Is Lucky Orange GDPR- and CCPA-compliant?

Data protection laws, regulations and requirements have gone into effect over the last several years that make an impact on every business from small Shopify merchants to large enterprises.

Two of the largest data protection laws to go into effect include:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)

Before we jump in on what you need to know, we need to include one incredibly important detail (aka disclaimer): We are not attorneys and this article is not intended to be legal advice and should not be used in place of seeking advice from your attorney. 

What are GDPR and CCPA?

In a nutshell, GDPR and CCPA regulate how businesses or organizations use the personal data of visitors.  

GDPR

GDPR, the stricter of the two laws, went into effect on May 25, 2018. It extends data protection of personal data of identified or identifiable EU “data subjects” and applies to any business or organization with online visitors from the EU, regardless of whether it has a physical or legal presence in the EU. 

In addition to the list of requirements is providing data subjects with the right to opt-out of personal data processing and deleting a data subject’s personal data if requested. Click here to read more about GDPR or here to see the full regulation.

CCPA 

CCPA went into effect on Jan. 1, 2020. While less strict than GDPR, CCPA is the most expansive data protection law to be enacted in the United States since GDPR. It extends data protection of personal data of California residents, regardless of whether they are currently in the state, and applies to companies that do business (online or physical) in California and meets certain criteria based on business-specific information such as a minimum revenue and volume of consumers involved.  

Like GDPR, CCPA requires that companies honor requests for data to be deleted (with a few exceptions). Unlike GDPR, CCPA only applies to the sale of data. Additionally, data access rights are not limited. Click here to read more about CCPA or here for the full regulation

Is Lucky Orange compliant with both GDPR and CCPA?

Yes! Lucky Orange, as a service provider and processor, is compliant with both GDPR and CCPA. We’ve been leading the industry by proactively prioritizing data security and visitor privacy, even before GDPR. One of the many protections we have maintained since day one of Lucky Orange to anonymize keystroke data out of the box. As a result, every character from inputs are replaced with asterisks before data is even recorded. Other measures we’ve taken include:

  • Extended account-based privacy settings that include text scrambling and consent requirements. This is part of our Privacy settings available to the Account Owner. 
  • Required opt-in IP address collection that is only searchable and not visible at any point. This includes enhanced visitor anonymity or de-identification, including encrypted IP addresses
  • Launched a data privacy management tool that enables visitors to view and delete data your company has collected about them. 
  • Updated Terms of Service, Data Processing Agreement (located within the Terms of Service) and Data Subject Access Request form
  • Privacy Shield certification

You can read our full Security Overview here. 

To sum it up: As a processor of Data and software provider/cloud-based SaaS, Lucky Orange fulfills its own legal and compliance obligations under GDPR and CCPA. Merchants (as controllers) have their own separate obligations they must consider which are dependent upon the types of data they collect on their site, products sold and their industry.