providers must clearly inform users of: ▲ the purpose of collection and use, ▲ the personal information items being processed, ▲ the retention and usage period of personal information, and ▲ the recipient, purpose of provision, and items provided when personal information is shared with a third party. This legal mechanism is designed to help users accurately understand how, for what purpose, and for how long their information will be processed, enabling them to make informed decisions about their consent.

Information That Must Be Notified When Introducing AI Chatbots

Clarification and Specificity of Purpose for Collection and Use

Chatbot service providers should not provide vague and abstract notifications for the purpose of personal information collection and use, such as 'service improvement.' Instead, they must specifically and clearly state for which specific functions or services what types of personal information are collected and used. For example, they should notify purposes directly linked to specific service functions, such as 'collecting and using purchase history and search records for personalized product recommendations' or 'enhancing consultation service efficiency by analyzing consultation content.' This helps users accurately understand for what specific benefits their information is being used.

Detailed Notification of Personal Information Items Processed

AI chatbots can process various personal information, including conversation content, IP addresses, cookie information, and device information. Service providers must inform users in detail about which personal information items are collected and used so that users can clearly understand. During this process, they must clearly distinguish between information that is necessarily collected and information whose collection depends on service selection (optional information). Furthermore, they must also inform users that they will not be disadvantaged in using the service even if they do not consent to the collection of optional information. For instance, they can guide users by stating, 'If you refuse to provide optional information for personalized recommendation services, only non-personalized general information may be provided.'

Clarification of Personal Information Retention and Usage Period

Clear notification about how long collected personal information will be stored and for what purpose it will be used is a key element in protecting users' right to self-determination over their personal information. Chatbot service providers must clearly specify the concrete retention and usage period, such as the legally mandated retention period or until the purpose of use is achieved. Additionally, they must notify users that the personal information will be promptly destroyed after the specified period has passed or the purpose of use has been achieved. This is a critical procedure to preemptively block the risks of indefinite personal information retention and misuse.

Special Notification Obligations Related to Automated Decision-Making

Notification Obligation Regarding Key Processing Logic and Decision Criteria

When AI chatbots perform automated decision-making, such as loan assessments, product recommendations, or service eligibility judgments, based on users' personal information, they must explain the key processing logic and criteria of these decisions to a level understandable by users. In other words, it is important to ensure transparency regarding 'what factors are considered and how they are used to make a particular decision.' This contributes to users recognizing potential irrationality or bias in AI-based decision-making processes and identifying potential disadvantages that may arise from excessive automation. The Personal Information Protection Commission is providing guidelines aimed at strengthening this 'explainability.'

Guidance on Procedures for Objecting and Requesting Re-examination

It is a legal requirement to provide clear procedures and channels for users to object to the results of automated decisions made by AI chatbots or to request human re-examination. Considering that AI system decisions may not always be perfect or fair, users' rights to request correction and reconsideration of decisions they deem unreasonable or incorrect must be guaranteed. These procedures should be easily accessible within the chatbot service, and timely and appropriate responses must be provided when objections are raised.

Practical Measures for Fulfilling AI Chatbot Personal Information Notification Obligations

Application of User-Friendly Notification Methods

Simply listing legal notification items as text makes it difficult for users to understand. Chatbot service providers must adopt methods that allow users to understand easily and clearly while fulfilling their legal obligations. For example, they can utilize pop-up messages, confirmations through questions, or provision of key information summaries during conversations with the chatbot. Additionally, providing separate transparency reports, FAQs, or informational videos before service usage begins is an effective way to enhance information accessibility. It is important to maximize the efficiency of information delivery by utilizing various visual materials or interactive elements.

Enhancing Accessibility of Personal Information Processing Policy

A clear link should be provided so that the personal information processing policy can be easily accessed at any time from within the chatbot service screen. Instead of using complex legal jargon, it is advisable to provide a summarized version that users can easily understand. Furthermore, providing a function that allows users to directly view how their personal information is being used (e.g., personal information usage history lookup) can further enhance transparency. These efforts contribute to gaining user trust and substantially guaranteeing users' right to self-determination over their personal information.

Compliance Checks and Reflection of Latest Trends

The Personal Information Protection Act and related guidelines are continuously evolving with the advancement of AI technology. Therefore, it is essential to thoroughly check and understand the latest amendments to relevant laws before introducing or operating a chatbot. Efforts are required to continuously identify and reflect new regulatory trends and legal interpretations related to AI ethics, explainability, and data privacy in chatbot system design and operation. Potential legal risks should be preemptively prevented through periodic compliance checks.