CCPA and Chatbot Data Collection: What Businesses Must Disclose in 2026
Every AI chatbot on your website is collecting personal information from California users — conversation content, inferred intent, device signals, and more. CCPA requires specific disclosures about all of it, and most businesses running chatbots haven't updated their privacy policies to reflect what those chatbots actually collect.
What Chatbots Actually Collect
Most businesses think of chatbot data as support tickets or chat logs. Under CCPA, the data profile a chatbot creates is much broader. A single conversation session generates multiple distinct categories of personal information, many of which businesses haven't thought to disclose because they never thought of chatbots as "data collection" tools.
Directly Collected During Conversation
- •Names, email addresses, phone numbers provided during the chat
- •Account credentials or customer IDs used to authenticate
- •Health, financial, or legal details shared to get assistance
- •Complaint or issue content (often sensitive business or personal context)
- •Purchase intentions and product preferences stated explicitly
Inferred or Generated by the Chatbot Platform
- •IP address and approximate geolocation
- •Device type, browser, and operating system
- •Session timing and conversation length
- •Sentiment and emotional tone inferred from language
- •Behavioral intent and purchase stage inferred from conversation patterns
- •User profiling data shared with the chatbot vendor's analytics systems
The inferred data category is where most businesses are exposed. CCPA's definition of personal information explicitly includes "inferences drawn from any of the information identified" to create a profile of a consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. An AI chatbot that infers a user's purchase intent, emotional state, or likely objections is generating personal information under that definition.
The CCPA Disclosure Requirements for Chatbot Operators
If your business meets any CCPA threshold (annual gross revenues over $25M, processes data of 100,000+ consumers or households, or derives 50%+ of revenue from selling personal information) and your chatbot serves California residents, these disclosure requirements apply.
Update Your Privacy Policy
Your privacy policy must specifically disclose the categories of personal information your chatbot collects (conversation content, inferred characteristics, device data), the purposes for collection (customer support, marketing analytics, AI model improvement), and whether you share this data with third parties — including your chatbot platform vendor. The existing privacy policy that says 'we collect website usage data' almost certainly doesn't cover this adequately.
Disclose Third-Party Sharing
When your chatbot platform vendor receives conversation data — which they do by definition, since they're processing it — that's sharing personal information with a third party. Your CCPA disclosures must identify this. Check your chatbot vendor contract: if they use conversation data to train their AI models, improve their product, or share it with their own analytics systems, that use must be disclosed to California consumers.
Honor Consumer Rights Requests
California residents have the right to know what personal information you've collected about them (which includes chatbot conversation data), the right to delete that data, and the right to opt out of certain types of data sharing. Your internal processes must be able to retrieve, delete, and stop sharing a specific user's chatbot conversation data in response to a verified consumer request.
Sensitive Personal Information Handling
Under CPRA, California consumers have the right to limit the use of sensitive personal information. If your chatbot collects health information, financial account details, precise geolocation, or government ID numbers during conversations — which support chatbots commonly do — that data receives heightened protection. You must offer a 'Limit the Use of My Sensitive Personal Information' opt-out if this applies.
The Chatbot Vendor Problem
Most businesses using third-party chatbot platforms (Intercom, Drift, Zendesk, custom AI chat widgets) haven't fully investigated what their vendor does with conversation data. This matters for CCPA compliance because what the vendor does determines what you need to disclose and what rights California users have.
The key questions to get answered in writing from your chatbot vendor:
- ?Does the vendor use conversation data to train or improve their AI models? (If yes, this is likely 'sharing' for CCPA purposes)
- ?Does the vendor share conversation data with any of their own third-party analytics or advertising partners?
- ?Can they fulfill a CCPA deletion request for a specific user's conversation data within 45 days?
- ?Can they provide a data export of all conversation data collected for a specific California consumer?
- ?Does the vendor process data under a Business Service Provider agreement that restricts them to using data only on your behalf?
- ?What is their data retention period for conversation logs, and can it be shortened contractually?
CCPA Chatbot Compliance Checklist
Privacy Policy Updates
- ☐Add chatbot conversation content to the list of personal information categories collected
- ☐Add inferred characteristics and behavioral profiles to the list
- ☐Identify your chatbot vendor as a third party receiving data
- ☐Disclose all purposes for chatbot data use (support, analytics, AI training if applicable)
- ☐List retention period for conversation logs
- ☐Add chatbot data to your data categories table or chart
Consumer Rights Infrastructure
- ☐Build or verify a process to retrieve all chatbot conversation data for a named California user
- ☐Build or verify a deletion workflow that also triggers vendor deletion
- ☐Add a 'Do Not Sell or Share My Personal Information' link if chatbot data is shared/sold
- ☐Add a 'Limit Use of Sensitive Personal Information' mechanism if applicable
- ☐Log and respond to consumer rights requests within 45 days
- ☐Train customer support on CCPA chatbot data request handling
The AI Training Data Wrinkle
Many AI chatbot platforms — especially those built on foundation models — use customer conversation data to fine-tune or retrain their models. This practice has become a flashpoint under CCPA: if conversation data containing personal information about California consumers is used to train an AI model, that use may need to be disclosed, and consumers may have rights to opt out or request deletion.
The complication: deletion rights and AI training data don't fit cleanly together. If a consumer's conversation data was used in AI model training, "deleting" that data from the training dataset may be technically infeasible — the learned weights are baked into the model. California's approach to this tension is still evolving, but the safe practice is to: (1) not use customer conversation data for AI training without disclosure, (2) get contractual commitments from vendors about their training data practices, and (3) build opt-out mechanisms before regulators mandate them.
Frequently Asked Questions
Our chatbot doesn't ask users to identify themselves. Does CCPA still apply?
Likely yes. CCPA's definition of personal information includes any information 'that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.' IP address, device fingerprint, cookie identifiers, and browser signals collected during a chatbot session can meet this standard even without a name or email address. If you can link the session to an individual — even probabilistically — that data is personal information.
We use a chatbot only for internal employee support. Does CCPA apply?
CCPA provides a limited exemption for employee personal information used strictly in the employment context — B2B data and employment-related data are treated differently. However, if your internal chatbot handles California employees and processes their personal information (health queries, HR matters, payroll questions), the employment data exemption doesn't eliminate all obligations. California's employee privacy protections continue to evolve.
Our chatbot vendor says they're CCPA compliant. Do we still need to do anything?
Your vendor being 'CCPA compliant' means they're managing data in a way that helps their business comply. It doesn't complete your compliance obligations. You're the data controller (business) responsible for disclosing what data you collect and how you use it, offering consumer rights, and ensuring your vendor relationships are properly structured with data processing agreements. Your vendor's compliance attestation is an input to your compliance program, not a substitute for it.
What if a California user asks to delete their chatbot conversation history?
You must honor the request within 45 days (extendable to 90 with notice). This means retrieving all conversation data tied to the user, deleting it from your systems, and directing your chatbot vendor to delete their copies. If your vendor can't fulfill deletion requests within this window — or doesn't offer per-user deletion at all — that's a material CCPA compliance gap in your vendor relationship.
Most Chatbot Privacy Policies Are Already Out of Date
Chatbots have been deployed faster than privacy policies have been updated. If your privacy policy was last updated before your chatbot went live — or was never updated to reflect chatbot-specific data collection — California users have been interacting with an undisclosed data collection system.
The fix is more achievable than it sounds: audit what your chatbot collects, find out what your vendor does with that data, update your policy to reflect reality, and add deletion request handling to your consumer rights workflow. Most of this is policy and process work, not engineering — and the California AG's enforcement focus on AI-related privacy violations makes it worth doing now.