AI Chatbot Privacy Policy: What You Must Include in 2026

If your website uses an AI chatbot — whether for customer support, lead qualification, or sales — you now have specific legal obligations to disclose this in your privacy policy. Here is exactly what the law requires and how to get compliant.

AI chatbots are everywhere. Intercom, Drift, Zendesk, Tidio, ChatGPT-powered widgets, custom GPT assistants — millions of websites now greet visitors with an AI-powered chat window. But most website owners have not updated their privacy policies to account for the data these chatbots collect and process.

That was acceptable two years ago. It is no longer. As of 2026, multiple jurisdictions now have laws that specifically require AI chatbot disclosures. Failing to comply can result in fines, consumer complaints, and enforcement action.

Why AI Chatbots Need Special Privacy Disclosures

AI chatbots are not like traditional contact forms or live chat. They introduce unique privacy concerns that regulators have identified:

  • Users may not realise they are talking to a machine. Many chatbots are designed to feel human. Without clear disclosure, users may share sensitive personal information believing they are speaking to a person.
  • Chatbots collect and process conversational data. Every message a user types is sent to an AI model for processing. This data may include names, email addresses, account details, complaints, health information, or financial details — whatever the user volunteers.
  • Data may leave your control. If your chatbot uses a third-party AI provider (OpenAI, Anthropic, Google, etc.), user messages are sent to external servers for processing. Your privacy policy must disclose this.
  • Conversation logs may be stored and analysed. Most chatbot platforms store conversation transcripts for analytics, training, and improvement. Users have a right to know this.
  • Some providers use chat data for model training. Depending on your vendor agreement, user conversations may be used to train or improve AI models. This is a critical disclosure point.

Legal Requirements by Jurisdiction

California (AB 2885 — effective 1 January 2026)

California law now requires any business operating an AI chatbot to clearly and conspicuously disclose that users are interacting with artificial intelligence. This applies to:

  • Customer service chatbots
  • AI sales assistants
  • AI companion chatbots
  • Any conversational AI interface on a website or app

The disclosure must be provided before or at the start of the interaction — not buried in a privacy policy. However, your privacy policy must also contain details about data collection and processing by the chatbot.

EU AI Act (transparency obligations in effect)

Article 52 of the EU AI Act requires that users interacting with an AI system be informed that they are doing so. For chatbots specifically, users must be notified “in a timely, clear and intelligible manner” that they are interacting with an AI system, unless this is “obvious from the circumstances.”

Combined with GDPR requirements for transparency about data processing, this means your privacy policy must detail what data the chatbot collects, how it is processed, where it is sent, and the legal basis for processing.

GDPR (Articles 13, 14, and 22)

If your chatbot serves users in the EU or UK, GDPR requires you to disclose:

  • The categories of data collected (chat messages, metadata)
  • The purpose of processing (customer support, lead qualification)
  • The legal basis (legitimate interest, consent, contractual necessity)
  • Any automated decision-making based on chat interactions
  • Data transfers to third countries (e.g., US-based AI providers)
  • Data retention periods for conversation logs

US State Laws (Colorado, Virginia, Connecticut, and others)

Multiple US states now have comprehensive privacy laws that require disclosures about automated processing. Colorado’s AI Act (enforcement began February 2026) specifically requires notification when consumers interact with AI systems and when AI is used for consequential decisions.

What Your Privacy Policy Must Include About AI Chatbots

Based on current law across all major jurisdictions, here are the specific items your privacy policy should address:

1. Disclosure That a Chatbot Is AI-Powered

State clearly that your chat feature uses artificial intelligence. Do not use euphemisms like “smart assistant” or “automated helper” — use the words “artificial intelligence” or “AI.”

2. What Data the Chatbot Collects

List the types of data collected through the chatbot:

  • Text of messages sent by the user
  • Name and email (if the user provides them)
  • IP address and device information
  • Conversation timestamps and session duration
  • Any files or images shared in chat
  • User behaviour data (pages visited before opening chat)

3. How the Data Is Processed

Explain that messages are sent to an AI model for processing and that responses are generated by artificial intelligence. If the AI provider is a named third party (e.g., OpenAI, Anthropic), disclose this.

4. Data Sharing and Third-Party Transfers

If chat data is sent to an external AI provider, you must disclose:

  • The name or category of the provider
  • Where their servers are located (especially for EU–US transfers)
  • What safeguards are in place (Standard Contractual Clauses, DPA, etc.)

5. Data Retention

State how long conversation logs are stored. Many chatbot platforms retain conversations indefinitely by default. If you have not configured a retention period, now is the time.

6. Model Training Disclosure

Disclose whether user chat data is or may be used to train AI models. If you use an AI provider’s business API (which typically does not use data for training), state this explicitly. If data may be used for training, disclose it and explain how users can opt out.

7. User Rights

Explain how users can:

  • Request deletion of their conversation data
  • Opt out of chatbot interactions (e.g., request human support)
  • Access transcripts of their conversations
  • Object to AI processing of their data

Template Clauses for AI Chatbot Privacy Policies

Basic AI Chatbot Disclosure

“Our website uses an AI-powered chatbot to assist visitors with questions and support requests. When you use our chat feature, you are communicating with an artificial intelligence system. Your messages are processed by [AI Provider] to generate relevant responses. We store conversation transcripts for [X days/months] to improve our service and for quality assurance purposes.”

Data Training Disclosure

“We use [AI Provider]’s business API to power our chatbot. Under our data processing agreement, your conversations are not used to train or improve [AI Provider]’s AI models. Conversation data is processed solely to generate responses to your queries and is subject to [AI Provider]’s enterprise data handling policies.”

User Rights Clause

“You may request deletion of your chatbot conversation history at any time by contacting us at [email]. You may also choose not to use the chatbot and instead contact us directly via email or phone. If you prefer to speak with a human agent, you can request this at any time during a chat interaction.”

Common Mistakes With AI Chatbot Privacy Policies

  • No disclosure at all. The chatbot widget appears on the site, but the privacy policy makes no mention of AI or chatbots. This is the most common violation.
  • Disclosure only in the chat window. A small “powered by AI” label in the chat widget is not sufficient. Your privacy policy must contain detailed disclosures about data collection and processing.
  • Using a generic privacy policy template. Most free privacy policy generators do not include AI chatbot clauses because the legal requirements are so new. If your privacy policy was generated before 2025, it almost certainly does not cover chatbot disclosures.
  • Not disclosing the AI provider. Users have a right to know if their messages are being sent to OpenAI, Google, or another third party. Omitting this is a GDPR transparency violation.
  • Ignoring data retention. Chatbot platforms often store conversations indefinitely. If you have not set a retention policy, you are likely storing more data than necessary — a violation of GDPR’s data minimisation principle.

Generate an AI Chatbot Privacy Policy in 60 Seconds

AI chatbot privacy requirements are new, specific, and enforced. Most template privacy policies do not cover them. Drafting these clauses manually requires understanding regulations across multiple jurisdictions.

LegalForge generates privacy policies that include comprehensive AI chatbot disclosure clauses. Tell us which chatbot platform you use, whether it connects to a third-party AI provider, and what data it collects — and we produce a compliant policy covering GDPR, CCPA, the EU AI Act, and US state laws. One-time payment, no subscription.
