The California Consumer Privacy Act (CCPA) is the US answer to the EU’s General Data Protection Regulation (GDPR). With largely similar rules, the CCPA is the most robust data privacy legislation in the US. The Act set in motion other privacy acts that have been in progress in the US for some time, like Virginia’s CDPA, the Nevada privacy law, and the Colorado Privacy Act.
Similar to the GDPR, the CCPA lays out several rules for how businesses must handle the personal information of consumers, and those rules apply to websites as well. So, we will cover what a WordPress user like you must do to make your website CCPA compliant.
But before we discuss that, let us have a quick look at what CCPA is all about.
IMPORTANT: We (WPExplorer) are not lawyers, we are simply sharing information about the CCPA and general compliance tips. Following the steps below does not guarantee you fully comply with CCPA requirements. Please consult a lawyer or CCPA consultant to be sure your website is in full compliance.
The CCPA is a state-wide data privacy law from California, USA. Like its European counterpart, the CCPA was passed to safeguard people’s personal information. It became effective on 1 January 2020.
The CCPA’s scope is limited to any for-profit business in the world that meets at least one of the following criteria:
- Has total annual revenue over $25 million
- Buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices
- Acquires more than half of their annual revenue from selling the personal information of Californians
Consumers have several rights under the CCPA:
- The right to know about the personal information a business collects and how it is used and shared or sold;
- The right to delete personal information;
- The right to opt-out of the sale of the personal information; and
- The right to non-discrimination against those who exercise the CCPA rights.
There are consequences for violating the CCPA rules.
For unintentional violations, you could be fined up to $2500 per violation, and for intentional violations, up to $7500 per violation.
Consumers can seek legal consultation, claim $100 to $750 in damages for a data breach, and file legal complaints against the violator.
Can CCPA Affect Small Business Websites?
Unlike the GDPR, the CCPA does not apply to all websites that serve its defined data subjects, in this case California residents. As discussed earlier, a business has to meet one of the three thresholds. These thresholds, therefore, seem to suggest that smaller websites are exempt from complying with the law. However, one of the cornerstones of any business should be a quality customer experience. Protecting your customers’ rights and interests should be a top priority, especially if you handle their personal information. It is good practice to protect their privacy, and for that reason complying with the CCPA is recommended even if your business falls outside its material scope.
Also, with rising cases of data breaches and privacy violations, it is imperative to provide your users with a space that they can trust and have more control over their personal information.
How to Make Your WordPress Website CCPA Compliant
CCPA requirements are much more relaxed compared with the GDPR. A WordPress website that is already GDPR-ready may not require a lot of effort to prepare for the US law. But there are a few requirements that the website must not miss when implementing CCPA compliance.
You can use this guide on how to make your WordPress website GDPR compliant, but if the CCPA applies to you, keep reading. Below are some steps to get your WordPress website ready for CCPA compliance.
1. Privacy Policy
Your privacy policy should answer the following questions:
- What personal information does your site collect from the users?
- Where does it collect the personal information from?
- Why does it need to collect, sell or share personal information?
- With whom (third parties) does the site share or sell the personal information?
- What rights do the consumers have under the CCPA?
- How can they contact you to exercise these rights?
- A Do Not Sell My Personal Information link or section that explains how users can opt out of the sharing or selling of their personal information.
To set up your privacy policy page in WordPress, just go to Settings > Privacy.
2. Do Not Sell My Personal Information Page
One of the rules that makes the CCPA different from the GDPR is its relaxation of the consent requirement for collecting and selling data. The CCPA emphasizes giving users control to object to the sale of their data rather than asking for consent. Opt-out is a big part of the law, and that is where the mechanism of “Do Not Sell My Personal Information” (DNSMPI) comes in. DNSMPI is a method proposed by the CCPA to allow users to opt out of websites selling their personal information to third parties. It is usually implemented via a dedicated page.
The page must provide the following information:
- An explanation of the right to opt out of the sale of personal information.
- A webform or any other method to submit opt-out requests.
A website’s footer is the ideal place to include the link to the DNSMPI page.
Here is an example from Sony Music’s official website; the link leads to their DNSMPI page.
3. Cookie Consent Notice
The CCPA recognizes “unique personal identifiers” as personal information. Cookie identifiers, therefore, are personal information under the law. Unlike the GDPR, the CCPA does not require the website to get consent from users before storing cookies in their browsers. However, it does require the site to provide an opt-out option where those cookies are used to sell personal information. So a cookie notice or popup is not just for asking for consent; it is also a method by which users can opt out of cookies.
There is much more you can do with CookieYes to make your usage of cookies CCPA compliant. Best of all, it’s free to sign up and get started with CookieYes. The free plan offers cookie scan for up to 100 pages and 5000 consent logs per month (and there are premium plans for advanced features and increased usage). You can try the premium features free for 14 days (no credit card required and you can upgrade from the trial plan anytime) and see how it works for your website.
4. Data Access
The CCPA also requires websites to let users access their personal information upon request. You are obliged to inform users about what information you collected, what you do with it, the category of source it was collected from, and the category of third party you share the information with.
The data access request can be implemented via contact forms. There are various types of forms that you can use. One of the most recommended plugins for building forms in WordPress is Ninja Forms.
It is a simple drag and drop tool for adding forms on your website pages. You can use pre-made templates or create your own for users to submit data access requests.
5. Data Deletion
The CCPA requires websites to delete personal information upon user request.
Like data access, the latest versions of WordPress also have a dedicated tool for handling your visitors’ data deletion requests. Using it, you can send a confirmation mail for the data deletion.
To access it, log into your WordPress website and go to Tools on the admin menu. From there, select Erase Personal Data.
Similarly for other information, such as comments on a post, you can go to the admin area and delete it.
The Ninja Forms plugin has several templates including one for data deletion requests. It is easy to use and you can create a simple form for users to submit their requests.
All you need to do is publish and embed the form shortcode on the target page.
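WordPress’ Export Personal Data and Erase Personal Data tools only know about data core stores (users, comments, media). If your site keeps personal information elsewhere, a few lines of plugin code make that data part of the same data access (section 4) and data deletion (section 5) workflow. This is an added example written for this post, not code from WordPress, Ninja Forms or the original article; it assumes a hypothetical `{$wpdb->prefix}newsletter_signups` table with columns `id`, `email`, `signup_ip` and `created_at`.

```php
<?php
// Added example (not from the original post): registers a hypothetical plugin's
// custom table with WordPress' Tools > Export Personal Data and Tools > Erase
// Personal Data. Assumes {$wpdb->prefix}newsletter_signups (hypothetical table).
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['newsletter-signups'] = array(
        'exporter_friendly_name' => 'Newsletter signups',
        'callback'               => 'newsletter_signups_exporter',
    );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['newsletter-signups'] = array(
        'eraser_friendly_name' => 'Newsletter signups',
        'callback'             => 'newsletter_signups_eraser',
    );
    return $erasers;
} );
// Data access (section 4): every row tied to the requester's e-mail becomes an export item.
function newsletter_signups_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'newsletter_signups';
    $rows  = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, email, signup_ip, created_at FROM {$table} WHERE email = %s",
        $email_address
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'newsletter_signups',
            'group_label' => 'Newsletter signups',
            'item_id'     => 'signup-' . $row->id,
            'data'        => array(
                array( 'name' => 'Email',     'value' => $row->email ),
                array( 'name' => 'Signup IP', 'value' => $row->signup_ip ),
                array( 'name' => 'Signed up', 'value' => $row->created_at ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => true ); // everything fits in one page
}
// Data deletion (section 5): runs when the admin confirms the request in Tools > Erase Personal Data.
function newsletter_signups_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'newsletter_signups', array( 'email' => $email_address ), array( '%s' ) );
    return array( 'items_removed' => (bool) $deleted, 'items_retained' => false, 'messages' => array(), 'done' => true );
}
```

Once this is active in a plugin or the theme’s functions.php, the rows show up in the export ZIP a user receives and are removed when you confirm an erasure request, so the forms you build with Ninja Forms only need to feed requests into these two screens.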
We hope these steps will kickstart your WordPress website’s CCPA compliance in the right way. We always recommend getting a legal consultation for complete compliance. That way, you will be able to ensure that everything is in place.