How Does the GDPR Apply to Messenger Bots?

If you have any subscribers from the EU and/or EEA then the General Data Protection Regulation (GDPR) applies to you, also if you’re not based in Europe yourself.

There are a bunch of articles on the internet on how the GDPR applies to Email Marketing, but I couldn’t find much about how the GDPR applies to Messenger Bots.

That’s why I wrote this guide for you.

But please keep in mind I’m not a lawyer, I can be wrong. I recommend seeking an independent consultant to determine how the GDPR affects your business.

Things to keep in mind

1) Subscribers have the right to be forgotten

Which means you have to delete ALL their data when they ask you to.

ManyChat launched some new tools with which you can easily delete the data of your subscriber when they ask you to.

how to delete user profile in ManyChat

But don’t forget that you might also have their data in Zapier, Google Sheets, and your ESP (email service provider).

2) Subscribers have the right to access all their data

In ManyChat you can export someone’s data when you go to Audience > Their profile > 3 dots > Download User Data. It will export as a JSON-file that you can send to your subscriber.

How to download user data in ManyChat

3) Subscribers have the right to change their data

You could create a little flow where they can change custom field values.

4) Subscribers have the right to opt-out of marketing communications at all time

With Messenger Bots, that’s nothing new because it’s already in the Messenger Platform Rules.

“A user may opt-out of receiving subscription messages from a Page at any time.”

Make sure everybody knows that they can unsubscribe by typing – stop. I also like to put a unsubscribe button in my Main Menu.

unsubscribe menu messenger marketing

So that’s all great, but don’t forget to mention it in your Privacy Policy too.

Most Privacy Policies explain how to unsubscribe from an email list, so it would only logic to also include an explanation of how they can unsubscribe from your Messenger Bot.

I added this;

You may unsubscribe to my Messenger Bot at any time by typing “Stop” inside Messenger or by clicking “Unsubscribe” in the persistent menu. You will then be asked for your confirmation to be unsubscribed.

5) Make sure you signed Data Processing Agreement’s

Make sure you have Data Processing Agreement’s (DPA) with all the tools you export data to. For example with Zapier or Google Sheets if you’re using that in combination with ManyChat or Chatfuel.

If you’re using ManyChat then you can sign their DPA here.

6) Have the FB Pixel on your website?

This one is processing personal data, which means you have to ask for people their explicit consent to place marketing cookies like this. A tool I can recommend to regulate this is Cookiebot.

Below is an example how I ask for the consent for marketing-cookies. You’ve probably seen it if you’re from Europe.

Example of marketing cookies consent box for GDPR

7) Permission-based marketing

With email marketing, you need someone’s permission to send them future emails. Let’s assume this also applies to Messenger Bots, which means you need to have people their permission to send them messages.

That they got your download inside Messenger doesn’t mean they want to receive future messages.

You might want to change your flows to make sure you always ask for this permission. Simply asking ‘would you like to receive furthers tips & tricks?’ should be enough. This is also a great way to filter out leads that are not interested anyway.

With email marketing, you can also get consent in the form they sign-up with. So maybe we can also use “Subscribe to our bot and receive tips & tricks X times a week”. That would count as consent I guess.

8) Privacy Policy

Make sure your privacy policy is updated & easily accessible.

I’ve created an item in my Main Menu called “The Website” with a sub-item called “Privacy Policy”.

Main Menu in ManyChat for privacy

9) Personal data processing consent

In ManyChat their GDPR-article they mention you need to have personal data processing consent from your subscribers. Also, you’ll need to be able to prove you’ve obtained consent from existing subscribers to continue messaging them after May 25th.

A name is personal data, so every Messenger Bot is processing personal data.

In my welcome message I ask this;

“Before we start, I want to tell you that these messages are automated & personal data is used to personalize your experience. You can always unsubscribe by typing – stop. Ok?”

I’m not a 100% sure if this message is compliant because there aren’t any resources or examples of how this applies to Messenger Bots.


To help you I’ve also created a step-by-step GDPR Checklist, you can get it here by email.

Leave a comment if you’ve any questions, input, feedback or additional resources on this.

Good luck!

Want my GDPR Checklist for Messenger Bots?

I’ll explain what the GDPR is, and how you can apply it in ManyChat.

    Avatar of Max van Collenburg
    Max van Collenburg

    I'm addicted to travel, love a good cappuccino, have two cute cats, and craft actionable content for online business owners that want to grow their business with non-sleazy chat marketing. More weird facts about me here.

    3 thoughts on “How Does the GDPR Apply to Messenger Bots?”

    1. Avatar of Mark Collins

      You make it so easy to understand. Keep up the great work and thanks for delivering value like always 🙂

      • Avatar of Max van Collenburg

        You’re welcome, Mark!

    2. Avatar of Giang Tran

      Please kindly help me to give an example of a Chatbot that complied with GDPR according to your description. Many thanks

    Leave a Comment