07 February 2017
Privacy Concerns within Live Chat for Website
Security is a high business priority, with significant consequences for noncompliance. Organisations regularly look into employee backgrounds and suppliers providing services.
It can be very tempting to look at price alone when buying services such as live chat, but signing up to overseas services can be risky due to the differences in how data needs to be handled. When UK organisations look into live chat for website software, they can feel they need functionality without necessarily knowing that it can have security implications.
This can include:
- Reviewing a customer’s basket
- Gaining controllable access to a visitor’s computer via co-browsing
- Viewing what a visitor is typing in real-time
In the UK, using these features can potentially breach data protection laws.
The risk of a personal data breach increases when an operator reviews a customer’s basket or gains controllable access to a visitor’s computer, as the operator could accidentally alter or delete the visitor’s private information.
Before organisations use visitor data in live chat for website, they need to receive consent. This can be done by the visitor ticking an opt-in box, sending a link in an email or hitting send on a message.
Whilst typing, the visitor has not consented for the company to see the content of the message, so viewing it infringes their privacy. Personal data could be included within the initial draft; however, the visitor may decide not to include these details in their final message. It becomes a breach of security if the operator uses any of these details.
The law that governs personal data is the Data Protection Act 1998 (DPA), which has 8 key principles. Principles 1 and 8 are the ones that regulate using data and transferring data overseas.
DPA – Principle 1
Under Principle 1 of the DPA, there is the requirement to process personal data fairly and lawfully.
The Information Commissioner’s Office (ICO) has explained that:
“In practice, it means that you must:
- have legitimate grounds for collecting and using the personal data;
- not use the data in ways that have unjustified adverse effects on the individuals concerned;
- be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
- handle people’s personal data only in ways they would reasonably expect; and
- make sure you do not do anything unlawful with the data.”
An ICO representative explained that under this first principle, a company would need to have a clear and unambiguous privacy notice. Before entering a conversation, the company will need to disclose how the visitor’s data is being handled, and inform the visitor that it can see anything that the visitor types before it is submitted.
DPA – Principle 8
Principle 8 of the DPA states that data can only be transferred to a country or territory outside the EEA if an adequate level of protection is ensured for the rights and freedoms of data subjects in relation to the processing of personal data.
If a British company is looking to use live chat provided by a US provider, there are other laws involved in protecting data.
Click4Assistance previously reported on the invalidation of Safe Harbor. The framework was found not to satisfy the legal requirement that personal data transferred outside the EU be adequately protected. Therefore, on 6th October 2015 the European Court of Justice (“ECJ”) decided to annul the Safe Harbor Framework.
Privacy Shield replaced Safe Harbor. US companies are required to sign up to the scheme, which places stronger privacy requirements on the organisation.
The ICO has stated, “While the Privacy Shield decision issued by the European Commission is legally binding, the area of international transfers is still not free from uncertainty. There are cases currently being considered by the Court of Justice of the European Union which may also have an impact on other mechanisms for international transfers, and the Court may also be asked to consider whether Standard Contractual Clauses provide adequate protection for transfers to the US.”
The Privacy and Electronic Communications Regulations
Live chat for website communication within the UK also needs to comply with The Privacy and Electronic Communications Regulations (PECR), which sit alongside the Data Protection Act. The ICO outlines PECR as:
“PECR are the Privacy and Electronic Communications Regulations. Their full title is The Privacy and Electronic Communications (EC Directive) Regulations 2003.
They are derived from European law. They implement European Directive 2002/58/EC, also known as ‘The e-privacy Directive’.
The e-privacy Directive complements the existing Data protection regime and sets out more-specific privacy rights on electronic communications. It recognises that widespread public access to digital mobile networks and the internet opens up new possibilities for businesses and users, but also new risks to their privacy.
PECR have been amended four times. The more recent changes were made in 2015, to allow emergency text alerts and to make it easier to take action for breaches of the marketing rules; and in 2016, to require anyone making a marketing call to display their number.”
The original PECR and the amendments can be found on the ICO website.
Missing People – Privacy in Action
Missing People is an independent charity that searches for missing people on behalf of family and friends. It offers a free confidential helpline and is adamant that it will protect privacy at every turn.
The charity needed to maintain this stance in live chat, so it restricts the information that operators can view about the visitor by disabling tracking and screening any IP address. This means operators are unable to gain access to the visitor’s computer or see what they are typing before it is sent.
Missing People clearly explains what it does on the website. It states that the chat system doesn’t show locations; however, it does leave cookies on the visitor’s device to identify if the visitor has come to the website previously. If the visitor does not want this, it provides instructions on how to delete the cookies.
Before a visitor enters a chat, they have the choice of what information, if any, they wish to disclose. The optional fields include:
- First name
- An emoji chart for how they are feeling
- A drop down menu to give a brief explanation of what their situation is.
The emoji chart represents a range of emotions: anger, upset, sad, indifferent or happy. Visitors can select from situation options, including “I’m thinking of running away”, “I’ve run away from home”, “I’m back now”, “I’m worried about someone else”, or “Something else”.
By gauging how the visitor is feeling and their current situation, the operator can already be prepared to respond, without needing to see, even approximately, what has been written.
Are Features worth risking Data Protection Issues?
For businesses to risk their visitors’ data, surely there must be greater benefits to using these features!
Upsell and cross-sell are tempting reasons for operators to have access to a customer’s shopping basket, but this access can be abused if the operator adds additional or expensive items.
Support engineers can provide resolutions more quickly and accurately if they can view what the visitor is experiencing. Some software takes this a step further and allows the operator to take control of the visitor’s screen, speeding this process up. If a visitor has entered all their credit card details and/or other personal data, an operator would have access to this and could misuse it.
Simply being able to view what the visitor is typing is meant to optimise the response time, but there are a few issues with this:
- Time consuming - If the visitor edits what they are typing, the operator may need to edit how they are replying
- Halting the chat flow - Some software, including Click4Assistance, displays on the visitor’s screen that the operator is typing, so the visitor may feel like the operator is not listening, or stop to see what they are going to say.
- Unprofessional - Any information that is being typed could be misused by the operator, such as payment or personal details, or anything written in the heat of the moment but then removed.
Your organisation will need to decide whether the benefits of these features outweigh safeguarding your visitors’ personal information, and whether they really make the difference you need. Is it really worth the risk?