CCPA Website Compliance

The California Consumer Privacy Act (CCPA) went into effect on Jan 1, 2020 allowing consumers to sue non-compliant sites. It's the United States' first major privacy law paving the way for more to come — learn how to get your site into CCPA compliance.
CCPA Compliance

Don’t ignore the United States’ first major privacy law. California consumers now have the right to sue non-compliant brands, which can also face hefty fines. In this article, I’ll go over what you need to do to become CCPA compliant.

What is the CCPA? The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them. Learn more about CCPA, what it is, who it applies to & what penalties you could face.

General CCPA Compliance

The following applies to all websites that are required to comply with CCPA:

  1. Provide a Privacy Policy
  2. Provide a way for users to access & delete their information
  3. Provide users a way to opt-out if you sell their information
  4. Obtain prior consent from minors 13-16 years old before selling their personal data
  5. For minors younger than 13 you have to obtain prior consent by their parents
  6. Provide a toll-free phone number
  7. Create a “Do Not Sell My Information” page

Need help bringing your site into compliance with the CCPA? Ensuring all aspects of this new privacy law can be overwhelming — but it doesn’t have to be.

Contact Entermedia.com for a free CCPA compliance consultation to get your site in compliance before you face lawsuits and large fines for non-compliance.

Privacy Policy

The Privacy Policy is the most significant compliance requirement for businesses subject to the CCPA. Why? Because your Privacy Policy should contain information explaining how your business complies with the other terms of the Act.

The policy should let your users know what information your site is collecting about them, what you are doing with that information, who you are sharing that information with, and provide a way for people to contact you.

The CCPA has specific requirements for what to include in your Privacy Policy and how to make it available to your site visitors — for example, making it easy to find by adding a link to it from your homepage, updating it at least once a year, describing the categories of personal information shared with third parties (like your vendors and service providers), along with the purposes for collecting and sharing information, and including the rights of California consumers in your policy. Here’s a quick list of what to include:

  1. A description of all rights afforded to consumers under the CCPA
  2. A specific list of exactly what categories of information you are collecting, how you are using it and what the purpose of this information is
  3. Why you collect and process information
  4. How you collect and process information
  5. What you plan on doing with this information
  6. How the consumer can refuse your access to their personal data for certain purposes
  7. Links for people to opt-out of data collection or have their data removed
  8. A link titled “Do Not Sell My Personal Information” that points to a dedicated page
  9. Whether you sell users’ personal data and how they can opt-out of the sale of their data
  10. The method for verifying the identity of the person who submits a request
  11. An update at least once every 12 months, and a way to notify your users that the Privacy Policy has been updated

Do I need to obtain prior consent before collecting data? No, unlike many other consumer data protection regulations, this cookie law doesn’t require obtaining prior CCPA cookie consent for collecting and processing your users’ data.

Allow Users Access & Ability to Delete their Information

CCPA requires that you tell people what personal information you collected about them and what you’ve done with that information when they ask. Your response should include, among other things, the categories of service providers and others you share data with; for example, your site’s hosting provider.

What is considered personal information?

The definition of ‘personal data’ under the CCPA explicitly states that it is any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This law differs from the GDPR, the ePrivacy Directive, and other privacy laws by including household information in the scope of what personal information entails.

Here are some examples of personal data to include:

  1. Identifiers such as name, alias, postal address, username, password, email address, social security number, driver’s license number or passport number
  2. Employment records
  3. Biometric records such as fingerprints
  4. Email and IP addresses
  5. Geolocation data
  6. Professional or employment information
  7. Characteristics of protected classifications under California or federal law such as race, religion, sex/gender, and sexual orientation
  8. Commercial information such as records of personal property and products purchased, obtained, or considered
  9. Internet browsing history, search history, and information regarding a consumer’s interaction with websites, apps, or ads
  10. Any inference that could be used to create a consumer profile such as preferences, characteristics, predispositions, behavior, intelligence, or aptitudes

For more information about what’s considered personal data, see subsection (o)(1) of Section 1798.140 of the CCPA:

(o) (1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household

The Act goes on to provide a non-exhaustive list of what is included in its definition of personal information.

CCPA additionally requires that you delete this information upon request, though there are situations in which you would be allowed to keep the information even after receiving a deletion request. For example, you may need to keep some information for tax purposes or to comply with a legal obligation. 

Public Records & CCPA

Information that’s lawfully made publicly available is outside the scope of the CCPA. What does this mean? Here’s an example:

Say someone distributes an address book online without permission. This is illegal, so the information was not lawfully made public and the exemption doesn’t apply. Government census records, on the other hand, are lawfully publicly available, and so the CCPA doesn’t apply to this information.

Allow Users to Opt-out if you Sell their Information

If you are selling the information your site collects about your customers or site visitors, you should provide an option for them to opt-out, or to opt-in if they are under the age of 16 (parental approval required for minors under 13). For example, if your site collects email addresses and you sell them to an affiliate you would need a clearly displayed “Do Not Sell My Info” link on your website.

Can I sell users’ data freely? The CCPA doesn’t prevent you from selling your users’ data, but it obliges you to allow them to opt-out of their personal information being used for a business purpose. This means that you have to include a “Do Not Sell My Personal Information” link on your website’s homepage to comply with CCPA. Anyone who wants to opt-out of sales of their personal data can click on the link and prohibit you from selling their personal information.

For 13-16 year old minors, you have to obtain their prior opt-in consent before selling their data. For minors younger than 13, you have to obtain consent from their parents or guardians.

Provide a Toll-Free Phone Number

The CCPA requires companies to set up specific communication channels so California residents can request information about their data.

The CCPA states that you are obliged to comply with the following:

Make available to consumers two or more designated methods for submitting requests for information required to be disclosed according to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number. A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests for information.

A toll-free telephone number is, unless you operate exclusively online and have a direct relationship with a consumer, a minimum requirement for anyone who processes personal data of California residents.

Blocking visitors from California could be an option. Remember, however, that if Google crawls your website, you may have a problem with your SEO. Another option is to use the services of a Toll-Free number like: 866-I-OPT-OUT. You can start a free trial at CCPA Toll Free.

Create a “Do Not Sell My Information” Page

If you sell your visitors’ personal information, you must give these consumers the opportunity to opt out of this sale. This is in line with the principle that everyone has control over what happens to their personal data. Be sure to include the following:

  1. Details concerning the consumer’s right to opt-out of the sale of their personal data
  2. A contact form for submitting a request for said opt-out
  3. Information pertaining to other contact methods for opting out
  4. A link to your Privacy Policy
  5. The burden of proof required for when a consumer has elected to have an authorized agent to submit an opt-out request on their behalf

If you sell information, you must provide a web page that gives people the option to “opt out” of having their information sold. You should link to this web page in your Privacy Policy. It’s also good practice to put a link on your landing page or at the footer of your website.

CCPA Compliance for WordPress

For most WordPress websites, you likely already had to comply with the GDPR in some way or form. Below is a brief compliance checklist for WordPress sites, much of which overlaps with GDPR requirements:

  1. Upgrade your WordPress to the latest version (4.9.6 or higher)
  2. Cookie Policy
  3. Cookie Consent Banner (opt-out options with a link to Privacy Policy & Do Not Sell My Personal Information page)
  4. Secure connection (SSL)
  5. Do Not Sell My Personal Information page
  6. Processing agreement with all processors and/or service providers
  7. Age verification (to obtain consent from users 13-16, and ensure privacy for users under 13)

Privacy Policy

Be sure to review the information your WordPress plugins and any custom scripts are collecting for the privacy policy. These kinds of extra functionality are common on WordPress sites and depending on their purpose, could be an additional source of information your site is collecting and/or sharing. Be sure to also look at any other tools (online or offline) that you use for your business that collect information about your site visitors and customers.

WordPress User Information

Much of the personal information collected by your WordPress site can be gathered/deleted by you through your site’s dashboard. For example, you can search for and delete comments from a specific individual via your site’s comments admin area.

If your WordPress site includes contact forms, ensure there’s a way to gather and delete any information that is stored.

As part of implementing your CCPA deletion process you may want to establish a retention policy for the personal information your business collects. There isn’t a single right answer for how long your retention policy should be, but in general it’s a good idea to only keep information for as long as you need it. You can use the Bulk Actions option in the wp-admin dashboard to edit or delete collected information in a variety of areas including WooCommerce Orders, Contact Form Submissions, and Comments.

CCPA Compliance for Google Analytics

If you’re using Google Analytics like most sites, you’ll need to ensure you take the following steps to stay in compliance with CCPA:

Step 1: Include GA in your Do Not Sell My Personal Information page.

Google Analytics sets cookies, which means you must clearly indicate what you do with the data it collects and which GA options you use, for example whether you anonymize IP addresses.
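As an added example (not code from the original article or from Google), the snippet below shows how a site can honor a “Do Not Sell” choice for Google Analytics: it enables IP anonymization in the gtag config and sets the documented `window["ga-disable-<PROPERTY_ID>"]` flag before the GA snippet loads so no hits are sent for visitors who opted out. The property id `UA-XXXXXXX-Y`, the cookie name `ccpa_ga_opt_out` and the button id `ccpa-opt-out` are placeholders chosen for this example.

```javascript
// Added example (not from the original article): a minimal CCPA opt-out
// helper for Google Analytics. GA_PROPERTY_ID is a placeholder, not a real id.
// The window["ga-disable-<ID>"] flag and the anonymize_ip config option are
// documented Google Analytics features; the cookie name and element id are
// assumptions made for this example.

const GA_PROPERTY_ID = "UA-XXXXXXX-Y";        // placeholder property id
const OPT_OUT_COOKIE = "ccpa_ga_opt_out";     // assumed cookie name
const OPT_OUT_BUTTON_ID = "ccpa-opt-out";     // assumed id of the "Do Not Sell" control

// gtag config options used when tracking is allowed: GA truncates the
// visitor's IP address before storing it (the "anonymizing IP addresses"
// the article mentions).
function gaConfigOptions() {
  return { anonymize_ip: true };
}

// Parse a document.cookie-style string ("a=1; b=2") into a name->value map.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// True when the visitor has previously clicked "Do Not Sell".
function hasOptedOut(cookieString) {
  return parseCookies(cookieString)[OPT_OUT_COOKIE] === "1";
}

// Name of the global flag Google Analytics checks before sending hits.
function gaDisableKey(propertyId) {
  return "ga-disable-" + propertyId;
}

// Record the visitor's choice on a window-like object so GA stays silent.
// Must run before the GA snippet loads. Returns true if tracking is disabled.
function applyOptOut(win, cookieString) {
  const optedOut = hasOptedOut(cookieString);
  win[gaDisableKey(GA_PROPERTY_ID)] = optedOut;
  return optedOut;
}

// Configure GA only when the visitor has not opted out and gtag is present.
// Returns true if a config call was issued.
function configureGa(win) {
  if (win[gaDisableKey(GA_PROPERTY_ID)] || typeof win.gtag !== "function") {
    return false;
  }
  win.gtag("config", GA_PROPERTY_ID, gaConfigOptions());
  return true;
}

// Cookie string written when the visitor opts out; one year by default.
// The opt-out cookie itself stores only the visitor's choice, no identifier.
function optOutCookieString(maxAgeDays = 365) {
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${OPT_OUT_COOKIE}=1; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Browser wiring; skipped when no DOM is present (e.g. under Node).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  applyOptOut(window, document.cookie);
  configureGa(window);
  const button = document.getElementById(OPT_OUT_BUTTON_ID);
  if (button) {
    button.addEventListener("click", () => {
      document.cookie = optOutCookieString();
      applyOptOut(window, document.cookie);
    });
  }
}
```

Load this script before the Google Analytics tag so the disable flag is already set when GA initializes; setting it afterwards does not stop hits that were already queued. The same `ga-disable-` flag approach works for a site-wide “Do Not Sell” page that covers every GA property you use, one flag per property id.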

Sharing Data

Google Analytics shares a lot of information with other Google services, such as Google AdWords, Google Optimize, etc. If you have this enabled, you must mention it on your ‘Do Not Sell My Personal Information’ page.

You can disable sharing this data in GA by going to: Admin > Account Settings > Data Sharing Settings

Google Analytics Data Sharing

Tracking User IDs

Google Analytics has an optional User ID feature that tracks a signed-in user’s browsing behavior across different devices and counts their sessions. If this is enabled, be sure to describe this in your ‘Do Not Sell My Personal Information’ page.

To disable it or check if you’re using it go to: Admin > Property Settings > Tracking Info > User ID

Google Analytics User ID Tracking

Advertising Sharing

Google Analytics also shares data for advertising purposes, such as re-marketing. Put this in your ‘Do Not Sell My Personal Information’ page or disable it by going to: Admin > Tracking Info > Data Collection

Google Analytics Data Collection

Step 2: Sign the service provider agreement with Google.

Service provider agreements are an important part of CCPA compliance. You need to sign one with Google Analytics, which can be found here:
Account Settings > Data Processing Agreement > Review Amendment

Google Analytics Data Processing Agreement

Frequently Asked Questions

What is the CCPA?

The California Consumer Privacy Act (CCPA) is the first comprehensive privacy law in the United States. It was signed into law at the end of June 2018 and provides a variety of privacy rights to California consumers. Businesses regulated by the CCPA will have a number of obligations to those consumers, including disclosures, General Data Protection Regulation (GDPR)-like rights for consumers, an “opt-out” for certain data transfers and an “opt-in” requirement for minors.

Who needs to comply with CCPA?

The CCPA only applies to companies doing business in California which annually satisfy one or more of the following: (1) have a gross revenue of more than $25 million, (2) derive 50% or more of their annual revenue from the sale of consumer personal information, or (3) buy, sell, or share the personal information of more than 50,000 consumers.

When did the CCPA go into effect?

The CCPA went into effect on January 1, 2020. However, enforcement by the Attorney General (AG) did not begin until July 1, 2020.

Is the CCPA the same as the GDPR?

While the CCPA is similar to the GDPR, it is not the same. If you already prepared for the GDPR, you may be able to leverage some of the work that you did to meet your CCPA requirements. Many privacy laws across the world share common themes. These often include:

  • Consumer rights to access, update, delete, and receive a copy of personal information
  • Different obligations based on a company’s role as a business or service provider
  • Transparency and notice about a company’s data practices

In contrast to the GDPR, the CCPA also adds the right for consumers to opt-out of the “sale” of their personal information. Under the CCPA, “sale” is defined to include any sharing or disclosure for valuable consideration.

What are the differences between GDPR and CCPA?

There are many differences. It’s easier to focus on the similarities, including:

  • Transparency/disclosure obligations.
  • Consumer rights to access, delete, and receive a copy of data.
  • Definition of “service providers” that is similar to how GDPR defines “processors” with a similar contractual obligation.
  • Definition of “businesses” that encompasses the GDPR definition of “controllers”.

The biggest difference in CCPA is the core requirement to enable an opt-out from sales of data to third parties (with “sale” broadly defined to include sharing of data for valuable consideration). This is a narrower and more specific obligation than the broad GDPR right to object to processing, which encompasses this type of “sale,” but is not specifically limited to covering this type of sharing.

How does the CCPA apply to children?

  • CCPA introduces parental consent obligations consistent with The Children's Online Privacy Protection Act (COPPA) for children under the age of 13.
  • For children between 13 and 16 years old, CCPA imposes a new obligation to obtain opt-in consent from the child for any “sale” of their personal information.

What about personal data from my employees?

In October 2019, a number of amendments were passed to the CCPA. One amendment clarified that the CCPA obligations do not apply to the personal information of employees of the business. However, legislators put a one-year sunset on that exemption. We expect California to legislate a new data protection law for employees in 2020.
