Compliance FAQ

Before we jump in, we need to include one incredibly important detail (aka disclaimer): We are not attorneys and these FAQ and responses are not intended to be legal advice and should not be used in place of seeking advice from your attorney. 

GDPR


What is GDPR?

The General Data Protection Regulation (GDPR) is a privacy and security law, put into effect May 25, 2018, to protect the personally identifiable information (PII) of EU citizens. It imposes obligations on businesses and organizations, regardless of their location, so long as they collect and process the personal data of EU citizens or residents (data subjects). GDPR applies to the processing of PII regardless of the company's size or the amount of annual revenue it generates.

Who does GDPR apply to?

The GDPR applies to the processing of personal data by a business/entity acting as a data controller or processor, regardless of whether the processing takes place in the EU.

What is considered personal data under the GDPR?

Under Article 4 of the GDPR, personal data is any information that relates to an individual who can be directly or indirectly identified by reference to an identifier, such as:

  • A name
  • Identification number
  • Location data
  • Online identifiers

It can also include one or more of the following factors specific to the data subject: 

  • Physiological
  • Genetic
  • Mental
  • Economic
  • Cultural
  • Social identity

What are the rights of data subjects?

There are eight rights under the GDPR that data subjects are entitled to and all companies must adhere to in their data privacy policies and data processing practices. 

The right to:

  • Transparency of information – transparent information on what data is being collected and which third parties/data processors will have access to it
  • Access – allows the data subject to access their personal data that is in a controller’s possession. Data subjects have the right to know, and controllers have the obligation to disclose:
    • Why and how the data is being used
    • Categories of personal data collected
    • Who has access to the data
    • How long the data will be retained
    • How to exercise their data subject rights
    • How the data was collected/obtained
    • Any use of profiling or automated decision making
  • Rectification – correction or modification of data if the data subject believes it is inaccurate or out of date
  • Erasure – deletion of personal data when:
    • The personal data is no longer required for the original purpose for which it was collected
    • Consent is withdrawn by the data subject for the purpose for which the personal data is being processed
    • The data subject objects to the processing of personal data and there are no legitimate grounds for further processing
    • Personal data was unlawfully processed
    • Erasure is required to comply with a legal obligation in the jurisdiction where the controller is located
  • Restriction of processing – a halt on further processing of personal data if:
    • The accuracy of the data is disputed
    • The data subject objects to unlawful processing
    • The data is no longer required for the original purpose for which it was collected but is retained in defense of a legal claim
  • Data portability – the data subject’s right to receive the personal data held by the data controller in a commonly used format, or to have it sent to another data controller
  • Object – the controller must stop further processing of personal data unless the data controller:
    • can demonstrate a legitimate reason for the continued processing of the personal data which overrides the interests, rights and freedoms of the data subject, or
    • requires the processing in defense of a legal claim
  • Not be subject to automated profiling and individual decision making – data subjects shall not be subject to a decision based solely on automated processing or profiling that results in a negative impact to the data subject. The following exceptions apply:
    • When necessary to enter into or execute a contract
    • With authorization from the EU or a Member State, using safeguards to protect the data subject’s interests and freedoms
    • With explicit consent of the data subject

Is Lucky Orange GDPR compliant?

Lucky Orange, as a service provider and data processor, is GDPR compliant. 

Take a look at the Lucky Orange Privacy Statement to see how Lucky Orange processes personal data. 

What steps did Lucky Orange take in preparation for the GDPR?

We put forth a lot of effort when we prepared for the GDPR including:

Can you use Lucky Orange and remain GDPR compliant?

Yes, you can. Out of the box, Lucky Orange anonymizes keystroke data shown in Session Recordings. Characters within form fields, such as checkout or sign-up forms, are replaced with an asterisk before any data is sent. By reducing the collection of PI and sensitive data, there’s less risk for all parties.

Also, Lucky Orange users can enable text scrambling to keep sensitive data from being accidentally sent to our servers. Neither you nor Lucky Orange receives any personal or sensitive data in the data transmission process.

What do you need to do to be GDPR compliant?

Various data privacy laws impose different obligations on controllers and processors of data. 

As a data processor, Lucky Orange fulfills its own legal and compliance obligations under GDPR and the California Consumer Privacy Act (CCPA).

Merchants, as controllers, have their own separate obligations they must consider that are dependent upon the types of data they collect on their site, products sold, and their industry. 

Although Lucky Orange can’t advise you as to what you need to be compliant, we can provide links to some tools and resources:

  • Data privacy management tool: Allows site visitors to opt-out of any further tracking on pages where Lucky Orange is installed.  
  • Opt-out button: You can add an opt-out privacy button from your site directly. You can also link visitors to the Lucky Orange privacy page, which includes a button to opt-out globally from all sites that use Lucky Orange. 
  • Security overview: Learn more about everything Lucky Orange does to keep your visitors' data protected and what you need to know. 

Does Lucky Orange have a Data Processing Agreement?

Yes, we do. Incorporated into the Lucky Orange Terms and Conditions is the Lucky Orange Data Processing Addendum (DPA) which applies to all data transfers using the Lucky Orange Service. Also incorporated are the Standard Contractual Clauses (SCCs) that apply to all data transfers subject to the GDPR. 

We understand the need to have the DPA separately executed and are always happy to separately execute the DPA when a customer signs up with Lucky Orange or as requested. 

If you are a current Lucky Orange customer that needs to separately execute a DPA, please contact us at privacy@luckyorange.com.

Does Lucky Orange list their subprocessors? 

Yes, we do. Lucky Orange’s subprocessors are listed as Appendix 3 to the Lucky Orange DPA/SCCs located here.

Does Lucky Orange notify its customers of changes to its subprocessors?

Updates to the Lucky Orange Terms, DPA, and Subprocessors can be found here along with the date last updated.


CCPA

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a comprehensive data privacy law enacted in the U.S. that applies to consumer protection and the individual privacy rights of California residents. This law became effective on Jan. 1, 2020.

The CCPA is focused on how California residents’ personal information (PI) is handled by businesses and other third parties.

What is considered “personal information” under the CCPA?

Section 1798.140 of the CCPA defines personal information as:

“Information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” 

Examples of identifiers and personal information covered by the CCPA include (but are not limited to):

  • Name (real and/or alias)
  • Postal address
  • Unique personal identifier
  • IP address
  • Email address
  • Account name
  • Social Security number
  • Driver’s license number
  • Passport number
  • Property records
  • Biometric info
  • Employment related data
  • Internet search and browsing history

What rights do consumers have under the CCPA?

Section 1798.100-125 outlines the rights of consumers along with any business exemptions: 

  • Receive notice before or at the time of collection that lists:
    • the specific categories of personal information that will be collected
    • the sources from which the personal information was collected
    • the purpose of use
    • the categories of third parties the personal information will be shared with
    • the specific pieces of personal information the business has collected
  • Request that a business delete any personal information the business has collected
    • Businesses must also instruct their service providers to delete any personal information they have received about the consumer.
    • Exceptions apply when:
      • The information is needed to fulfill the terms of a warranty or product recall, to provide goods or services requested by the consumer or expected within the business’s ongoing relationship with the consumer, or to perform the contract between the business and the consumer
      • Other exceptions can be found in Section 1798.105(d) of the CCPA
  • Request that a business that sells, discloses or collects personal information disclose, upon receipt of a verified consumer request, the:
    • Categories of personal information it has collected, disclosed for a business purpose or sold (or intends to sell)
    • Categories of sources from which the personal information was collected
    • Purpose of collection or sale
    • Categories of third parties the personal information is shared with or sold to
    • Specific pieces of personal information collected about the consumer
  • Consumer opt-out – businesses cannot sell personal information after receiving an opt-out request unless authorization is given allowing for continued processing of personal data
    • Businesses must also provide this notice to any third parties the personal information was or may be sold to
  • Non-discrimination for exercising consumer rights under the CCPA
    • If a consumer exercises their rights under the CCPA, a business may not discriminate against the consumer by:
      • Denying goods or services
      • Charging a different price for goods or services, imposing penalties, or denying the ability to use discounts or eligible benefits
      • Providing a different level or quality of goods or services
      • Suggesting or implying that the consumer will receive a price, rate or level of quality different from what is normally offered

Is Lucky Orange CCPA compliant?

Yes, Lucky Orange as a service provider is CCPA (and GDPR) compliant.

What has Lucky Orange done to prepare for CCPA?

Lucky Orange was well prepared for the CCPA to become effective, having already taken the measures required to become compliant with the GDPR. CCPA-specific steps included:

  • Updating our Terms of Service, Privacy Statement, and DPA to account for CCPA-specific requirements
  • Updating the Access Request Form to account for consumer requests and response-time language as applicable to CCPA-specific requirements

How does CCPA impact Lucky Orange?

  • Although Lucky Orange is not directly required to comply with the CCPA, since we do not meet its thresholds, we still want our customers to feel comfortable and confident in their compliance efforts while using the Lucky Orange Service.
  • Under the CCPA, Lucky Orange customers (if they meet the CCPA requirements) are considered “businesses” and Lucky Orange is your “service provider”.
  • As a service provider, Lucky Orange is responsible for processing data collected by your website via the Lucky Orange Service. This data is then stored on our third-party data center servers.

Who does the CCPA apply to?

The CCPA applies to the collection and sale of the personal information of California residents. However, the CCPA only applies if a company does business in California (an online presence counts) and meets one of the following criteria: 

  • More than USD 25 million in annual revenue
  • Annually purchases, receives, sells or shares, for commercial purposes, in combination or alone, the personal information of 50,000 or more consumers, households, or devices
  • Derives more than half of its annual revenue from selling personal information (PI)

If you don't meet these thresholds, do you still need to comply?

The short answer? Maybe. If a small company has a contract with another business that is required to comply with the CCPA, then the contract with that business might have terms requiring the small company to comply with CCPA. 

It’s best to check with your legal counsel to confirm.

If data is anonymized or has been stripped of any identifiable information, does CCPA still apply?

It is unlikely that the CCPA would apply if any identifying information has been removed from the data. The CCPA does not limit the use of deidentified data.

Can you use Lucky Orange and remain CCPA compliant?

Absolutely. 

Out of the box, Lucky Orange anonymizes keystroke data. Characters within form fields are replaced with an asterisk before any data is sent. Reducing the collection of PI and sensitive data means less risk for all parties.

Also, Lucky Orange users can enable text scrambling to keep sensitive data from being accidentally sent to our servers. Neither you nor Lucky Orange receives any personal or sensitive data in the data transmission process.


HIPAA

Is Lucky Orange HIPAA compliant?

Because Lucky Orange is a software as a service (SaaS) provider, compliance with HIPAA resides with and is reliant upon the data transmitted through the Service by the Customer. 

Transmission of sensitive data through or imported into the Service is prohibited as stated in the Lucky Orange Terms and Conditions.

Does Lucky Orange accept or sign Business Associate Agreements (BAAs)?

As Lucky Orange prohibits the transmission of sensitive data (personal health data or PHI as defined by HIPAA) through the Service, Lucky Orange is unable to sign and/or accept Business Associate Agreements. 

The terms contained in BAAs are in direct conflict with Lucky Orange policies against the transmission of sensitive data through the Lucky Orange platform (in accordance with the Lucky Orange Terms and Conditions). 

In addition to the Terms and Conditions, terms of the Lucky Orange Data Processing Addendum apply to all data transfers through the Lucky Orange Service.

What is the Privacy Shield Framework?

Designed by the U.S. Department of Commerce, the European Commission and the Swiss Administration, the EU-U.S. and Swiss-U.S. Privacy Shield Framework is intended to provide companies with a method to comply with data protection requirements, and a standard for them, when transferring personal data between the EU or Switzerland and the U.S.

Is Lucky Orange Privacy Shield Certified?

Yes, Lucky Orange is certified for both EU-U.S. and Swiss-U.S. non-HR data. You can view Lucky Orange’s certification status by going here.


General

Does Lucky Orange monitor changes in regulations to keep up with the changing laws and their requirements?

Yes, we do. Lucky Orange has a dedicated internal compliance team that monitors for newly proposed legislation and keeps current on changes to existing compliance and data privacy laws to understand their impacts to Lucky Orange practices and potential impact to its customers. 

Does Lucky Orange sell personal information? 

Lucky Orange does not disclose or resell personal information for any other commercial purpose, except in certain cases where the personal information has been pseudonymized, or is considered aggregated consumer information from which any and all personally identifiable information has been removed and which is used for statistical purposes only.

Does Lucky Orange have a privacy statement I can use that is regulatory compliant?

While we cannot advise you on what your own regulatory and compliance requirements are, please feel free to take a look at the Lucky Orange Privacy Statement to see how we have addressed GDPR and CCPA. 

For reference, we are also a customer of our own Service/Software. 

What other resources or information does Lucky Orange have available that would be useful in your efforts to remain GDPR and CCPA compliant?

Out of the box, Lucky Orange does not capture keystroke data (data entered into forms). Each character from fields on all pages is replaced with an asterisk before any data is recorded. This ensures all captured form data is anonymous.

If certain fields aren’t sensitive (e.g., fields for quantities, products, coupons, etc.), you can individually enable keystroke capturing for those non-sensitive fields. To do this, you would have to opt out of keystroke blocking for those specific fields.
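The masking rule described above (every form-field character replaced with an asterisk before anything is recorded, with only an explicit allowlist of non-sensitive fields kept in cleartext) can be modelled as a small pre-transmission filter. This is an added illustration, not Lucky Orange's own code; the field names, the `NON_SENSITIVE_FIELDS` allowlist and the sample form are constructed assumptions.

```javascript
// Added example (not Lucky Orange's code): models "mask before send".
// Every character typed into a form field is replaced with an asterisk
// before the record leaves the browser; only fields the site owner has
// explicitly listed as non-sensitive keep their cleartext.

// Fields a site owner has individually opted out of keystroke blocking
// (hypothetical names used for this example).
const NON_SENSITIVE_FIELDS = new Set(["quantity", "coupon", "product"]);

// Replace every character with '*'. Array.from counts code points, so a
// multi-byte character still becomes exactly one asterisk.
function maskValue(value) {
  return "*".repeat(Array.from(String(value)).length);
}

// Build the keystroke payload that would be sent to the recording service.
// Fields not on the allowlist are masked and flagged as such.
function buildKeystrokePayload(fields, allowlist = NON_SENSITIVE_FIELDS) {
  return fields.map(({ name, value }) => {
    const keep = allowlist.has(name);
    return {
      name,
      value: keep ? String(value) : maskValue(value),
      masked: !keep,
    };
  });
}

// Defensive check before transmission: a masked field may contain nothing
// but asterisks and must match the length of the original value exactly.
// Returns true only when the payload is safe to send.
function payloadIsSafe(payload, fields) {
  return payload.every((p, i) => {
    if (!p.masked) return true;
    return p.value === maskValue(fields[i].value) && !/[^*]/.test(p.value);
  });
}

// Constructed sample: a checkout form snapshot, not real visitor data.
const sampleForm = [
  { name: "email", value: "jane@example.com" },
  { name: "card_number", value: "4111111111111111" },
  { name: "quantity", value: "2" },
  { name: "coupon", value: "SPRING10" },
];

const payload = buildKeystrokePayload(sampleForm);
console.log(payload, "safe to send:", payloadIsSafe(payload, sampleForm));
```

Running the block prints the masked payload for the constructed form, with only `quantity` and `coupon` left readable.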

Who is tracked and what data you collect through your use of Lucky Orange entirely depends upon the features you enable. 

Lucky Orange tracks all site visitors who have not opted out of tracking. If you have added the Lucky Orange opt-out button on your pages that use Lucky Orange, site visitors can click the button to opt out of any further tracking.

Although Lucky Orange cannot advise you as to what you need to be compliant, we can provide links to some tools and resources:

  • Data privacy management tool: Allows site visitors to opt-out of any further tracking on pages where Lucky Orange is installed.  
  • Opt-out button: You can add an opt-out privacy button from your site directly. You can also link visitors to the Lucky Orange privacy page, which includes a button to opt-out globally from all sites that use Lucky Orange. 
  • Security overview: Learn more about everything Lucky Orange does to keep your visitors' data protected and what you need to know.