The General Data Protection Regulation (GDPR) took effect on the 25th of May, 2018, and Lifesight guarantees that we comply completely with all the changes that were approved and implemented.
Essentials of GDPR for eCommerce
If the user has consented to the message and communication channel that you are offering, then you can continue to do as you always have. But if there was no consent, then you cannot send them marketing materials or advertise to them. If you don’t have explicit, unambiguous consent from the visitor to get these kinds of marketing messages, then you won’t be able to send them messages—or else face heavy fines.
Note! Emails collected using 3rd party apps or on the checkout of your store won't have a consent record in Lifesight, because per European GDPR law, consent may only be collected via a 1st party web form. Basically, we can't confirm that customers have given their consent if their details weren't collected by us.
If a user does consent to your storing and processing their personal data (through personalized marketing or advertising messages, for example) you have the obligation to make sure that that data is adequately protected. When it comes to exactly what “personal data” is, according to the GDPR the definition is pretty broad: any data that can be used alone or in combination to link to or point to a person.
This includes the visitor’s:
If a user asks you to change or delete their personal data, it’s best to do it sooner rather than later. With that, you’ll have nothing to worry about for this part of GDPR.
How Lifesight is helping merchants be GDPR-ready
Lifesight makes sure that all eCommerce merchants using our marketing automation platform are fully covered. We have done this in the following ways:
By using Lifesight, you agree not to import or send to any email address which:
A. You do not have explicit, provable permission to contact in relation to the topic of the email you’re sending.
B. You bought, loaned, rented or in any way acquired from a third party, no matter what they claim about quality or permission. You need to obtain permission yourself.
C. You haven’t contacted via email in the last 12 months.
D. You scraped or copied and pasted from the web.
What should I do if my contacts don't have a consent record?
European customers must have consent due to GDPR law and EU regulations, which state that a contact must be opted in in order to receive emails. So, you can send communication to these contacts at your own risk. US regulations do not require any legal form of consent, so a simple subscription box on checkout is enough in order to treat a contact as a legal subscriber, and a consent record isn't strictly needed. However, these contacts must be able to unsubscribe from your marketing campaigns.
Under the General Data Protection Regulation (GDPR), an organization must be able to justify each type of data processing activity it conducts, using one of six lawful bases of processing. In email marketing, which involves the processing of contacts’ personal data (such as email address and name), consent often makes sense as the lawful basis used to justify the data processing. Organizations using consent as a lawful basis for data processing need to be able to prove consent was freely given, and be prepared to share a record of consent with regulators, if asked. Additionally, data subjects must be able to withdraw consent at any time.
CCPA
Who must comply with the CCPA?
Businesses
Most CCPA requirements apply to “businesses” — companies that collect consumers’ personal information (on their own or using vendors) and use the information for their own purposes. These businesses determine “the purposes and means” of processing personal information. The CCPA applies to any “business” that:
Handles California residents’ personal information
Is “doing business” in California (e.g., engaging with individuals located in California through an ecommerce or interactive website or application)
Satisfies one or more of the following thresholds:
Has annual gross revenues of $25 million
Obtains, sells, or shares personal information of 50,000 or more California residents, households, or devices annually
Derives 50 percent or more of its annual revenues from “selling” California residents’ personal information (i.e., sharing or giving access to personal information to third parties for those parties’ own purposes)
The CCPA also imposes limited requirements on “service providers” — companies that process consumer personal information on behalf of a business. Businesses disclose personal information to service providers for a specific business purpose pursuant to a written contract. The CCPA requires service providers to process personal information only as necessary to provide their services.
What is classified as personal information under the CCPA?
The CCPA defines personal information very broadly to include information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. In practice, this broad definition means that information such as contact information, transaction data, Internet Protocol (IP) addresses, mobile device identifiers, clickstream data, and order details may be within the scope of the CCPA’s definition of personal information, and subject to the CCPA’s requirements.
What do I need to do to prepare?
The CCPA is a complex law. This article provides the key obligations under the CCPA for the benefit of our customers but does not take into account all individual circumstances that may apply to your business. Please contact your legal counsel for specific advice. If the CCPA is applicable to your business, you should consider the following:
Information regarding a consumer’s right to access, opt-out (if the business sells personal data), right to deletion, right of non-discrimination for invoking CCPA rights, and the right to designate an authorized agent
Two or more methods for submitting access and deletion requests, including a toll-free number (however, certain businesses that operate exclusively online are exempt from the toll-free number requirement)
A list of the categories of personal information it has collected about consumers in the preceding 12 months
A list of the categories of personal information it has sold about consumers in the preceding 12 months (or if the business has not sold consumers’ personal information in the preceding 12 months, the business should disclose that fact)
A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months (or if the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business should disclose that fact)
Opt-out rights
Consumers have the right at any time to opt-out of the sale of their personal data to third parties.
If the consumer is less than 13 years old, then a parent or guardian's affirmative consent (opt-in) is required before selling his or her personal information.
If the consumer is between 13-16 years old, then affirmative consent is required before selling his or her personal information.
Consumers have the right at any time to opt-out of their personal data being sold by a third party who has purchased the consumer's personal data from a business. The third party must stop selling upon receipt of the opt-out request unless a subsequent express authorization is provided by the consumer.
Access and deletion rights
Make available to consumers 2 or more designated methods for submitting requests for information required to be disclosed and/or deleted, including, at a minimum, a toll-free telephone number and a web address (if the business maintains a website).
A business must implement processes to verify a California resident’s identity before providing an individual with the right to access or delete personal information.
Once a request is received from a California resident and their identity is confirmed, complete the following as applicable:
Right to access: access disclosures must include, among other things, the (i) categories of personal information collected about that consumer (in the preceding 12 months), (ii) categories of sources from which the personal information is collected, (iii) business or commercial purpose for collecting or selling personal information, (iv) categories of third parties with whom the business shares personal information; and (v) specific pieces of personal information it has collected about that consumer.
Right of deletion: erasure requests must be completed by the business and its direct service providers. A number of exceptions exist, however, such as where the information is necessary to complete a transaction, provide goods or services requested by the consumer, comply with a legal obligation, or protect against and prosecute fraud and other illegal activity.
Consumer requests must be addressed within 45 days of receiving the request, by mail or electronically (in a usable format that allows the consumer to provide it to another entity) or through a user account (if the requestor has an active account).
Response time may be extended by an additional 45 days (during the first 45 days) if reasonably necessary (based on complexity and the number of requests) and if the requestor is notified of the extension (detailing the reasons why).
The request process must be free of charge.
Businesses are not required to carry out more than two requests in a 12-month period.
What is Lifesight's role under the CCPA?
Lifesight has no direct relationship with the individuals whose personal information is stored within our systems. Lifesight serves as a service provider, and our customers are the businesses, because we process end-user information on behalf of our customers.
What is Lifesight doing to help customers comply with the CCPA?