Absolutely. Take a look at our Legal Context document here.

The California Consumer Privacy Act of 2018 (“CCPA”) provides certain rights to residents of California. Exhibit B of our Privacy Policy supplements our Privacy Policy and applies if you are a natural person who is a resident of California, i.e., a “California Consumer”, and use our Services. 

We detail in Exhibit B the categories of information we collect about CA Consumers, who we share this information with, the purposes for which we use the information, and whether we’ve sold this information in the past 12 months.

We are also offering our EU and EAA based quiz and chatbot customers a Data Processing Agreement (DPA), which includes the EU approved model clauses.  The DPA clarifies exactly how Gobot handles the data we process for you and provides the information and assurances you need under GDPR.  Click here for Gobot’s DPA.

The GDPR (General Data Protection Regulation) is an EU Regulation that replaces the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organizations who collect or process personal data. It came into force on May 25, 2018. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.
‍
The full text of the GDPR can be found here.

While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses who market their products to people in the EU or who monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.

No. There is no obligation under the GDPR for data to be stored in the EU and the rules regarding transfer of personal data outside the EU will not change. This means that, as long as the personal data is "adequately protected", data may be transferred abroad. For example, the EU has prepared a list of countries which they deem to provide an adequate standard of protection (known as "white listed countries"), so it is permissible to transfer data to those countries from the EU. Where a country is not on that EU list (for example, the USA), the controller must rely on use of approved contractual provisions (e.g., the Model Clauses in Gobot’s Data Processing Agreement) or one of the other alternative measures provided for in Law.

The aim of GDPR is a positive one: to protect the privacy of EU citizens. However, violation of GDPR may result in a serious fine.  Depending on the type of violation in question, controllers and processors who mishandle personal data or otherwise violate data subjects’ rights could incur fines of up to €20 million or 4% of their global annual revenue (whichever is greater).

Specific consent:

‍Whenever a data subject, e.g., your customer or website visitor, is about to submit their personal information, the data controller, e.g., your company, has to make sure the data subject has given their consent. The GDPR steps up the standard for disclosures when obtaining consent, as it needs to be “freely given, specific, informed and unambiguous,” with controllers using “clear and plain” legal language that is “clearly distinguishable from other matters”.  Further, GDPR requires the data subject to signal agreement by "a statement or a clear affirmative action."

In connection with our conversational experiences, Gobot provides the flexibility you need to seek consent and, if necessary, process withdrawn consent.  With Gobot, how you script your conversational experiences is up to you.  To play it safe, however, we suggest that when interacting with European citizens your experiences be drafted to seek consent such that what you get is “freely given, specific, informed and unambiguous.”  In other words, make sure to have your conversational experiences ask for permission to use the information you collect in a specific and very clear way. Also, allow your visitors and customers to respond in a very specific and clear way, e.g., using specific and well thought out multiple choice options that avoid subjective responses.

Finally, if your customer or visitor opts to withdraw consent as to a chatbot or quiz related email, Gobot’s emails include an optional opt-out button you can use for European citizens.  
‍
Notice:

‍Gobot also makes it very easy for you to provide the notice required under GDPR.  When collecting data, consider including notice in your conversational experience script clarifying exactly how long you will hold onto the data, what you will use it for, who you will share it with, how the visitor can seek to opt out later, whether the visitor’s data will be used to make automated decisions, the relevant legal bases for processing, and means to communicate with you.  Gobot’s notice functionality makes it real easy for you to provide the required notices in a clear and trackable manner.

‍Reasonable retention:

‍Above and beyond allowing for scripting of a conversational experience that seeks consent in a clear and unambiguous way, providing the requisite notice, and allowing for easy opt-out when your customer or visitor changes their mind, Gobot has simplified and added additional control over retention.  Consistent with GDPR, Gobot makes it easy to hold onto data you collect only for a period reasonably necessary to accomplish the purpose for which the data was collected for in the first place. 

‍Right to be forgotten:

‍GDPR also grants European citizens the “right to be forgotten,” which requires that controllers delete all personal data stored about the citizen and also that the controllers alert downstream recipients of the deletion request.  Gobot makes it easy to delete all information you have about a particular contact with the press of a button.

‍Right to data portability:

‍GDPR also grants European citizens the “right to data portability,” which allows data subjects to demand a copy of their personal data in a common format.  Gobot makes it easy to print a report including personal data Gobot has collected from a particular contact. 

‍Records: 

Controllers will also be required to provide evidence that their processes are compliant and followed in each case.  Gobot’s consent log and transcript feature facilitates compliance in this regard.  If you are ever questioned as to whether a particular visitor or customer provided consent to use of their personal data, e.g., email address, you can point the customer or authorities to your Gobot consent log, which clearly documents the consent provided.  The log references the conversational experience transcript showing exactly the authorization you requested and the notice you provided, and importantly, the consent your visitor or customer responded with.

Click here for the full text of the GDPR in English. 

Here it is in German.

The EU’s GDPR page.

The EU’s Data Protection Supervisor.

Find your Supervisory Authority here.

Click here for the CCPA.

We suggest that you include sufficient notice in your website's privacy policy to account for your usage of Gobot on your website or web application.  Always review changes to your site’s terms & privacy policy with your lawyers. Reach out to us at max+privacy@getgobot.com and we can provide sample language for your policy.