The California Consumer Privacy Act (CCPA) took effect on the 1st of January, 2020, laying down a foundation of privacy rights for California residents. Fast forward to November 2020, when the California Privacy Rights Act (CPRA) was passed, building upon and enhancing the provisions of CCPA.
If you want to make your business CCPA and CPRA compliant, you need to make adjustments to your website or e-commerce store. And that’s where we come in!
Read on to learn how to prepare the pre-chat form to make your chat window compliant with the California Consumer Privacy Act and California Privacy Rights Act whenever you deem it necessary.
Please be aware that LiveChat cannot guarantee that your website is CCPA and CPRA compliant. It is your responsibility to ensure that your website complies with all applicable laws and regulations.
- California’s Privacy Legislation overview
- Handle the processing of your customers’ data
- Give your customers the right to access their data
- Let them know that they have the right to be forgotten
CCPA, enacted in 2018, was a pioneering privacy law aiming to provide California residents more control over their personal information. CPRA, on the other hand, refines and expands upon CCPA, introducing new provisions and a dedicated enforcement agency - the California Privacy Protection Agency (CPPA). The CCPA and CPRA are set to be the toughest privacy laws in the United States.
Both Acts, CCPA and CPRA, will apply to a business if it, or an entity it controls or that controls it, collects or receives personal information from California residents, either directly or indirectly, and meets one or more of the following criteria:
- Annual gross revenue exceeds $25 Million;
- Under CCPA, the entity annually receives, buys, sells or shares, directly or indirectly, the personal information of 50,000 or more California residents, devices, or households. However, under the CPRA amendment, to be defined as a qualifying business, companies must buy, sell, or share the personal information of 100,000 or more California consumers, devices, or households, doubling the amount required originally by the CCPA.
- Initially, the CCPA required that businesses get 50% or more of their annual revenue from the sale of personal information about California consumers. The CPRA expanded this threshold so that companies must get 50% or more of their annual revenue from selling or sharing California consumers’ personal information.
Non-compliance can result in hefty fines. Under CCPA, fines can go up to $2,500 per violation or $7,500 per intentional violation. There isn’t a cap on the total amount of fines that can be imposed. CPRA also adds administrative fines for intentional violations involving the sensitive personal information of individuals under 16 years of age, with fines of up to $7,500 for entities not adhering to the CPRA’s requirements. Businesses are given a period of 30 days to remedy alleged violations of the law before a fine can actually be assessed.
For example, a violation impacting 10,000 California consumers could carry a penalty of $25 million for an unintentional violation and as much as $75 million for an intentional one. Also, statutory damages can be between $100 and $750 per California resident “per incident,” or actual damages, whichever is greater. You may not receive a penalty for statutory damages once personal information is encrypted.
Now that you know if the Act applies to your company as well, let us show you how to make your LiveChat CCPA and CPRA compliant!
Here’s what you should remember:
Under the CCPA (California Consumer Privacy Act) and the CPRA (California Privacy Rights Act), businesses that process the personal information of California residents have various obligations. Below are only some of the primary obligations imposed on businesses:
- Notice Obligations: Businesses must provide consumers with clear and accessible privacy notices detailing the categories of personal information collected, the purposes for which it’s used, and the consumer rights available under the CCPA and CPRA. Under CPRA, this notice should also include whether the business sells or shares the personal information and whether it uses it for targeted advertising.
- Respond to Consumer Requests: Businesses must have mechanisms to respond to consumer requests for access, deletion, and opt-out within specific timeframes. For most requests, this is 45 days, which can be extended once for an additional 45 days when necessary.
- Implement Reasonable Security Measures: While the CCPA does not explicitly state this, it implies the need for reasonable security procedures and practices appropriate to the nature of the personal information. The CPRA emphasizes this further, making clear the requirement for businesses to implement reasonable security practices.
You should remember that with CCPA and CPRA, you are obliged to inform your customers that you and/or a third-party processor will gather their personal information and that you and/or a third-party processor will save cookies on their devices. There are two ways to do so:
- If you run an e-commerce store where your customers can make a purchase, you can modify the agreement between you and your customer so that it will include the information about the data processing that occurs during a chat.
- If you are not using LiveChat for sales purposes, you should still inform your website visitors that you gather and process their data during a chat. You can use our pre-chat form feature to do just that. Below we provide instructions on how to use the pre-chat form to make your chat widget CCPA and CPRA compliant, as well as ready-made examples of data protection acknowledgment.
Below we will provide you with step-by-step instructions on how to do so using our pre-chat form.
If you’d like to gather data processing consent from your customers, first visit the Pre-chat form section of your LiveChat settings. While there, add a new Multiple choice list field.
Now you can add your data processing consent under the Label section.
Don’t forget to mark your Multiple choice list as required! If you don’t, your customers will be able to start a chat without agreeing to the consent.
As your pre-chat form is ready now, press Save changes and you are ready to go!
If you’d like to get a better idea of what the data processing acknowledgement should look like, we prepared a few examples that you can use to adjust your pre-chat form.
- [Business notice]
I understand/acknowledge that the business handling my personal information is [your company name] with its registered office in [your business address]. I understand/acknowledge that my personal information shall be processed and transmitted in accordance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
- [Data processing acknowledgment, purpose, retention period, revocation]
I agree for my personal information, provided via chat, to be processed by [your company name] for the purposes of providing support via chat. I agree for my personal information to be processed for the time [e.g., needed to carry out the service]. I understand that this acknowledgment may be revoked by sending an email to: [your business email/your data protection officer’s email].
Both the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant California residents a set of specific rights concerning their personal information.
Here are the primary subject rights under the CCPA and CPRA:
- Right to Know/Access: Consumers have the right to request that businesses disclose the personal information they collect, use, share, or sell about them. They can also request details about specific pieces of personal information, categories of sources, business purposes for collecting or selling, and categories of third parties with whom the business shares personal information.
- Right to Delete: Consumers can ask businesses to delete the personal information they have collected from them, with certain exceptions.
- Right to Opt-Out: Consumers have the right to direct businesses not to sell their personal information. This is often referred to as the right to “opt-out” of the sale of personal information.
- Right to Correct (CPRA addition): The CPRA introduced the right for consumers to correct inaccurate personal information that a business holds about them.
Businesses that are subject to these regulations need to be aware of these rights and ensure mechanisms are in place to respect and respond to consumer requests appropriately.
With the advent of CPRA, ensuring precise and timely responses to information access requests has become more crucial. Have a plan to respond to requests submitted by the consumer under CPRA rules within the allotted 45-day period, with the possibility of another 45-day extension.
Give your customers the right to access their data
At LiveChat, we are giving you the option to provide your customers with the transcript of conversations and/or tickets that they created while interacting with your chat widget – and all of that with just a few easy steps.
To provide your customer with the transcript of the requested conversation, go to the Archives section of your LiveChat. While there, pick a requested chat from the list.
Now, click on the Send transcript button, available under the More menu at the top-right side of the conversation.
You will be prompted with a modal, asking you to provide an email address. To proceed, provide your customer’s email and click on Send copy.
We will now send the transcript of the conversation to the provided email address.
Tickets at LiveChat are automatically forwarded to your customers whenever an agent replies to their query via email or the LiveChat application. However, if your customer has deleted a ticket or would like to receive it again, simply go to the Tickets section of your LiveChat. While there, look for the desired entry.
Now you can resend a ticket by typing a message and hitting the Send button, or you can forward a ticket to another email address by adding more people.
Both the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) state that:
A consumer shall have the right to request that a business delete any personal information…
You as a business owner may decline a request to delete a customer’s personal information upon receiving such request for the following reasons:
- if it is necessary for the business;
- or if your service provider needs personal information under certain conditions.
However, if you ever face such a request and you have no reason to decline, we prepared an internal procedure that allows you to remove the requested conversation or a ticket from your LiveChat license. What’s more, we’ll take care of the hard part for you.
All you have to do is to tag a chat or a ticket that you would like for us to remove. You can create a separate tag and name it Delete, so that you will use it only when such requests arise.
After tagging a conversation or a ticket, send us an email at email@example.com, asking us to remove all the transcripts and/or tickets, marked with a specified tag.
After receiving the verification code, we will remove all of the requested data as soon as possible. Also, after fulfilling your request, one of our Support Heroes will send you an email confirmation, letting you know that the process has been taken care of.
If you have any questions about making your LiveChat CCPA compliant, feel free to start a chat with one of our Support Heroes. They are available 24/7 and are always ready to provide you with additional information on adjusting your LiveChat license.