California Consumer Privacy Act (CCPA) took effect on the 1st of January, 2020, laying down a foundation of privacy rights for California residents. Fast forward to November 2020, the California Privacy Rights Act (CPRA) was passed, building upon and enhancing the provisions of CCPA.
To make your business CCPA and CPRA compliant, you need to make adjustments to your website or ecommerce store. And that’s where we come in!
Read on to learn how to prepare your website widget to be compliant with the California Consumer Privacy Act and California Privacy Rights Act whenever you deem it necessary.
Please be aware that we cannot guarantee that your website is CCPA and CPRA compliant. It is your responsibility to ensure that your website complies with all applicable laws and regulations.
The information provided here is not meant to be construed as legal advice. It is always recommended to seek guidance from a legal advisor to ensure compliance with your local applicable regulations, such as CCPA and CPRA. Therefore, we advise consulting with qualified legal counsel regarding your particular business and data processing circumstances.
California Privacy Legislation - overview
What are the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)?
The CCPA, enacted in 2018, was a pioneering privacy law aimed at providing California residents with more control over their personal information. CPRA, on the other hand, refines and expands upon CCPA, introducing new provisions and a dedicated enforcement agency - the California Privacy Protection Agency (CPPA). The CCPA and CPRA are set to be the toughest privacy laws in the United States.
Who should be concerned about it?
Both Acts, CCPA and CPRA, will apply to a business if it, or an entity it controls or that controls it, collects or receives personal information from California residents, either directly or indirectly, and meets one or more of the following criteria:
Annual gross revenue exceeds $25 million.
Under CCPA the entity annually receives, buys, sells or shares, directly or indirectly, the personal information of 50,000 or more California residents, devices, or households; However, under the CPRA amendment, to be defined as a qualifying business, companies must buy, sell, or share the personal information of 100,000 or more California consumers, devices, or households, doubling the amount required originally by the CCPA.
Initially, the CCPA required that businesses get 50% or more of their annual revenue from the sale of personal information about California consumers. The CPRA expanded this threshold so that companies must get 50% or more of their annual revenue from selling or sharing California consumers’ personal information.
What are the penalties for non-compliance?
Non-compliance can result in hefty fines. Under the CCPA, fines can range from $2,500 per violation to $7,500 per intentional violation. There isn’t a cap on the total amount of fines that can be imposed. CPRA also imposes administrative fines for intentional violations involving the sensitive personal information of individuals under 16 years of age, with fines of up to $7,500 for entities that fail to comply with the CPRA’s requirements. Businesses are given a period of 30 days to remedy alleged violations of the law before a fine can actually be assessed.
For example, a violation impacting 10,000 California consumers could carry a penalty of $25 million for an unintentional violation and as much as $75 million for an intentional one. Also, statutory damages can be between $100 and $750 per California resident “per incident,” or actual damages, whichever is greater. You may not receive a penalty for statutory damages once personal information is encrypted.
Now that you know if the Act applies to your company, let us show you how to make your LiveChat CCPA and CPRA compliant.
Here’s what you should remember:
Under the CCPA (California Consumer Privacy Act) and the CPRA (California Privacy Rights Act), businesses that process the personal information of California residents have various obligations. Below are only some of the primary obligations imposed on businesses:
Notice Obligations: Businesses must provide consumers with clear and accessible privacy notices detailing the categories of personal information collected, the purposes for which it’s used, and the consumer rights available under the CCPA and CRPA. Under the CPRA, this notice should also include whether the business sells or shares the personal information and whether it uses it for targeted advertising purposes.
Respond to Consumer Requests: Businesses must have mechanisms to respond to consumer requests for access, deletion, and opt-out within specific timeframes. For most requests, this is 45 days, which can be extended once for an additional 45 days when necessary.
Implement Reasonable Security Measures: While the CCPA does not explicitly state this, it implies the need for reasonable security procedures and practices appropriate to the nature of the personal information. The CPRA emphasizes this further, making clear the requirement for businesses to implement reasonable security practices.
Handle the processing of your customers’ data
You should remember that with CCPA and CPRA, you are obliged to inform your customers that you and/or a third-party processor will gather their personal information and that you and/or a third-party processor will save cookies on their devices. There are two ways to do so:
If you run an ecommerce store where customers can make purchases, you can modify the agreement between you and your customer to include information about the data processing that occurs during a chat.
If you are not using live chat for sales purposes, you should still inform your website visitors that you gather and process their data during a chat. You can use our Privacy note feature to do just that. Below, we provide instructions on how to use the Privacy note to make your website widget CCPA and CPRA compliant, as well as ready-made examples of data protection acknowledgment.
Note that, in both cases, you have to make sure that the agreement and/or the consent will match your business agenda, based on what data you are processing, for what purpose, or for how long you keep them.
Below, we will provide you with step-by-step instructions on how to do so using our Privacy note.
Adjust your Privacy note
The Privacy note is not enabled by default and contains no pre-filled text. You can customize and enable it yourself to meet your organization’s compliance requirements.
How to enable the Privacy note
1. In Text App, go to Settings → Channels → Website widgets.
2. Click the three dots icon next to your website.
3. Select Customize.
4. You’ll be redirected to the on-site configurator with a live preview of your widget.
5. Go to Language → Privacy policy to set and enable your privacy note.
6. Add your Privacy note.
7. (Optional) Add a link to your full Privacy Policy or Data Processing Agreement (DPA).
8. Click Save changes.
You can adjust the tone and formality of your privacy note to fit your brand voice.
Privacy note examples
If you’d like to get a better idea of what the data processing acknowledgement should look like, we prepared a few examples that you can use to adjust your Privacy note.
[Business notice]
I understand/acknowledge that the business handling my personal information is [your company name] with its registered office in [your business address].
I understand/acknowledge that my personal information shall be processed and transmitted in accordance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
[Data processing acknowledgment, purpose, retention period, revocation]
I agree for my personal information, provided via chat, to be processed by [your company name] for the purposes of providing support via chat. I agree for my personal information to be processed for the time [e.g., needed to carry out the service]. I understand that this acknowledgment may be revoked by sending an email at: [your business email/your data protection officer’s email].
Understanding your consumer rights under CCPA and CPRA
Both the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant California residents a set of specific rights concerning their personal information.
Here are the primary subject rights under the CCPA and CPRA:
Right to Know/Access: Consumers have the right to request that businesses disclose the personal information they collect, use, share, or sell about them. They can also request details about specific pieces of personal information, categories of sources, business purposes for collecting or selling, and categories of third parties with whom the business shares personal information.
Right to Delete: Consumers can ask businesses to delete the personal information they have collected from them, with certain exceptions.
Right to Opt-Out: Consumers have the right to direct businesses not to sell their personal information. This is often referred to as the right to “opt-out” of the sale of personal information.
Right to Correct (CPRA addition): The CPRA introduced the right for consumers to correct inaccurate personal information that a business holds about them.
Businesses that are subject to these regulations need to be aware of these rights and ensure mechanisms are in place to respect and respond to consumer requests appropriately.
With the advent of CPRA, ensuring precise and timely responses to information access requests has become more crucial. Have a plan to respond to requests submitted by consumers under CPRA rules within the allotted 45-day period, with the possibility of an additional 45-day extension.
The right to access your data
At Text, we are giving you the option to provide your customers with the transcript of conversations and/or tickets that they created while interacting with your website widget — and all of that with just a few easy steps.
Copy of chat transcripts
If you want to provide your website visitors with a transcript of a conversation they’ve requested, follow the steps below.
1. Go to the Archive section in your Text App.
2. Choose the requested chat from the list.
3. Click Send transcript under the More menu in the top-right corner of the conversation.
4. A modal will appear asking for an email address. Enter your customer’s email and click Send transcript to proceed.
We will now send the transcript of the conversation to the provided email address.
But that’s not all — the same rule applies to you. If you would like to retrieve your chat history with our support team, simply email us at support@text.com and request the data we have collected about you in Text App.
Please make sure to send the information retrieval request from the email address you use to log in to Text App. We will send a verification code to the email address associated with your Text App account, and will send over the information after receiving the code back from you.
Copy of tickets
When it comes to tickets, each one is automatically forwarded to your customer’s email whenever an agent replies to their query. However, if a customer asks you to resend a ticket, you can easily do so from the Tickets section of your Text App.
1. Go to the Tickets section and find the ticket in question.
2. Click on the ticket to open it.
3. To resend the ticket, simply write a new message and click Send. All messages within the ticket will be resent to the customer.
If you need to send the ticket to another email address, click Add recipients. Enter the new email address in the modal and click Save. After that, write a new message and click Send. The full ticket history will also be sent to the new address.
The right to be forgotten
Both the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) state that:
A consumer shall have the right to request that a business delete any personal information.
You, as a business owner, may decline a request to delete a customer’s personal information upon receiving such a request for the following reasons:
if it is necessary for the business;
or if your service provider needs personal information under certain conditions.
However, if you ever face such a request and you have no reason to decline, we have prepared an internal procedure that allows you to remove the requested conversation or a ticket from your Text App license. Moreover, we’ll take care of the hard part for you.
What does the procedure look like?
All you need to do is provide us with a chat or ticket ID (you can find it on the right side of the transcript in the application) or, if it’s multiple documents, tag the chats or tickets you would like us to remove. You can create a separate tag and name it 'Delete' so that you can use it only when such a request arises.
Not using tags in Text App yet, or unsure how to create one? Click here to learn more.
After tagging a conversation or ticket, please send us an email at support@text.com requesting that we remove all transcripts and/or tickets marked with the specified tag.
Please make sure to send the deletion request from the email address of an Owner or Admin of your account. We will send a verification code to the email address associated with your account and will delete the transcripts and/or tickets as soon as we get the code back from you.
After receiving an email, we will remove all of the requested data as soon as possible. Also, after fulfilling your request, one of our Support Heroes will send you an email confirmation to notify you that the process has been completed.
Questions?
If you have any questions about this article, feel free to start a chat with one of our Support Heroes. They are available 24/7 and always ready to provide additional information on adjusting your Text App license.