Pricing
Go to app
User Name
Upgrade Help Center

Get ready for CCPA and CPRA!

Krzysztof Kraus
13 min read
updated: Nov 14, 2023

California Consumer Privacy Act (CCPA) took effect on the 1st of January, 2020, laying down a foundation of privacy rights for California residents. Fast forward to November 2020, the California Privacy Rights Act (CPRA) was passed, building upon and enhancing the provisions of CCPA. 

If you want to make your business CCPA and CPRA compliant, you need to make adjustments to your website or e-commerce store. And that’s where we come in!

Read on to learn how to prepare the pre-chat form to make your chat window compliant with the California Consumer Privacy Act and California Privacy Right Act whenever you deem it necessary. 

Please beware that LiveChat cannot guarantee that your website is CCPA and CPRA compliant. It is your responsibility to ensure that your website complies with all applicable laws and regulations.

The information provided here is not meant to be construed as legal advice. It is always recommended to seek guidance from a legal advisor to ensure compliance with your local applicable regulations, such as CCPA and CPRA. Therefore, we advise consulting with qualified legal counsel regarding your particular business and data processing circumstances.
The information provided here is not meant to be construed as legal advice. It is always recommended to seek guidance from a legal advisor to ensure compliance with your local applicable regulations, such as CCPA and CPRA. Therefore, we advise consulting with qualified legal counsel regarding your particular business and data processing circumstances.

California Privacy Legislation - overviewLink icon

What is the California Consumer Privacy Act (CCPA) Act and California Privacy Rights Act (CPRA)?Link icon

CCPA, enacted in 2018, was a pioneering privacy law aiming to provide California residents more control over their personal information. CPRA, on the other hand, refines and expands upon CCPA, introducing new provisions and a dedicated enforcement agency - the California Privacy Protection Agency (CPPA). The CCPA and CPRA are set to be the toughest privacy law in the United States.

Who should be concerned about it?Link icon

Both Acts, CCPA and CPRA, will apply to a business if it, or an entity it controls or that controls it, collects or receives personal information from California residents, either directly or indirectly, and meets one or more of the following criteria:

  1. Annual gross revenue exceeds $25 Million;
  2. Under CCPA the entity annually receives, buys, sells or shares, directly or indirectly, the personal information of 50,000 or more California residents, devices, or households; However, under the CPRA amendment, to be defined as a qualifying business, companies must buy, sell, or share the personal information of 100,000 or more California consumers, devices, or households, doubling the amount required originally by the CCPA
  3. Initially, the CCPA required that businesses get 50% or more of its annual revenue from the sale of personal information about California consumers. The CPRA expanded this threshold so that companies must get 50% or more of their annual revenue from selling or sharing California consumers’ personal information.

What are the penalties for non-compliance?Link icon

Non-compliance can result in hefty fines. Under CCPA, fines can go up to $2,500 per violation or $7,500 per intentional violation. There isn’t a cap on the total amount of fines that can be imposed. CPRA also adds administrative fines for intentional violations involving the sensitive personal information of individuals under 16 years of age, with fines of up to $7,500 for entities not adhering to the CPRA’s requirements. Businesses are given a period of 30 days to remedy alleged violations of the law before a fine can actually be assessed.

For example, a violation impacting 10,000 California consumers could carry a penalty of $25 million for an unintentional violation and as much as $75 million for an intentional one. Also, statutory damages can be between $100 and $750 per California resident “per incident,” or actual damages, whichever is greater. You may not receive a penalty for statutory damages once personal information are encrypted.

Now that you know if the Act applies to your company as well, let us show you how to make your LiveChat CCPA and CPRA compliant!

Here’s what you should remember:
Under the CCPA (California Consumer Privacy Act) and  the CPRA (California Privacy Rights Act), businesses that process the personal information of California residents have various obligations. Below are only some of the primary obligations imposed on businesses:

  1. Notice Obligations: Businesses must provide consumers with clear and accessible privacy notices detailing the categories of personal information collected, the purposes for which it’s used, and the consumer rights available under the CCPA and CRPA. Under CPRA, this notice should also include whether the business sells or shares the personal information and whether it uses it for targeted advertising.
  2. Respond to Consumer Requests: Businesses must have mechanisms to respond to consumer requests for access, deletion, and opt-out within specific timeframes. For most requests, this is 45 days, which can be extended once for an additional 45 days when necessary.
  3. Implement Reasonable Security Measures: While the CCPA does not explicitly state this, it implies the need for reasonable security procedures and practices appropriate to the nature of the personal information. The CPRA emphasizes this further, making clear the requirement for businesses to implement reasonable security practices.

Handle the processing of your customers’ dataLink icon

You should remember that with CCPA and CPRA, you are obliged to inform your customers that you and/or a third-party processor will gather their personal information and that you and/or a third-party processor will save cookies on their devices. There are two ways to do so:

  1. If you run an e-commerce store where your customers can make a purchase, you can modify the agreement between you and your customer so that it will include the information about the data processing that occurs during a chat.

  1. If you are not using LiveChat for sales purposes, you should still inform your website visitors that you gather and process their data during a chat. You can use our pre-chat form feature to do just that. Below we provide instructions on how to use the pre-chat form to make your chat widget CCPA and CPRA compliant, as well as ready-made examples of data protection acknowledgment.
Note that, in both cases, you have to make sure that the agreement and/or the consent will match your business agenda, based on what data you are processing, for what purpose or for how long you keep them.
Note that, in both cases, you have to make sure that the agreement and/or the consent will match your business agenda, based on what data you are processing, for what purpose or for how long you keep them.

Below we will provide you with the step-by-step instruction on how to do so with the use of our pre-chat form.

Adjust your pre-chat formLink icon

If you’d like to gather data processing consent from your customers, first visit the Pre-chat form section of your LiveChat settings. While there, add a new Multiple choice list field.

CCPA Multiple Choice List

Now you can add your data processing consent under the Label section.

CCPA Label Text

Don’t forget to mark your Multiple choice list as required! If you don’t, your customers will be able to start a chat without agreeing to the consent.

CCPA Required

As your pre-chat form is ready now, press Save changes and you are ready to go!

Please note that when you invite customers to chat manually, the pre-chat form will not be displayed even if it is enabled.
Please note that when you invite customers to chat manually, the pre-chat form will not be displayed even if it is enabled.

You can also link to your full privacy policy in the pre-chat form. Use the text editor in the input fields to create a clickable link. See this article for more details.

How to create a clickable link in the LiveChat Agent app.

If you’d like to get a better idea of what the data processing acknowledgement should look like, we prepared a few examples that you can use to adjust your pre-chat form.

Note that the data protection acknowledgements provided are to be considered as general examples and are not legal advice to meet CCPA and CPRA. Keep in mind that you’ll need to adapt these examples to fit your unique business and legal requirements each time.
Note that the data protection acknowledgements provided are to be considered as general examples and are not legal advice to meet CCPA and CPRA. Keep in mind that you’ll need to adapt these examples to fit your unique business and legal requirements each time.
  1. [Business notice]
    I understand/acknowledge that the business handling my personal information is [your company name] with its registered office in [your business address]. I understand/acknowledge that my personal information shall be processed and transmitted in accordance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
  2. [Data processing acknowledgment, purpose, retention period, revocation]
    I agree for my personal information, provided via chat, to be processed by [your company name] for the purposes of providing support via chat. I agree for my personal information to be processed for the time [e.g., needed to carry out the service]. I understand that this acknowledgment may be revoked by sending an email at: [your business email/your data protection officer’s email].

Understanding Your Consumer Rights Under CCPA and CPRALink icon

Both the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant California residents a set of specific rights concerning their personal information. 

Here are the primary subject rights under the CCPA and CPRA:

  1. Right to Know/Access: Consumers have the right to request that businesses disclose the personal information they collect, use, share, or sell about them. They can also request details about specific pieces of personal information, categories of sources, business purposes for collecting or selling, and categories of third parties with whom the business shares personal information.
  2. Right to Delete: Consumers can ask businesses to delete the personal information they have collected from them, with certain exceptions.
  3. Right to Opt-Out: Consumers have the right to direct businesses not to sell their personal information. This is often referred to as the right to “opt-out” of the sale of personal information.
  4. Right to Correct (CPRA addition): The CPRA introduced the right for consumers to correct inaccurate personal information that a business holds about them.

Businesses that are subject to these regulations need to be aware of these rights and ensure mechanisms are in place to respect and respond to consumer requests appropriately.

With the advent of CPRA, ensuring precise and timely responses to information access requests has become more crucial. Have a plan to respond to requests submitted by the consumer under CPRA rules within the allotted 45-day period, with the possibility of another 45-day extension.

Give your customers the right to access their data
At LiveChat, we are giving you the option to provide your customers with the transcript of conversations and/or tickets that they created while interacting with your chat widget – and all of that with just a few easy steps.

Copy of chat transcriptsLink icon

To provide your customer with the transcript of the requested conversation, go to the Archives section of your LiveChat. While there, pick a requested chat from the list.

CCPA Select Chat

Now, click on the Send transcript button, available under the More menu at the top-right side of the conversation.

CCPA Send Transcript

You will be prompted with a modal, asking you to provide an email address. To proceed, provide your customer’s email and click on Send copy.

CCPA Send Transcript Confirmation

We will now send the transcript of the conversation to the provided email address.

Copy of ticketsLink icon

Tickets at LiveChat are automatically forwarded to your customers, whenever an agent will reply to their query via email or LiveChat application. However, if your customer has deleted a ticket or simply would like to receive it again, simply go to the Tickets section of your LiveChat. While there, look for the desired entry.

CCPA Select Ticket

Now you can resend a ticket by simply typing a message and hitting Send button, or you can forward a ticket to another email address, by adding more people.

CCPA Add People

Let them know that they have the right to be forgottenLink icon

Both the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) state that:

A consumer shall have the right to request that a business delete any personal information…

You as a business owner may decline a request to delete a customer’s personal information upon receiving such request for the following reasons:

  • if it is necessary for the business;
  • or if your service provider needs personal information under certain conditions.

However, if you ever face such a request and you have no reason to decline, we prepared an internal procedure that allows you to remove the requested conversation or a ticket from your LiveChat license. What’s more, we’ll take care of the hard part for you.

What does the procedure look like?Link icon

All you have to do is to tag a chat or a ticket that you would like for us to remove. You can create a separate tag and name it Delete, so that you will use it only when such requests arise.

Not using tags at LiveChat or not entirely sure how to create a new one? Click here to learn more!
Not using tags at LiveChat or not entirely sure how to create a new one? Click here to learn more!

After tagging a conversation or a ticket, send us an email at support@livechat.com, asking us to remove all the transcripts and/or tickets, marked with a specified tag.

After processing your initial request, we may ask you to send us via chat a verification code from the email we have sent to the email address registered under your LiveChat subscription.
After processing your initial request, we may ask you to send us via chat a verification code from the email we have sent to the email address registered under your LiveChat subscription.

After receiving the verification code, we will remove all of the requested data as soon as possible. Also, after fulfilling your request, one of our Support Heroes will send you an email confirmation, letting you know that the process has been taken care of.

Questions?Link icon

If you have any questions about making your LiveChat CCPA compliant, feel free to start a chat with one of our Support Heroes. They are available 24/7 and are always ready to provide you with additional information on adjusting your LiveChat license.

Was this article helpful?

Got it!

Thanks for your feedback.

Thank you!

We’re happy to help.

RELATED ARTICLES

LiveChat: HIPAA and PCI compliance

Making LiveChat HIPAA compliant is now possible, with a dedicated guide that will show you how to prepare both, your chat and LiveChat app for agents!

Read the article

Prepare your chat for GDPR!

Making LiveChat GDPR compliant is our number one priority, that is why we prepared a short article that will help you adjust your chat window as well!

Read the article

Start using LiveChat now!

Free 14-day trial AI-driven features No credit card required

Still not convinced? Discover all LiveChat features

Discover text| products: