When GDPR came into force in 2018, most European businesses treated it as a compliance exercise. Cookie banners went up. Privacy policies were updated. Legal teams signed off on data processing agreements. Then things settled down, and privacy became a background concern — something you managed, not something you led with.
That's changing.
The rise of AI tools on business websites has reopened the conversation. Visitors are more aware than they were five years ago of how their data is collected and used. Businesses are starting to realise that the AI assistant on their homepage may be collecting conversation data in ways they haven't thought through. And regulators in Europe — and now India — are paying attention.
What GDPR Actually Requires From an AI Tool on Your Website
GDPR's data minimisation principle (Article 5(1)(c)) is direct: personal data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."
For an AI chatbot operating on a website, this has a clear practical meaning. Data collected during a visitor interaction — the content of their messages, any personal details they share, their browsing patterns — should only be collected to the extent needed to serve that interaction. Using that data to train AI models, improve a vendor's product, or pass to third parties requires separate, explicit consent.
In practice, a lot of AI tools deployed on business websites collect data well beyond what the immediate interaction requires. Some use it to improve their underlying models. Some share it with subprocessors. Most don't disclose this in the chat window where the interaction happens.
The business deploying the tool is acting as a data controller. They're responsible for what the tool does — not just for what the tool's marketing page says it does.
The DPDP Act and What It Signals
India's Digital Personal Data Protection Act, which came into force in 2023, is worth understanding even if your primary market is European.
The Act takes a stricter line on consent than GDPR in one important respect: implied consent doesn't work. A visitor who uses your website hasn't automatically consented to having their interaction data collected, processed, or used for model training. Consent must be freely given, specific to each purpose, and clearly obtained.
The practical implication is that a visitor who agrees to chat with your AI assistant hasn't agreed to that conversation being used to train the model behind it. These are separate processing activities and require separate consent.
This direction of travel — more specificity, less implied consent — is not unique to India. It reflects where data protection law is heading more broadly, and businesses that build for it now will have less to retrofit later.
The Gap Between Marketing Language and Reality
Most AI vendors describe their data practices in reassuring but vague terms. "Enterprise-grade security." "We take your privacy seriously." "Data is handled responsibly."
None of that answers the questions that actually matter:
- Does the vendor use visitor conversation data to train or improve the underlying model?
- Which third-party subprocessors receive data, and under what agreements?
- Where is data stored geographically, and which country's laws govern it?
- What is the retention period, and what triggers deletion?
- Does the tool provide a GDPR-compliant consent flow before collecting any interaction data?
If you can't find clear answers to these questions in the vendor's data processing agreement — not the homepage, the DPA — that's worth taking seriously before you deploy the tool on your website.
What Consent-Driven Design Looks Like in Practice
Consent-driven design isn't a checkbox or a banner. It's a set of decisions made before the product is built.
It means collecting only what's needed for the stated purpose. A chatbot handling pre-sales questions doesn't need to build a persistent profile of every visitor, track browsing behaviour across sessions, or retain conversation history longer than necessary to answer the question.
It means purpose limitation — if data is collected to answer a visitor's question, it can't be repurposed for model training or advertising without going back to the visitor and asking again.
It means transparency before the interaction, not buried in a privacy policy. The visitor should know they're talking to an AI, what will be collected, and why — in plain language, before they type anything.
And it means a genuine opt-out. Not a pre-ticked consent box. Not consent that's required to access the website. A real choice.
Why This Is a Commercial Issue, Not Just a Legal One
Visitors who trust how their data is handled interact more openly and honestly. They give better information. They're more likely to take the next step. They're less likely to disengage the moment something feels intrusive.
The opposite is also true. A visitor who feels that their conversation is being logged, analysed, and possibly used in ways they didn't agree to becomes guarded. They answer questions carefully. They don't share what you'd need to give them a useful answer. They form a poor impression of the business — regardless of whether the technical answers the chatbot gave were correct.
Privacy, handled well, improves the quality of every interaction. It's not separate from customer experience. It's part of it.
The Standard Is Moving
What was considered careful or forward-thinking two or three years ago — consent-based data collection, no third-party model training, transparent data handling — is becoming the expected standard for AI tools deployed in serious business contexts.
Healthcare, legal, financial services, and education already operate under sector-specific regulations that go further than GDPR's baseline. For businesses in those sectors, the evaluation of any AI tool should be identical to the evaluation of any other data processor: data processing agreement, subprocessor list, data residency, retention periods, breach notification procedures.
For everyone else, the direction of travel is clear enough that building for it now is simpler than waiting until you're required to.
CYBOT is built on a consent-first model, does not use visitor interaction data to train third-party models, and is designed to meet GDPR requirements for businesses operating in the EU. Learn more →