ChatGPT
Claude
Perplexity
Gemini
GrokWhat data does an AI chatbot collect on your college website?
An AI chatbot deployed on your college or university website starts collecting personal data the moment a prospective student types their first message. In the United States, that data collection sits at the intersection of several overlapping legal frameworks — and the framework that applies depends critically on whether the person interacting with your chatbot is a prospective student, an enrolled student, or someone in between.
Four categories of personal data flow through a typical higher education chatbot:
- Contact information volunteered by the user — name, email address, phone number.
- Academic interest data — program of interest, campus preference, enrollment timeline, degree level.
- Conversation content — the full text of the exchange, including questions and responses.
- Technical metadata — IP address, session timestamp, session ID, browser type, referral source.
72% of chatbot interactions on school websites are standard FAQ queries — each one a data processing event that must comply with applicable federal and state privacy law. (Source: Automated classification of 12,000 Skolbot conversations, 2025)
Understanding which law governs each data type is the first compliance obligation. For a comprehensive overview of privacy law across the full student data lifecycle, see our complete student data privacy guide.
The legal framework: FERPA, state laws, and the prospect/student distinction
The single most important compliance distinction for a college chatbot is this: FERPA governs education records of enrolled students — not prospective student data.
FERPA (Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g) protects education records maintained by institutions that receive federal funding. A high school junior asking your chatbot about tuition or campus housing is not an enrolled student — their data is not an education record, and FERPA does not protect it. Once that person enrolls and your chatbot accesses their financial aid status, their academic standing, or any other record maintained by the institution, FERPA applies with full force.
For prospective student data — the overwhelming majority of chatbot interactions in an admissions context — the governing frameworks are:
- FTC Act: prohibits unfair or deceptive trade practices, including misrepresenting data practices in your privacy policy.
- State consumer privacy laws: California (CCPA/CPRA), Virginia (CDPA), Colorado (CPA), Texas (TDPSA), Connecticut (CTDPA), and more than a dozen additional states as of 2026.
- COPPA: applies if your chatbot collects data from children under 13 — relevant for dual-enrollment programs, early college high school initiatives, or recruitment campaigns targeting younger audiences.
- State AI disclosure laws: California, Colorado, and other states now require disclosure that a user is interacting with an automated system.
Response time as a compliance incentive: an AI chatbot responds in 3 seconds, 24/7. Email averages 47 hours; contact forms, 72 hours. (Source: Skolbot mystery shopping audit, 2025, 80 FR institutions.) That speed advantage disappears immediately if a privacy enforcement action requires you to suspend your chatbot while an investigation proceeds.
What legal basis applies to each data type?
Unlike the EU's GDPR — which requires a documented legal basis for every processing activity — US law generally permits data collection with disclosure and opt-out rights rather than requiring opt-in consent. That said, the practical compliance approach for US higher education increasingly mirrors GDPR-style documentation, particularly for institutions operating in California or recruiting nationally.
| Data type | Applicable legal framework | Key compliance requirement | Retention best practice |
|---|---|---|---|
| Name and email (volunteered by prospect) | FTC Act, state privacy laws | Clear privacy notice at point of collection | <12 months after last active contact if no application |
| Phone number | FTC Act, state privacy laws, TCPA | Explicit opt-in for text/SMS marketing required under TCPA | <12 months after last active contact |
| Program interest and campus preference | FTC Act, state privacy laws | Disclose use in privacy notice; honor deletion requests | <12 months if no application submitted |
| Full conversation content | FTC Act, FERPA (if enrolled student), CCPA | Pre-chat privacy notice; auto-delete at 12 months | 12 months max; anonymize sensitive content within <30 days |
| IP address and session metadata | FTC Act, state privacy laws | Disclose in privacy policy; honor GPC signals under CPRA | <30 days; anonymize promptly |
| Anonymized conversation analytics | Not personal data if truly anonymized | Verify de-identification meets state law standards | Unlimited if properly anonymized |
FERPA and the enrolled student chatbot: if your chatbot is accessible to enrolled students — and most institutional chatbots are — you need a second compliance track for enrolled student interactions. Any chatbot response that retrieves, confirms, or implies information from an enrolled student's education record requires FERPA authorization. The vendor providing your chatbot may need to be designated as a "school official" under FERPA with a legitimate educational interest, and your contract with that vendor must restrict use of the data to that educational purpose. The Student Privacy Policy Office at the US Department of Education provides specific guidance on third-party vendor designations under FERPA.
Data minimization: collecting less is a legal and competitive advantage
US law does not use the term "data minimization" with the same statutory force as GDPR, but the NIST Privacy Framework (2024) and the FTC's guidance on privacy-by-design both endorse the principle: collect only what you need, for the stated purpose, for as long as necessary.
For a college AI chatbot, data minimization means:
- Do not ask for a phone number if all follow-up communication happens by email.
- Do not ask for date of birth unless it is necessary to verify program eligibility (e.g., a program with a minimum age requirement).
- Do not retain full conversation transcripts indefinitely. Conversations that did not result in an application have no operational purpose after 12 months.
- Anonymize IP addresses promptly — ideally within 24–48 hours of the session.
- Do not run advertising pixels within the chatbot interface without a valid consent and opt-out mechanism.
Beyond legal compliance, data minimization reduces your breach exposure. A chatbot that retains five years of conversation transcripts is a substantially larger liability than one that auto-deletes after 12 months. For California residents, CCPA/CPRA also limits the use of personal information to purposes reasonably necessary and proportionate to the disclosed purpose — which functionally requires the same analysis.
Special categories: sensitive data that requires extra caution
Prospects frequently share information in chatbot conversations that they do not recognize as legally sensitive. Under CCPA/CPRA and several other state statutes, certain categories of personal information trigger heightened obligations:
- Health data and disability information: "I have a mobility impairment — is your campus accessible?"
- Racial or ethnic origin (sensitive personal information under CCPA): "As a first-generation college student from a Latino family…"
- Sexual orientation (sensitive personal information under CCPA): questions about LGBTQ+ campus resources.
- Financial hardship indicators: questions about emergency aid, food banks, or housing assistance.
- Immigration status: questions about DACA student support or visa requirements.
Under CCPA/CPRA, sensitive personal information has additional handling requirements: you must provide a right to limit its use and disclosure, and you may not use it for purposes beyond what is reasonably expected. For minors under 16, California requires opt-in consent before selling or sharing their sensitive personal information.
Practical configuration requirements for your chatbot:
- Implement automated scanning to flag conversations containing sensitive categories.
- Automatically anonymize or delete flagged content within <30 days.
- Do not use conversations containing sensitive personal information to train or fine-tune the AI model without explicit user consent.
- Restrict access to conversation archives to staff with a documented operational need.
AI risk assessment: the US equivalent of a DPIA
The EU's GDPR requires a Data Protection Impact Assessment (DPIA) before high-risk processing. The US does not have a single equivalent requirement, but three overlapping frameworks create a de facto obligation to conduct pre-deployment risk assessment for AI chatbots:
NIST AI Risk Management Framework (AI RMF 2.0, 2024) provides a structured approach to identifying and mitigating AI risks, including privacy risks from automated data collection. The NIST AI RMF is increasingly referenced by state regulators and federal agencies as the expected standard of care for AI deployments.
Colorado AI Act (effective 2026) requires deployers of high-risk AI systems — including systems that interact with consumers in employment, education, and financial services — to implement risk management policies and provide transparency disclosures. A college chatbot that influences admissions processes may qualify as a high-risk AI system under Colorado's definition.
FTC enforcement expectations: the FTC has signaled in multiple guidance documents and enforcement actions that AI deployments without documented risk assessment and bias testing are likely to be viewed as unfair or deceptive practices under Section 5 of the FTC Act.
Document your pre-deployment AI risk assessment and update it whenever the chatbot system undergoes material changes. This documentation is the first thing a regulator will request in any enforcement inquiry.
Transparency and user rights: what your chatbot must disclose
Every prospect interacting with your chatbot is entitled to specific disclosures before data collection begins. These disclosures are required by FTC transparency standards, multiple state privacy laws, and AI disclosure statutes.
The opening screen or first interaction of your chatbot must include:
- AI identity disclosure: "You are interacting with an AI assistant, not a human counselor." This is legally required in California, Colorado, and several other states — and is FTC best practice nationally.
- Data collection notice: what personal data is collected during the conversation and how it is used.
- Retention period: "Conversation content is retained for up to 12 months."
- Rights and contact: how to request access to, correction of, or deletion of conversation data.
Prospects have the following rights under applicable state law that your institution must be operationally capable of honoring:
- Right to access (CCPA and most state statutes): provide a copy of all data collected within 45 days of request.
- Right to deletion (CCPA and most state statutes): delete personal information upon verified request, within 45 days.
- Right to correction (CCPA/CPRA and several state statutes): correct inaccurate personal information.
- Right to opt out of sale/sharing (CCPA/CPRA and similar state statutes): stop sharing data with third-party advertising platforms.
- Right to limit use of sensitive personal information (CCPA/CPRA): restrict processing of sensitive categories.
For Common App users and students who interact with your chatbot after submitting an application through Common App, be aware that Common App's data sharing practices with member institutions create a separate layer of privacy obligations that your chatbot deployment should not conflict with.
Practical privacy checklist for a compliant US college AI chatbot
Use this checklist as a starting point for your internal audit. For a complete privacy and FERPA audit process, see our data privacy audit checklist for schools.
- Chatbot data processing documented in your institution's privacy policy and vendor inventory
- Pre-deployment AI risk assessment completed and documented (NIST AI RMF or equivalent)
- Data processing agreement with chatbot vendor in place, including FERPA school official designation if applicable
- Sub-processors (hosting provider, AI model provider) identified and subject to appropriate agreements
- AI identity disclosure present at start of every chatbot session
- Privacy notice displayed before or at first interaction (purpose, data types, retention, rights)
- Data retention limits technically configured (auto-delete after 12 months)
- Automatic anonymization of sensitive conversation content within <30 days configured
- "Do Not Sell or Share My Personal Information" opt-out mechanism for California residents
- Global Privacy Control (GPC) signal detection enabled
- COPPA compliance verified for any program recruiting under-13 users
- Process for responding to access, deletion, and correction requests within 45 days
FAQ
Does FERPA apply to our AI chatbot's conversations with prospective students?
No — FERPA applies to education records of enrolled students, not to data about prospective students who have not yet enrolled. A high school senior asking your chatbot about tuition, campus life, or application deadlines is providing personal information that is governed by FTC Act transparency requirements and applicable state privacy laws (primarily CCPA if they are a California resident), not by FERPA. FERPA enters the picture the moment the chatbot accesses, displays, or implies information from an enrolled student's education record. At that point, the chatbot vendor may need to be formally designated as a "school official" under FERPA, and your contract with that vendor must restrict data use to the legitimate educational purpose. The Student Privacy Policy Office publishes practical guidance on this distinction.
What disclosures are required before the chatbot collects data from a prospective student?
At minimum: a clear statement that the user is interacting with an AI system (not a human counselor), a description of what personal information is collected and how it is used, the retention period for conversation data, and instructions for exercising data rights (access, deletion, correction). Several states — including California, Colorado, and Texas — legally require the AI identity disclosure. The FTC considers failure to disclose that a consumer is interacting with an AI to be a deceptive practice under Section 5 of the FTC Act. Best practice is to display these disclosures in the chatbot's opening message, not just in a linked privacy policy that most users will never read.
How long can we retain chatbot conversation data under US law?
No federal statute sets a maximum retention period for prospective student conversation data. The FTC and state privacy laws require that data be retained only as long as necessary for the stated purpose. Consistent with NIST Privacy Framework principles and EDUCAUSE guidance: retain conversation data from prospects who did not apply for no more than 12 months after the last interaction; retain conversation data from applicants who did not enroll for up to 24 months; auto-delete or anonymize any sensitive personal information (disability status, financial hardship, health information) within 30 days regardless of the overall retention schedule. For enrolled students, FERPA record retention requirements apply — academic records must be permanently retained, but conversation logs that do not constitute education records should follow the same 12-month best practice. Document your retention schedule in your privacy policy and enforce it through automated CRM and vendor purging.
What happens if our chatbot collects data from a user under 13?
COPPA applies, and the compliance obligations are strict. Before collecting any personal information from a child under 13, you must obtain verifiable parental consent — not a checkbox, but documented parental authorization. For most four-year colleges, this situation arises in dual-enrollment programs, early college high school partnerships, or recruitment campaigns that reach younger audiences through social media. Practical steps: configure your chatbot to ask for age at the start of the session; if the user indicates they are under 13, suspend data collection and direct them to a non-data-collecting resource. Review your chatbot vendor's FTC COPPA compliance documentation and ensure your contract addresses COPPA obligations explicitly.
Does our college need a formal AI risk assessment before deploying a chatbot?
Yes — for any institution that takes privacy compliance seriously, and legally required for institutions subject to Colorado's AI Act (2026) or operating under a state regulatory framework that references NIST AI RMF. Beyond legal obligation, a documented pre-deployment risk assessment is the FTC's expected standard of care for AI deployments affecting consumers. The assessment should cover: data inputs and outputs, potential for bias in responses, security of conversation data, FERPA implications for enrolled student access, sub-processor data flows, and retention and deletion procedures. Update the assessment whenever the chatbot system undergoes material changes — new AI model, new data sources, new use cases. Our privacy audit checklist for schools includes an AI risk assessment template adapted for higher education.
AI chatbot privacy compliance for US colleges is not a one-time implementation task. The patchwork of federal and state privacy laws is expanding rapidly — more than five additional states are projected to enact comprehensive privacy legislation before the end of 2026, and federal AI legislation is advancing. The institutions that navigate this complexity best are those that build privacy into their chatbot infrastructure from the first conversation, treating data minimization and transparency not as compliance burdens but as trust signals for the prospective students they are trying to recruit.
Test Skolbot on your institution in 30 seconds
