Don’t ignore the United States’ first major privacy law. California consumers now have the right to sue non-compliant brands, and those brands can face hefty fines. In this article, I’ll go over what you need to do to become CCPA compliant.
What is the CCPA? The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them. Learn more about CCPA, what it is, who it applies to & what penalties you could face.
General CCPA Compliance
The following applies to all websites that are required to comply with CCPA:
- Provide a way for users to access & delete their information
- Provide users a way to opt-out if you sell their information
- Obtain prior consent from minors aged 13 to 16 before selling their personal data
- For minors younger than 13, obtain prior consent from their parents
- Provide a toll-free phone number
- Create a “Do Not Sell My Information” page
Need help bringing your site into compliance with the CCPA? Covering every aspect of this new privacy law can be overwhelming, but it doesn’t have to be.
Contact Entermedia.com for a free CCPA compliance consultation to get your site in compliance before you face lawsuits and large fines for non-compliance.
Your privacy policy should let your users know what information your site is collecting about them, what you are doing with that information, and who you are sharing it with, and it should provide a way for people to contact you. It should include:
- A description of all rights afforded to consumers under the CCPA
- A specific list of exactly what categories of information you are collecting, how you are using it, and what the purpose of this information is
- Why you collect and process information
- How you collect and process information
- What you plan on doing with this information
- How the consumer can refuse your access to their personal data for certain purposes
- Links for people to opt out of data collection or have their data removed
- A link titled “Do Not Sell My Personal Information” that points to a custom page
- Whether you sell users’ personal data and how they can opt out of that sale
- The method you use to verify the identity of the person who submits a request
Do I need to obtain prior consent before collecting data? No. Unlike many other consumer data protection regulations, the CCPA doesn’t require you to obtain prior consent (such as a cookie consent banner) for collecting and processing your users’ data; it works on an opt-out model. The exception is the sale of minors’ data, which requires opt-in consent as described below.
Allow Users Access & Ability to Delete their Information
The CCPA requires that, when people ask, you tell them what personal information you have collected about them and what you’ve done with it. Your response should include, among other things, the categories of service providers and others you share data with; for example, if we host your site, you share data with us as your site’s host.
What is considered personal information?
The definition of ‘personal information’ under the CCPA explicitly states that it is any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This law differs from the GDPR, the ePrivacy Directive, and other privacy laws by including household information in the scope of what personal information entails.
Here are some examples of personal data to include:
- Identifiers such as name, alias, postal address, username, password, email address, social security number, driver’s license number or passport number
- Employment records
- Biometric records such as fingerprints
- Email and IP addresses
- Geolocation data
- Professional or employment information
- Characteristics of protected classifications under California or federal law such as race, religion, sex/gender, and sexual orientation
- Commercial information such as records of personal property and products purchased, obtained, or considered
- Internet browsing history, search history, and information regarding a consumer’s interaction with websites, apps, or ads
- Any inference that could be used to create a consumer profile such as preferences, characteristics, predispositions, behavior, intelligence, or aptitudes
For more information about what’s considered personal data, see subsection (o)(1) of 1798.140 of the CCPA.
(o) (1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household
The Act goes on to provide a non-exhaustive list of what is included in its definition of personal information.
CCPA additionally requires that you delete this information upon request, though there are situations in which you would be allowed to keep the information even after receiving a deletion request. For example, you may need to keep some information for tax purposes or to comply with a legal obligation.
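As an added example (my own code, not from the original article or any CCPA product), here is a minimal handler for the request process described above: the requester must prove control of the email address on file via a one-time token before anything is disclosed or deleted, and deletion skips records covered by a retention exemption. The consumer record, the recipient categories, and the tax-record flag are constructed sample data.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta, timezone

# Constructed sample data store (not real data): one consumer, keyed by email.
CONSUMERS = {
    "alice@example.com": {
        "identifiers": {"name": "Alice", "ip": "203.0.113.7"},
        "orders": [{"id": 1001, "total": 49.99, "tax_record": True}],
        "comments": ["great product"],
    }
}
SHARED_WITH = ["site host", "analytics provider"]  # categories of recipients
PENDING = {}  # email -> (sha256 of one-time token, expiry)

def start_request(email):
    """Issue a one-time token to send to the address on file. Returns None for
    unknown addresses; answer the requester identically either way."""
    if email not in CONSUMERS:
        return None
    token = secrets.token_urlsafe(16)
    digest = hashlib.sha256(token.encode()).hexdigest()
    PENDING[email] = (digest, datetime.now(timezone.utc) + timedelta(minutes=30))
    return token

def verify(email, token):
    """Constant-time check of the token; tokens expire and are single use."""
    entry = PENDING.get(email)
    if entry is None or datetime.now(timezone.utc) > entry[1]:
        return False
    ok = hmac.compare_digest(entry[0], hashlib.sha256(token.encode()).hexdigest())
    if ok:
        del PENDING[email]
    return ok

def access_request(email, token):
    """Disclose the categories collected and who they were shared with."""
    if not verify(email, token):
        return None
    return {"categories": sorted(CONSUMERS[email]), "shared_with": SHARED_WITH}

def delete_request(email, token):
    """Delete everything except records under a retention exemption (tax records)."""
    if not verify(email, token):
        return False
    rec = CONSUMERS[email]
    rec["identifiers"] = {}
    rec["comments"] = []
    rec["orders"] = [o for o in rec["orders"] if o.get("tax_record")]
    return True
```

In a real deployment the token would be emailed to the address on file and the same verification would gate the opt-out page as well.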
Public Records & CCPA
Information that’s lawfully made publicly available is outside the scope of the CCPA. What does this mean? Here’s an example:
Say someone distributes a private address book online without authorization. That information was not lawfully made available, so the exemption doesn’t apply. Government census records, on the other hand, are lawfully public, and so the CCPA doesn’t apply to that information.
Allow Users to Opt-out if you Sell their Information
If you are selling the information your site collects about your customers or site visitors, you should provide an option for them to opt-out, or to opt-in if they are under the age of 16 (parental approval required for minors under 13). For example, if your site collects email addresses and you sell them to an affiliate you would need a clearly displayed “Do Not Sell My Info” link on your website.
Can I sell users’ data freely? The CCPA doesn’t prevent you from selling your users’ data, but it obliges you to let them opt out of the sale of their personal information. This means that you have to include a “Do Not Sell My Personal Information” link on your website’s homepage to comply with the CCPA. Anyone who wants to opt out of sales of their personal data can click on the link and bar you from selling their personal information.
For minors aged 13 to 16, you have to obtain their prior opt-in consent before selling their data. For minors younger than 13, you have to obtain consent from their parents or guardians.
Provide a Toll-Free Phone Number
The CCPA requires companies to set up specific communication channels so California residents can request information about their data.
The CCPA states that you are obliged to comply with the following:
Make available to consumers two or more designated methods for submitting requests for information required to be disclosed according to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number. A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests for information.
Unless you operate exclusively online and have a direct relationship with the consumer, a toll-free telephone number is therefore a minimum requirement for anyone who processes personal data of California residents.
Blocking visitors from California could be an option. Remember, however, that if Google crawls your website, you may have a problem with your SEO. Another option is to use the services of a Toll-Free number like: 866-I-OPT-OUT. You can start a free trial at CCPA Toll Free.
Create a “Do Not Sell My Information” Page
If you sell your visitors’ personal information, you must give these consumers the opportunity to opt out of this sale. This is in line with the principle that everyone has control over what happens to their personal data. Be sure to include the following:
- Details concerning the consumer’s right to opt-out of the sale of their personal data
- A contact form for submitting a request for said opt-out
- Information pertaining to other contact methods for opting out
- The proof required when a consumer has an authorized agent submit an opt-out request on their behalf
CCPA Compliance for WordPress
For most WordPress websites, you likely already had to comply with the GDPR in some way or form. Below is a brief overview of the current compliance requirements, most of which overlap with that GDPR work:
- Upgrade your WordPress to the latest version (4.9.6 or higher)
- Secure connection (SSL/TLS)
- Do Not Sell My Personal Information page
- Processing agreement with all processors and/or service providers
- Age verification (to obtain consent from users 13-16, and ensure privacy for users under 13)
WordPress User Information
Much of the personal information collected by your WordPress site can be gathered/deleted by you through your site’s dashboard. For example, you can search for and delete comments from a specific individual via your site’s comments admin area.
If your WordPress site includes contact forms, ensure there’s a way to gather and delete any information that is stored.
As part of implementing your CCPA deletion process you may want to establish a retention policy for the personal information your business collects. There isn’t a single right answer for how long your retention policy should be, but in general it’s a good idea to only keep information for as long as you need it. You can use the Bulk Actions option in the wp-admin dashboard to edit or delete collected information in a variety of areas including WooCommerce Orders, Contact Form Submissions, and Comments.
CCPA Compliance for Google Analytics
If you’re using Google Analytics like most sites, you’ll need to ensure you take the following steps to stay in compliance with CCPA:
Step 1: Include GA in your Do Not Sell My Personal Information page.
Google Analytics shares a lot of information with other Google services, such as Google Adwords, Google Optimizer, etc. If you have this enabled, you must mention it on your ‘Do Not Sell My Personal Information’ page.
You can disable sharing this data in GA by going to: Admin > Account Settings > Data Sharing Settings
Tracking User IDs
Google Analytics has a User-ID feature that ties a user’s browsing behavior across different devices to one identifier and keeps track of their number of sessions. If this is enabled, be sure to describe it in your ‘Do Not Sell My Personal Information’ page.
To disable it or check if you’re using it go to: Admin > Property Settings > Tracking Info > User ID
Google Analytics also shares data for advertising purposes, such as remarketing. Describe this in your ‘Do Not Sell My Personal Information’ page or disable it by going to: Admin > Tracking Info > Data Collection
Step 2: Sign the service provider agreement with Google.
Service provider agreements are an important part of CCPA compliance. You need to sign one for Google Analytics, which can be found here:
Account Settings > Data Processing Agreement > Review Amendment
Frequently Asked Questions
The California Consumer Privacy Act (CCPA) is the first comprehensive privacy law in the United States. It was signed into law at the end of June 2018 and provides a variety of privacy rights to California consumers. Businesses regulated by the CCPA have a number of obligations to those consumers, including disclosures, General Data Protection Regulation (GDPR)-like rights for consumers, an “opt-out” for certain data transfers and an “opt-in” requirement for minors.
The CCPA only applies to companies doing business in California that annually satisfy one or more of the following: (1) have a gross revenue of more than $25 million, (2) derive 50% or more of their annual revenue from the sale of consumer personal information, or (3) buy, sell, or share the personal information of more than 50,000 consumers.
The CCPA went into effect on January 1, 2020. However, enforcement by the Attorney General (AG) did not begin until July 1, 2020.
While the CCPA is similar to the GDPR, it is not the same. If you already prepared for the GDPR, you may be able to leverage some of the work that you did to meet your CCPA requirements. Many privacy laws across the world share common themes. These often include:
- Consumer rights to access, update, delete, and receive a copy of personal information
- Different obligations based on a company’s role as a business or service provider
- Transparency and notice about a company’s data practices
In contrast to the GDPR, the CCPA also adds the right for consumers to opt-out of the “sale” of their personal information. Under the CCPA, “sale” is defined to include any sharing or disclosure for valuable consideration.
There are many differences between the two laws, so it’s easier to focus on the similarities, including:
- Transparency/disclosure obligations.
- Consumer rights to access, delete, and receive a copy of data.
- Definition of “service providers” that is similar to how GDPR defines “processors” with a similar contractual obligation.
- Definition of “businesses” that encompasses the GDPR definition of “controllers”.
The biggest difference in the CCPA is the core requirement to enable an opt-out from sales of data to third parties (with “sale” broadly defined to include sharing of data for valuable consideration). This is a narrower and more specific obligation than the broad GDPR right to object to processing, which encompasses this type of “sale” but is not specifically limited to this type of sharing. Two further differences:
- CCPA introduces parental consent obligations consistent with The Children's Online Privacy Protection Act (COPPA) for children under the age of 13.
- For children between 13 and 16 years old, CCPA imposes a new obligation to obtain opt-in consent from the child for any “sale” of their personal information.
In October 2019, a number of amendments were passed to the CCPA. One amendment clarified that the CCPA obligations do not apply to the personal information of employees of the business. However, legislators put a one-year sunset on that exemption. We expect California to legislate a new data protection law for employees in 2020.