What an AI chatbot actually collects about your prospects
An AI chatbot deployed on a Canadian post-secondary recruitment website begins collecting personal data from the very first interaction — long before a prospect types their name. IP address, session timestamp, typed messages, program consulted: each of these elements constitutes personal information under the Personal Information Protection and Electronic Documents Act (PIPEDA) and, for institutions operating in Québec, under Loi 25 (Loi modernisant des dispositions législatives en matière de protection des renseignements personnels).
72% of questions submitted to school chatbots are automatable FAQ inquiries, 21% require institution-specific context, and 7% require a human. (Source: automated classification of 12,000 Skolbot conversations, 2025.) Each of those 12,000 conversations is a processing activity subject to PIPEDA. The chatbot holds a decisive operational advantage over other channels: average response time of 3 seconds, 24/7, versus 47 hours by email and 72 hours by web form (Source: Skolbot mystery-shopping audit, 2025, 80 Canadian institutions). Capturing that advantage requires a privacy-compliant data collection infrastructure.
Typical data categories collected by a post-secondary chatbot in Canada:
- Conversational data — message text, timestamps, session language, session duration
- Voluntarily provided identifiers — first name, last name, email address, phone number (when a prospect shares these in order to receive a follow-up)
- Interest data — program(s) browsed, target credential level, study mode sought (full-time, co-op, online)
- Voluntarily provided demographics — citizenship status, province of residence, country of origin (when collected via an embedded form)
- Technical data — IP address, device type, browser, session identifier
The Office of the Privacy Commissioner of Canada (OPC) requires that each processing activity carried out via a chatbot rest on an identified legal basis, and that individuals be informed of that processing at the outset of the interaction. Québec's Commission d'accès à l'information (CAI) imposes parallel obligations under Loi 25, with stricter requirements around automated decision-making disclosure. For a complete map of the personal information your institution processes, see our complete PIPEDA and student data guide.
The legal bases applicable to each data category
PIPEDA is a consent-based statute, but it recognises that consent is not always required. The Act identifies circumstances in which collection, use, or disclosure is permitted without consent. Four scenarios cover nearly all chatbot processing at a Canadian institution:
Consent (PIPEDA Principle 3 / Loi 25 art. 12) — The individual has provided meaningful, informed, and freely given consent. This is the appropriate basis for subsequent marketing communications (re-engagement, newsletters, open house invitations) triggered by chatbot interactions. Consent must be obtained through an active mechanism (unchecked checkbox), timestamped, and retained as evidence. Under Loi 25, consent must be manifest, free, and enlightened — and may not be obtained as a condition of service.
Contractual necessity / reasonable purpose (PIPEDA Principle 4.3.4) — Collection is for a purpose that a reasonable person would consider appropriate in the circumstances. For example, when a prospect requests program fee information or admission requirements, processing their email to send the requested documentation satisfies this standard.
Legitimate business purpose (PIPEDA Principle 4.3.5) — Processing is necessary for a legitimate purpose, provided individual interests are not overridden. Analysis of anonymised conversations to improve chatbot quality may fall under this basis. Note: the interest-balancing analysis should be documented, particularly if the institution is subject to Loi 25, which requires a Privacy Impact Assessment (PIA) before any new processing involving personal information.
Legal obligation — Rarely applicable to the chatbot itself, but relevant if data collected must be retained for regulatory traceability (e.g., evidence of pre-contractual disclosure to an international student under IRCC requirements).
For sensitive personal information — see the following section — Loi 25 and PIPEDA both require explicit consent or a specific statutory authority.
The minimisation principle: collect only what is necessary
Data minimisation — the principle that only adequate, relevant, and limited personal information should be collected — is the most frequently violated principle in post-secondary chatbot deployments. PIPEDA's Principle 4.4 (Limiting Collection) and Loi 25 Article 5 both impose this standard.
What this means concretely for your institution's chatbot:
- The chatbot must not require an email to answer a question about programs. An email address is necessary only if the prospect wants a follow-up or wants to receive a document.
- Citizenship status should not be collected systematically. It becomes relevant only when a prospect asks about scholarships restricted to specific nationalities, study permits under IRCC, or provincial differential fees for out-of-province students.
- Precise date of birth is unnecessary if the chatbot merely needs to determine whether the prospect is a high school student or already holds a college-level credential. A study-level indicator is sufficient.
- Full conversation logs must not be retained indefinitely. The purpose of retention (service improvement, CRM transfer) must be defined before the chatbot goes live, not after.
The CAI has issued guidance specific to AI systems emphasising that a PIA must precede deployment and that privacy-by-design is mandatory under Loi 25 — minimisation must be built in, not retrofitted.
Sensitive personal information: citizenship, health, socioeconomic status
Some information collectible via a post-secondary chatbot falls into categories that require heightened protection under both PIPEDA and Loi 25.
Citizenship and immigration status: citizenship is not inherently sensitive personal information under PIPEDA or Loi 25. However, where its collection can reveal national or ethnic origin, both statutes apply stricter rules. A chatbot that collects citizenship to segment prospects (e.g., "domestic vs. international") must assess whether this constitutes indirect ethnic profiling.
Health and disability: prospects seeking information about accessibility services, exam accommodations, or disability support services may inadvertently share health-related information. The chatbot should be configured to not record such information in unprotected free-text fields. Where collection is necessary (routing to a disability services office), it must be based on explicit informed consent under Loi 25 Article 12, with a clear prior disclosure.
Financial situation: requests about bursaries, OSAP eligibility, provincial student loans, or fee waivers may reveal socioeconomic circumstances. While not categorically "sensitive" under all provincial frameworks, such information requires a robust legal basis and appropriate security measures.
Practical rule: configure your chatbot to detect sensitive topics and redirect to a human agent or a secure form, rather than collecting this information through the standard conversational interface.
Data categories, legal bases, and retention periods
| Data type | Legal basis | Retention period | Notes |
|---|---|---|---|
| Conversation messages (anonymised) | Legitimate purpose (PIPEDA 4.3.5) / Loi 25 art. 12 | <12 months | For service improvement — anonymisation mandatory |
| Email + name (qualified prospect) | Consent or contractual necessity | 3 years after last active contact | Automated purging required |
| Phone number | Consent (CASL for electronic marketing) | 3 years after last active contact | Separate consent required for telemarketing |
| Program(s) of interest | Legitimate purpose | Linked to prospect profile | Document in privacy management record |
| Citizenship / immigration status | Consent or contractual necessity | Linked to prospect profile | Assess risk of ethnic origin inference |
| Age / study level | Legitimate purpose | Linked to prospect profile | Necessary to direct prospect to correct program |
| IP address (non-anonymised) | Legitimate purpose | <13 months | OPC recommends prompt anonymisation |
| Health or disability data | Explicit informed consent (Loi 25 art. 12) | Strictly necessary | Do not collect in standard chatbot interface |
| Technical session logs | Legitimate purpose | <3 months | Security and debugging only |
Privacy Impact Assessment (PIA): when does your chatbot trigger one?
Under Loi 25 (Article 3.3), a Privacy Impact Assessment (PIA — évaluation des facteurs relatifs à la vie privée, EFVP) is mandatory before any new technology project involving personal information, including deploying or significantly modifying a chatbot. This is not a risk threshold — it is a blanket requirement for Québec-based institutions, regardless of scale.
Under PIPEDA, the OPC strongly recommends a PIA for high-risk processing activities, including:
- Large-scale processing: a chatbot handling thousands of conversations monthly at a post-secondary institution readily qualifies
- Profiling: if the chatbot qualifies the prospect (warm/cold, program recommendation, enrolment probability) from their interactions, this is profiling under PIPEDA
- Sensitive information: collection of information that could reveal immigration status, disability, or financial situation
- Transfers outside Canada: if your chatbot provider uses servers or language models hosted in the United States or elsewhere, this triggers a cross-border transfer obligation under PIPEDA Section 4.1.3 and Loi 25 Article 17
The PIA documents: the processing description, necessity and proportionality assessment, identified risks, and mitigation measures. If residual risks cannot be mitigated, Québec institutions must consult the CAI before proceeding (Loi 25 Art. 3.3.1).
For technical and organisational obligations, our PIPEDA audit checklist for Canadian schools covers the 20 key points, including the chatbot PIA.
Implementing compliant data collection: the chatbot interface
PIPEDA and Loi 25 compliance for a chatbot operates at three levels: prior disclosure, consent mechanism, and individual rights.
Prior disclosure (transparency)
Before the first exchange, the chatbot must display a welcome message including:
- The identity of the organisation collecting data (the institution)
- The purpose of the processing (answering questions, qualifying the prospect)
- A link to the full privacy policy
- The disclosure that the interlocutor is an artificial intelligence system (required under Loi 25 Art. 22.1 for automated processing involving personal information; reinforced by Canada's proposed AIDA framework)
Compliant example: "I'm [Chatbot Name], [Institution]'s AI assistant. Your conversation is processed according to our [privacy policy]. To exercise your rights, contact privacy@[institution].ca."
Integrated consent mechanism
Where the chatbot collects email or phone number, an active consent mechanism must precede that collection:
- Unchecked checkbox for marketing communications
- Separate disclosure for each purpose (re-engagement, newsletter, open house invitation)
- Timestamp and retention of proof of consent (mandatory under Loi 25)
Individual rights: access, correction, deletion
Prospects must be able to exercise their rights through a simple channel. Common practice: display the privacy contact address in the chatbot interface and the privacy policy. A response to a deletion request must occur within 30 days (Loi 25) and cover all systems: chatbot logs, CRM, email platform, analytics with identifying data, and backups.
FAQ
Does PIPEDA or Loi 25 require a PIA for a chatbot that only answers FAQs without collecting email addresses?
Under Loi 25, a PIA is required for any new technology involving personal information — including a chatbot that processes IP addresses and conversation logs, regardless of whether it collects an email address. PIPEDA does not impose the same blanket requirement but strongly recommends a PIA where there is a real risk to individuals. Practically, any chatbot processing session data at scale in Québec requires a PIA before going live. Document the scope, purpose, and data flows; this is the first document the CAI will request in an investigation.
What are the retention periods for chatbot conversations in Canada?
The OPC and CAI both require that personal information be retained only as long as necessary for the identified purpose. For service improvement: anonymised logs may be retained up to 12 months. For qualified prospects (email provided): 3 years after last active contact aligns with general commercial practice and OPC guidance. Technical logs (debugging, security) should not be retained beyond 3 months. These periods must appear in your privacy management record (required under Loi 25) and be enforced through automated purging — not annual manual cleanup.
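One way to enforce the periods from the retention table and this answer with an automated sweep, shown as an added example rather than code from Skolbot or any chatbot product. The record fields, the type labels, and the 30-day month and 365-day year are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone

# Limits from the retention table. Categories "linked to prospect profile"
# follow the contact record and are not listed separately here.
RETENTION = {
    "conversation_anonymised": timedelta(days=12 * 30),  # <12 months
    "contact": timedelta(days=3 * 365),   # email, name, phone: 3 years
    "ip_address": timedelta(days=13 * 30),               # <13 months
    "technical_log": timedelta(days=3 * 30),             # <3 months
}
# The clock for these runs from the last active contact, not from collection.
CLOCK_FROM_LAST_CONTACT = {"contact"}


def expiry(record):
    """Return the moment by which a record of a known type must be gone."""
    start = record["collected_at"]
    if record["type"] in CLOCK_FROM_LAST_CONTACT:
        start = record.get("last_contact_at") or start
    return start + RETENTION[record["type"]]


def sweep(records, now):
    """Return (kept_ids, purged_ids, unclassified_ids) as of `now`."""
    kept, purged, unclassified = [], [], []
    for rec in records:
        if rec["type"] not in RETENTION:
            # No documented purpose or period: surface it for review.
            unclassified.append(rec["id"])
        elif expiry(rec) <= now:   # limits are "less than", so purge at the mark
            purged.append(rec["id"])
        else:
            kept.append(rec["id"])
    return kept, purged, unclassified


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample records, not real data.
SAMPLE = [
    {"id": "r1", "type": "technical_log", "collected_at": _utc(2025, 2, 1)},
    {"id": "r2", "type": "technical_log", "collected_at": _utc(2025, 4, 1)},
    {"id": "r3", "type": "contact", "collected_at": _utc(2021, 1, 1),
     "last_contact_at": _utc(2024, 1, 1)},
    {"id": "r4", "type": "contact", "collected_at": _utc(2021, 1, 1)},
    {"id": "r5", "type": "health_note", "collected_at": _utc(2025, 5, 1)},
    {"id": "r6", "type": "ip_address", "collected_at": _utc(2024, 4, 1)},
]
```

Running the sweep on a schedule, and treating a non-empty unclassified list as an alert, is what turns the documented periods into enforced ones.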
Can the chatbot transfer prospect data to the CRM without additional consent?
This depends on the original legal basis and the purpose of the CRM use. If initial collection was for a purpose consistent with enrolment follow-up, transfer to the CRM for admissions tracking is generally compatible under PIPEDA's consistency principle. However, using that data for marketing campaigns not directly related to the original request (advertising retargeting, promotional emails) requires specific consent — and that consent must have been collected before the transfer. Under CASL, any commercial electronic message requires express or implied consent. Document the CRM transfer purpose explicitly in your privacy management record.
How must a Canadian institution disclose that a prospect is interacting with an AI?
Loi 25 (Article 22.1) requires disclosure when personal information is processed in a way that involves exclusively automated decision-making that significantly affects the individual. More broadly, Canada's draft Artificial Intelligence and Data Act (AIDA, Bill C-27) — anticipated to be adopted in some form — and general OPC transparency guidance require that users understand when they are interacting with an AI system. Best practice: a chatbot name that signals AI (e.g., "Skolbot, AI Assistant"), a welcome message explicitly identifying the system as AI, and a visual indicator. This single well-designed welcome message can satisfy both the Loi 25 transparency obligation and the AI disclosure requirement simultaneously.
What happens if a prospect spontaneously discloses health or disability information in the chatbot?
Configure your chatbot to detect sensitive topic keywords (health, disability, financial hardship) and trigger a redirect response: "To best support you on this, our accessibility services team will reach out directly. Would you like to leave your contact details?" Do not store the sensitive disclosure in standard conversation logs. If full session logging is technically unavoidable, the sensitive field must be masked or deleted before archiving. The risk: health or disability information finding its way into a marketing CRM without the explicit consent required under Loi 25 and PIPEDA.
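The detect-and-redirect rule from the sensitive-information section and this answer, as an added example that is not code from Skolbot or any chatbot product. The keyword patterns, function names and log format are constructed assumptions; the redirect text is the one quoted above.

```python
import re

# Constructed keyword patterns for the three topics named above (assumption:
# a real deployment would use a reviewed English and French vocabulary).
SENSITIVE = {
    "health": r"\b(diagnos\w*|medication|depression|anxiety|chronic|therapy)\b",
    "disability": r"\b(disabilit\w*|wheelchair|adhd|dyslexi\w*|accommodations?)\b",
    "financial_hardship": r"\b(can'?t afford|debt|bankrupt\w*|fee waiver|low[- ]income)\b",
}
PATTERNS = {t: re.compile(p, re.IGNORECASE) for t, p in SENSITIVE.items()}

REDIRECT = ("To best support you on this, our accessibility services team will "
            "reach out directly. Would you like to leave your contact details?")
MASK = "[REDACTED: sensitive disclosure]"


def classify(message):
    """Return the sorted list of sensitive topics matched in a message."""
    return sorted(t for t, rx in PATTERNS.items() if rx.search(message))


def handle_turn(message, log):
    """Handle one user message; return (reply_or_None, topics).

    On a match, neither the text nor the topic label is written to the
    standard log. The topics go back to the caller only, to route the handoff.
    """
    topics = classify(message)
    if topics:
        log.append({"text": MASK, "handoff": True})
        return REDIRECT, topics
    log.append({"text": message, "handoff": False})
    return None, topics  # the normal chatbot pipeline answers


def scrub_for_archive(raw_messages):
    """Mask sensitive messages when full session logging was unavoidable."""
    return [MASK if classify(m) else m for m in raw_messages]
```

Keyword matching errs toward false positives (a question about a therapy program also triggers the handoff), which is the safer failure direction for this rule.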



