After the introduction of GDPR back in 2018, there’s now another law that’s set to further effect WordPress webmasters in their bid to remain compliant with local data privacy regulations.
Its name? The California Consumer Protection Act (or CCPA for short).
This new piece of legislation is designed to provide Californians with enhanced protection with regard to the use of their personal information. It came into force at the beginning of the year 2020.
This guide will walk you through what the CCPA website compliance requirements are. It also explains what it means for your website in practice, and how to implement the necessary changes. So without further ado, let’s begin by discussing the principal themes of the CCPA.
What is the California Consumer Privacy Act (CCPA)?
The CCPA was passed back in 2018. Initially introduced as a voluntary initiative, the law only took seven days to be passed through the respective bodies of the California State Legislature.
The law was dramatically rushed through legislative bodies after politicians heeded the burgeoning chorus of concerns from constituents who felt that Californian law had not kept pace with the amount of personal data customers unwittingly share with businesses.
Secondly, the Cambridge Analytica scandal that enveloped Facebook, and the introduction of the General Data Protection Regulation (GDPR) laws in the EU, heightened the importance of bringing this legislation forward.
Since those events in June 2018, the law has been amended on two further occasions. The California Attorney General has issued guidance to help companies better understand how to make the necessary adjustments to their operations. The law officially came into effect on January 1st, 2020.
Concerning the details of the CCPA, the law mostly follows the lead provided by its GDPR predecessor. It grants the citizens of California the right to:
- Know what personal information is being collected about them
- Know whether their personal information is sold or disclosed and to whom
- Say no to the sale of their personal information
- Request the deletion of their personal information
- Access their personal information
- Equal service and price, even if they exercise their privacy rights
With the law understood, you’re probably wondering if these laws apply to you, notably if your website or business is registered outside of the state of California.
Does CCPA apply to your business?
Unpicking the implications of any privacy law is probably the hardest part. But now there’s been enough time for the dust to settle. There are some clear guidelines for how and when this law should be applied.
The first item to note is that this law pertains to the protection of personal information of citizens and residents of California. That means companies or organizations that have dealings with the citizens mentioned above will have the law applied to them, no matter their location.
As part of the guidance released by the California Attorney General, the law applies to for-profit organizations that meet the following criteria:
- Has annual gross revenue of more than $25,000,000
- Annually buys or receives, for business or commercial purposes, sells or shares the personal information of 50,000 or more Californian consumers
- Derives 50% or more of its annual revenues from selling the personal information of Californian consumers.
If you’re sat there thinking, “Great, my business doesn’t fit any of those criteria, I don’t need to make any changes,” you’re only partly correct. This new law may still apply to you by extension. If you transact with companies that have to comply with CCPA, then you may still need to make necessary alterations to comply.
For instance, if you purchase an email list for marketing purposes from a Californian provider that holds millions of records, you will have to make adjustments stipulated by CCPA by extension. Similarly, if you provide WordPress web design services to largescale companies, you’ll need to pay attention to ensure you deliver a compliant website.
CCPA vs. GDPR
The CCPA and GDPR legislation, whilst very similar, do have some key differences. Firstly, GDPR is much more far-reaching than CCPA is.
GDPR contains obligations for the appointment of Data Protection Officers, the maintenance of a register of processing activities, and the need for Data Protection Impact Assessments in specified circumstances. There are no such legal obligations attached to CCPA, even though are similar provisions in place.
Next, GDPR works on the fundamental principle that there should be a legal basis for processing any aspect of personal data. However, CCPA doesn’t even apply to some sets of personal data. For example, medical records and personal information recorded for the purposes of credit reporting are not covered by CCPA as they are seen to be covered by separate existing legislation.
Finally, the disparate laws differ on one final legal principle, which is the issue of prior consent. CCPA doesn’t require companies to ask for prior consent to process personal information, which is the central legal pillar upon which GDPR is founded.
In fact, according to the CCPA, a business does not need prior consent from a user before processing their data, nor does a website need prior permission from a user before selling their data to third parties. However, a Californian citizen has the right to ‘opt-out’ of that processing and request to both view and request the removal of their data.
In other words, CCPA aims to provide data transparency and protection after-the-fact. In contrast, GDPR focuses on providing EU citizens with the power to the prior consent of personal data processing.
How to make your website CCPA compliant
If your WordPress site needs to be updated to meet CCPA website compliance requirements, then the following steps should help you to ensure that you don’t fall foul of the new privacy law.
You’ll then need to include several contact methods so that consumers can submit their requests to exercise their rights under the legislation. It’s also a good idea to update what data you collect, how you obtain it, and for what purposes it’s used for if any of that information has changed since the introduction of GDPR.
(Note: If you sell the personal information of 4,000,000 or more Californian consumers per year, you may need to include additional disclosures)
An excellent way to tell your customers is through a privacy notice or cookie bar as you already do for GDPR purposes.
Compliance/privacy notice delivered via cookie bar or footer
Make sure to include a list of categories of personal information you collect from consumers, and for each category, list the commercial purpose(s) for which it will be used.
Ensure opt-in/opt-out is available
As mentioned, you don’t have to gain consent for the purposes of CCPA. However, you will need to provide the option for consumers to opt-out of personal data collection. With that in mind, it makes sense to bundle this permission together with the prior consent required for GDPR if you already have those parameters in place.
Given the company size criteria in place for CCPA, it’s likely that you’ve already put similar website architecture in place, so it makes sense to make the necessary tweaks to also fulfill CCPA requirements.
Add a ‘Do Not Sell My Information’ page and place a link to it on your homepage
If you sell the personal information of Californian residents, then you are required by the new law to have a web page titled ‘Do Not Sell My Personal Information’ or ‘Do Not Sell My Info’.
On that newly-created webpage you need to include the following information:
- Details concerning the consumer’s right to opt-out of the sale of their personal data
- A contact form for submitting a request for said opt-out
- Information pertaining to other contact methods for opting out
- The burden of proof required for when a consumer has elected to have an authorized agent to submit an opt-out request on their behalf
You should place a link to this page in your website footer so that it is never more than one click away.
Obtain prior consent from minors aged 13 to 16 before selling data
Once again, if you are in the business of selling personal data of residents of California, you will not be permitted to do so for those aged 13 to 16 without prior consent. You can choose to use your cookie bar to include a message to this effect, with an accompanying consent box.
While it’s undoubtedly true that the CCPA isn’t as far-reaching as GDPR, it should be taken seriously all the same. It’s likely to represent just one of several state-level privacy laws that are set to come into effect across America throughout 2020.
Many will use the CCPA as a cut and paste template for the laws relating to their respective states. Therefore, it makes sense to tweak your WordPress site to adhere to CCPA website compliance requirements now so that you can continue to remain compliant across both EU (GDPR) and North American markets (CCPA et al.). For more detailed information about CCPA refer to the State of California Department of Justice website.
Here at WP White Security, we take compliance and security seriously. We develop high-quality niche security and admin utility plugins that help administrators better manage and secure their WordPress websites. Why not take a look at our portfolio of plugins to see how we can help you to better protect your website and manage its users?