Skip to main content

Are You Talking To A Bot? New CA Law Makes Disclosure the Best Option

Welcome to July.   While the California Consumer Protection Act (“CCPA”) is certainly one of the most important pieces of privacy legislation affecting many businesses today, we want to remind our readers of another California initiative that may affect their operations, which we are calling the “Disclose Your Bots” law. 

A. What is the “Disclose Your Bots” law?

Starting today, it will be unlawful to use a “bot” defined as an “an automated online account where all or substantially all of the actions or posts of that account are not the result of a person” to communicate or interact with people, corporate entities, or government in California with the intent to deceive regarding the “artificial identity” of the bot to incentivize the sale of goods or services or influence votes in an election.    Good disclosure is a “safe harbor”:  The law specifically states that persons shall not be liable if they provide clear, conspicuous, disclosure designed to inform persons that the bot is a bot. 

B. How do I know if the “Disclose Your Bots" law applies to my situation?

We recommend looking at three aspects of the conduct: (1) where it is occurring, (2) how it is implemented, and (3) your goals of interacting with the person.   

  1. Where is the conduct occurring?

The “Disclose Your Bots” law regulates communicating with another person “online.”  Online is defined as meaning “appearing on any public-facing Internet Web site, Web application, or digital application, including a social network or publication.”  Thus if the conduct is occurring on a website, or app, it would be need this definition.  It is not clear if the use of interactive voice recognition via a telecommunications service would qualify.  The lines between voice communications delivered via Voice over Internet Protocol (“VOIP”) and a “digital application” as called out by the statute are blurry, for example:   

It is certainly probable that the law will apply to “internet of things” devices that use interactive voice features provided by software to allow the user to purchase goods or services. 

  1. How is it implemented?

Consider whether the communication is taking place without substantial human interaction.  If it is, it likely that implementation meets the definition of “an automated online account where all or substantially all of the actions or posts of that account are not the result of a person.” 

  1. Are you selling goods or services or trying to influence voting in an election? 

The “Disclose Your Bots” law speaks to “incentiviz[ing] a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election.”  As such, if you have a purely information website, for example, it would not apply. 

C. Should I disclose that I am using a bot?

Although it will be unlawful to use a bot “with the intent to deceive the ‘artificial identity’” of the bot under the circumstances as set forth in the law, you are not required to disclose that you are using a bot.   However, “a person using a bot shall not be liable under this section if the person discloses that it is a bot.” Disclosure should be clear and conspicuous.  The exact form of the communication will likely depend on how the bot is implemented, and the style of your communications service.  Consider using terms that make it clear that the bot is a piece of software, and not human, such as “virtual service provided by artificial intelligence.” 

D. How will enforcement take place? 

Enforcement and penalties are not specifically discussed.  However, if violations were to be enforced under California's false advertising law then penalties could include imprisonment up to six months (a misdemeanor offense) and/or fines not to exceed $2,500 per violation as provided by Business and Professions Code § 17500.

If you have any questions as to how your business may need to “Disclose Your Bots,” please do not hesitate to contact the team at Mintz.


Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.