{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,28]],"date-time":"2026-03-28T15:01:32Z","timestamp":1774710092834,"version":"3.50.1"},"reference-count":108,"publisher":"Association for Computing Machinery (ACM)","issue":"7","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2025,9,30]]},"abstract":"<jats:p>Ensuring data privacy is a major challenge for software developers, especially in chatbots, where balancing privacy protection with response quality is key, given the need for conversation-driven development and data protection regulations. This research identifies privacy requirements and techniques for chatbot development through a literature review, privacy policy analysis, and a practitioner survey. The methodology includes a Systematic Literature Review (SLR), an adapted Gray Literature Review (GLR), privacy requirement formulation, and validation via a survey. Based on the SLR and GLR, eight privacy requirements are proposed, covering personal information protection, user authentication, access control, secure communication, database safety, user rights empowerment, decentralized storage, and reliable infrastructure. Survey results highlight foundational measures like secure communication and scalable infrastructures as priorities, while advanced measures such as decentralized storage or privacy rights implementation scored lower due to complexity and cost. Practitioners also stressed clarity and verifiability, citing gaps in definitions, examples, and validation criteria as challenges to adoption.<\/jats:p>","DOI":"10.1145\/3730578","type":"journal-article","created":{"date-parts":[[2025,4,18]],"date-time":"2025-04-18T10:41:21Z","timestamp":1744972881000},"page":"1-44","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["Privacy in Chatbot Conversation-Driven Development: A Comprehensive Review and Requirements Proposal"],"prefix":"10.1145","volume":"34","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0304-0804","authenticated-orcid":false,"given":"Geovana Ramos Sousa","family":"Silva","sequence":"first","affiliation":[{"name":"Universidade de Bras\u00edlia (UnB), Department of Computer Science, Brasilia, Brazil"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2159-339X","authenticated-orcid":false,"given":"Edna Dias","family":"Canedo","sequence":"additional","affiliation":[{"name":"Universidade de Bras\u00edlia (UnB), Department of Computer Science, Brasilia, Brazil"}]}],"member":"320","published-online":{"date-parts":[[2025,8,14]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2021.3078384"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1007\/s42979-020-00255-3"},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1109\/SIU.2018.8404430"},{"issue":"1","key":"e_1_3_2_5_2","first-page":"11","article-title":"An investigation of the accuracy of knowledge graph-base search engines: Google knowledge Graph, Bing Satori and Wolfram Alpha","volume":"12","author":"Musa Aliyu Farouk","year":"2021","unstructured":"Farouk Musa Aliyu and Yusuf Isah Yahaya. 2021. An investigation of the accuracy of knowledge graph-base search engines: Google knowledge Graph, Bing Satori and Wolfram Alpha. International Journal of Scientific & Engineering Research 12, 1 (2021), 11\u201315.","journal-title":"International Journal of Scientific & Engineering Research"},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.5220\/0010708600003058"},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.giq.2018.10.001"},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/RE.2018.00023"},{"key":"e_1_3_2_9_2","volume-title":"Guidelines for Performing Systematic Literature Reviews in Software Engineering","author":"Barbara Kitchenham","year":"2007","unstructured":"Kitchenham Barbara and Stuart Charters. 2007. Guidelines for Performing Systematic Literature Reviews in Software Engineering. Technical Report. Keele University, UK."},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1177\/2053951716646135"},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1155\/2022\/9601630"},{"key":"e_1_3_2_12_2","unstructured":"Brasil. 2012. Lei N\u00ba 13.709 de 14 de agosto de 2018\u2014Lei Geral de Prote\u00e7\u00e3o de Dados Pessoais (LGPD). Retrieved June 16 2023 from https:\/\/www.planalto.gov.br\/ccivil_03\/_ato2015-2018\/2018\/lei\/l13709.htm"},{"key":"e_1_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.csl.2021.101269"},{"key":"e_1_3_2_14_2","first-page":"449","article-title":"Risk and its effect on complying with international privacy laws","volume":"9","author":"Buresh Donald Lee","year":"2022","unstructured":"Donald Lee Buresh. 2022. Risk and its effect on complying with international privacy laws. Indonesian Journal of International & Comparative Law 9 (2022), 449.","journal-title":"Indonesian Journal of International & Comparative Law"},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1007\/s00766-022-00391-7"},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.1109\/RE51729.2021.00013"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.2196\/43135"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1145\/3432924"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1145\/3334480.3382951"},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1145\/3475716.3484190"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1145\/3623809.3623875"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-05014-5_16"},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1145\/3195555.3195563"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1145\/3306446.3340823"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.47975\/IJDL.magalhaes.v.2.n.2"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-82786-1_18"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-82786-1_18"},{"key":"e_1_3_2_28_2","unstructured":"European Commission. 2016. Regulation (EU) 2016\/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data and Repealing Directive 95\/46\/EC (General Data Protection Regulation) (Text with EEA Relevance). Retrieved from https:\/\/eur-lex.europa.eu\/eli\/reg\/2016\/679\/oj"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1109\/EIConCIT50028.2021.9431861"},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1145\/3342775.3342784"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-17705-8_13"},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1145\/3568444.3568454"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1109\/IWSSIP58668.2023.10180265"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1145\/3313831.3376651"},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2018.09.006"},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.25776\/t6m4-e786"},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103207"},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.1007\/s43681-021-00095-8"},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.24251\/HICSS.2020.319"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1002\/cpe.6426"},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-39540-7_3"},{"key":"e_1_3_2_42_2","unstructured":"ISO. 2005. ISO\/IEC 27001:2022\u2014Information Security Management Systems (ISO\/IEC 27001:2022 ed.). Technical Report. International Organization for Standardization Vernier Geneva Switzerland. Retrieved from https:\/\/www.iso.org\/standard\/27001"},{"key":"e_1_3_2_43_2","unstructured":"ISO. 2011. ISO\/IEC 29100:2011\u2014Information Technology\u2014Security Techniques\u2014Privacy Framework (ISO\/IEC 29100:2011 ed.). Technical Report. International Organization for Standardization Vernier Geneva Switzerland. Retrieved from https:\/\/www.iso.org\/standard\/45123.html"},{"key":"e_1_3_2_44_2","unstructured":"ISO. 2019. ISO\/IEC 27701:2019\u2014Security Techniques\u2014Extension to ISO\/IEC 27001 and ISO\/IEC 27002 for Privacy Information Management\u2014Requirements and Guidelines (ISO\/IEC 27701:2019 ed.). Technical Report. International Organization for Standardization Vernier Geneva Switzerland. Retrieved from https:\/\/www.iso.org\/standard\/71670.html"},{"key":"e_1_3_2_45_2","unstructured":"ISO. 2023. ISO\u2014International Organization for Standardization. Retrieved August 16 2023 from https:\/\/www.iso.org\/home.html"},{"key":"e_1_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1186\/s40537-016-0059-y"},{"key":"e_1_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.14445\/22312803\/IJCTT-V50P120"},{"key":"e_1_3_2_48_2","doi-asserted-by":"publisher","DOI":"10.1145\/1989323.1989345"},{"key":"e_1_3_2_49_2","volume-title":"Procedures for Performing Systematic Reviews","author":"Kitchenham Barbara","year":"2004","unstructured":"Barbara Kitchenham. 2004. Procedures for Performing Systematic Reviews. Keele University, Keele, UK."},{"key":"e_1_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2013.07.010"},{"key":"e_1_3_2_51_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2022.3165938"},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.24251\/HICSS.2019.245"},{"key":"e_1_3_2_53_2","volume-title":"Conversational AI with Rasa: Build, Test, and Deploy AI-Powered, Enterprise-Grade Virtual Assistants and Chatbots","author":"Kong Xiaoquan","year":"2021","unstructured":"Xiaoquan Kong, Guan Wang, and Alan Nichol. 2021. Conversational AI with Rasa: Build, Test, and Deploy AI-Powered, Enterprise-Grade Virtual Assistants and Chatbots. Packt Publishing Ltd."},{"key":"e_1_3_2_54_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2022.3201144"},{"key":"e_1_3_2_55_2","doi-asserted-by":"publisher","unstructured":"He Li Lu Yu and Wu He. 2019. The impact of GDPR on global technology development Journal of Global Information Technology Management 22 1 (2019) 1\u20136. DOI: 10.1080\/1097198X.2019.1569186.","DOI":"10.1080\/1097198X.2019.1569186"},{"key":"e_1_3_2_56_2","doi-asserted-by":"publisher","DOI":"10.1155\/2022\/2508690"},{"key":"e_1_3_2_57_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2020.03.039"},{"key":"e_1_3_2_58_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.procs.2021.08.012"},{"key":"e_1_3_2_59_2","doi-asserted-by":"publisher","DOI":"10.24136\/eq.2021.012"},{"key":"e_1_3_2_60_2","doi-asserted-by":"publisher","DOI":"10.1108\/ICS-04-2019-0048"},{"key":"e_1_3_2_61_2","doi-asserted-by":"publisher","DOI":"10.1080\/17538157.2021.1983578"},{"key":"e_1_3_2_62_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jbi.2014.01.011"},{"key":"e_1_3_2_63_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2020.106294"},{"key":"e_1_3_2_64_2","first-page":"17","article-title":"Talking to bots: Symbiotic agency and the case of Tay","volume":"10","author":"Neff Gina","year":"2016","unstructured":"Gina Neff. 2016. Talking to bots: Symbiotic agency and the case of Tay. International Journal of Communication 10 (2016), 17.","journal-title":"International Journal of Communication"},{"issue":"2","key":"e_1_3_2_65_2","first-page":"531","article-title":"Design intelligent educational chatbot for information retrieval based on integrated knowledge bases","volume":"49","author":"Nguyen Hien D.","year":"2022","unstructured":"Hien D. Nguyen, Tuan-Vi Tran, Xuan-Thien Pham, Anh T. Huynh, Vuong T. Pham, and Diem Nguyen. 2022. Design intelligent educational chatbot for information retrieval based on integrated knowledge bases. IAENG International Journal of Computer Science 49, 2 (2022), 531\u2013541.","journal-title":"IAENG International Journal of Computer Science"},{"key":"e_1_3_2_66_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.chb.2021.107093"},{"key":"e_1_3_2_67_2","unstructured":"Alan Nichol. 2020. Conversation-Driven Development. Retrieved July 29 2023 from https:\/\/rasa.com\/blog\/conversation-driven-development-a-better-approach-to-building-ai-assistants"},{"key":"e_1_3_2_68_2","doi-asserted-by":"publisher","DOI":"10.2196\/33717"},{"key":"e_1_3_2_69_2","first-page":"27730","volume-title":"Advances in Neural Information Processing Systems","volume":"35","author":"Ouyang Long","year":"2022","unstructured":"Long Ouyang, Jeffrey Wu, Xu Jiang, Diogo Almeida, Carroll Wainwright, Pamela Mishkin, Chong Zhang, Sandhini Agarwal, Katarina Slama, Alex Ray, et al. 2022. Training language models to follow instructions with human feedback. In Advances in Neural Information Processing Systems. S. Koyejo, S. Mohamed, A. Agarwal, D. Belgrave, K. Cho, and A. Oh (Eds.), Vol. 35, Curran Associates, Inc., 27730\u201327744. Retrieved from https:\/\/proceedings.neurips.cc\/paper_files\/paper\/2022\/file\/b1efde53be364a73914f58805a001731-Paper-Conference.pdf"},{"key":"e_1_3_2_70_2","doi-asserted-by":"publisher","DOI":"10.4018\/JGIM.20211101.OA53"},{"key":"e_1_3_2_71_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-06417-3_59"},{"key":"e_1_3_2_72_2","doi-asserted-by":"publisher","unstructured":"Geovana Ramos Sousa Silva and Edna Dias Canedo. 2024. Privacy Requirements for Chatbot Conversation-Driven Development: A Systematic Review. DOI: 10.5281\/zenodo.10800538","DOI":"10.5281\/zenodo.10800538"},{"key":"e_1_3_2_73_2","unstructured":"Rasa. 2023. Introduction to Rasa Open Source & Rasa Pro. Retrieved July 24 2023 from https:\/\/rasa.com\/docs\/rasa"},{"key":"e_1_3_2_74_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISSA.2010.5588297"},{"key":"e_1_3_2_75_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3000662"},{"key":"e_1_3_2_76_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-78642-7_53"},{"key":"e_1_3_2_77_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2023.107162"},{"key":"e_1_3_2_78_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2022.3143323"},{"key":"e_1_3_2_79_2","doi-asserted-by":"publisher","DOI":"10.1007\/s41019-015-0001-x"},{"key":"e_1_3_2_80_2","doi-asserted-by":"publisher","DOI":"10.1155\/2018\/5978636"},{"key":"e_1_3_2_81_2","doi-asserted-by":"publisher","DOI":"10.1109\/RE48521.2020.00025"},{"key":"e_1_3_2_82_2","unstructured":"UNCTAD. 2023. Data Protection and Privacy Legislation Worldwide. Retrieved August 8 2023 from https:\/\/unctad.org\/page\/data-protection-and-privacy-legislation-worldwide"},{"key":"e_1_3_2_83_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4842-4888-1_6"},{"key":"e_1_3_2_84_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-29044-2_4"},{"key":"e_1_3_2_85_2","doi-asserted-by":"publisher","DOI":"10.1109\/RE54965.2022.00040"},{"key":"e_1_3_2_86_2","doi-asserted-by":"publisher","DOI":"10.3390\/app13116355"},{"key":"e_1_3_2_87_2","doi-asserted-by":"publisher","DOI":"10.1109\/SEC50012.2020.00057"},{"key":"e_1_3_2_88_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2016.2577036"},{"key":"e_1_3_2_89_2","doi-asserted-by":"publisher","DOI":"10.1145\/3389685"},{"key":"e_1_3_2_90_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10506-016-9182-5"},{"key":"e_1_3_3_2_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.autcon.2022.104390"},{"key":"e_1_3_3_3_2","doi-asserted-by":"publisher","DOI":"10.1145\/3276954.3276958"},{"key":"e_1_3_3_4_2","doi-asserted-by":"publisher","DOI":"10.3390\/electronics10060666"},{"key":"e_1_3_3_5_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICICCS56967.2023.10142289"},{"key":"e_1_3_3_6_2","doi-asserted-by":"publisher","DOI":"10.59324\/ejaset.2024.2(4).02"},{"key":"e_1_3_3_7_2","first-page":"1","volume-title":"Workshop on the Future of Privacy Notices and Indicators, at the 12th Symposium on Usable Privacy and Security (SOUPS \u201916)","author":"Harkous Hamza","year":"2016","unstructured":"Hamza Harkous, Kassem Fawaz, Kang G. Shin, and Karl Aberer. 2016. \\(\\{\\) PriBots \\(\\}\\) : Conversational privacy with chatbots. In Workshop on the Future of Privacy Notices and Indicators, at the 12th Symposium on Usable Privacy and Security (SOUPS \u201916). usenix.org, 1\u20136."},{"key":"e_1_3_3_8_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-02613-4_50"},{"key":"e_1_3_3_9_2","doi-asserted-by":"publisher","DOI":"10.1145\/3617072.3617106"},{"key":"e_1_3_3_10_2","doi-asserted-by":"publisher","DOI":"10.1145\/3582515.3609536"},{"key":"e_1_3_3_11_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00095"},{"key":"e_1_3_3_12_2","doi-asserted-by":"publisher","DOI":"10.3850\/978-981-18-2016-8_221-cd"},{"key":"e_1_3_3_13_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-07475-2_21"},{"key":"e_1_3_3_14_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10270-023-01131-3"},{"key":"e_1_3_3_15_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jbi.2019.103305"},{"key":"e_1_3_3_16_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICOEI56765.2023.10125731"},{"key":"e_1_3_3_17_2","doi-asserted-by":"publisher","DOI":"10.1109\/SmartWorld-UIC-ATC-ScalCom-DigitalTwin-PriComp-Metaverse56740.2022.00160"},{"key":"e_1_3_3_18_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICAC57685.2022.10025250"},{"key":"e_1_3_3_19_2","doi-asserted-by":"publisher","DOI":"10.1145\/3659625"},{"key":"e_1_3_3_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/DSN58367.2023.00061"}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3730578","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,2,27]],"date-time":"2026-02-27T21:48:23Z","timestamp":1772228903000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3730578"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,8,14]]},"references-count":108,"journal-issue":{"issue":"7","published-print":{"date-parts":[[2025,9,30]]}},"alternative-id":["10.1145\/3730578"],"URL":"https:\/\/doi.org\/10.1145\/3730578","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,8,14]]},"assertion":[{"value":"2024-07-26","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-04-08","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-08-14","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}