December 6, 2022

Volume XII, Number 340


December 05, 2022

Subscribe to Latest Legal News and Analysis

Are You Talking To A Bot? – New CA Law Makes Disclosure the Best Option

Welcome to July.   While the California Consumer Protection Act (“CCPA”) is certainly one of the most important pieces of privacy legislation affecting many businesses today, we want to remind our readers of another California initiative that may affect their operations, which we are calling the “Disclose Your Bots” law. 

  1. What is the “Disclose Your Bots” law?

Starting today, it will be unlawful to use a “bot” defined as an “an automated online account where all or substantially all of the actions or posts of that account are not the result of a person” to communicate or interact with people, corporate entities, or government in California with the intent to deceive regarding the “artificial identity” of the bot to incentivize the sale of goods or services or influence votes in an election.    Good disclosure is a “safe harbor”:  The law specifically states that persons shall not be liable if they provide clear, conspicuous, disclosure designed to inform persons that the bot is a bot. 

  1. How do I know if the “Disclose Your Bots law applies to my situation?

We recommend looking at three aspects of the conduct: (1) where it is occurring, (2) how it is implemented, and (3) your goals of interacting with the person.   

Where is the conduct occurring?

The “Disclose Your Bots” law regulates communicating with another person “online.”  Online is defined as meaning “appearing on any public-facing Internet Web site, Web application, or digital application, including a social network or publication.”  Thus if the conduct is occurring on a website, or app, it would be need this definition.  It is not clear if the use of interactive voice recognition via a telecommunications service would qualify.  The lines between voice communications delivered via Voice over Internet Protocol (“VOIP”) and a “digital application” as called out by the statute are blurry, for example:   

  • It is certainly probable that the law will apply to “internet of things” devices that use interactive voice features provided by software to allow the user to purchase goods or services. 

How is it implemented?

Consider whether the communication is taking place without substantial human interaction.  If it is, it likely that implementation meets the definition of “an automated online account where all or substantially all of the actions or posts of that account are not the result of a person.” 

Are you selling goods or services or trying to influence voting in an election? 

The “Disclose Your Bots” law speaks to “incentiviz[ing] a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election.”  As such, if you have a purely information website, for example, it would not apply. 

 Should I disclose that I am using a bot?

Although it will be unlawful to use a bot “with the intent to deceive the ‘artificial identity’” of the bot under the circumstances as set forth in the law, you are not required to disclose that you are using a bot.   However, “a person using a bot shall not be liable under this section if the person discloses that it is a bot.” (emphasis added)  Disclosure should be clear and conspicuous.  The exact form of the communication will likely depend on how the bot is implemented, and the style of your communications service.  Consider using terms that make it clear that the bot is a piece of software, and not human, such as “virtual service provided by artificial intelligence.” 

How will enforcement take place? 

Enforcement and penalties are not specifically discussed.  However, if violations were to be enforced under California's false advertising law then penalties could include imprisonment up to six months (a misdemeanor offense) and/or fines not to exceed $2,500 per violation as provided by Business and Professions Code § 17500.


©1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.National Law Review, Volume IX, Number 182

About this Author

Cynthia Larose Privacy Attorney Mintz Levin
Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

Brian H. Lam, Mintz Levin, software licensing lawyer, vendor agreements attorney

Brian Lam is a member of Mintz’s Privacy & Security Practice and Technology Transactions Practice. Brian focuses his practice on providing practical advice that enables companies to pursue their business in a competitive environment while reducing risk associated with the collection, use, storage, transfer, and potential loss of data. He frequently negotiates complex data-centric information technology agreements, and designs policies and corresponding controls for the implementation of best practices, compliance with state and federal law, and international considerations. He often...