If you’re asking yourself “Does CCPA apply to my business?” then breathe a sigh of relief because the answer is most likely “no”. But what if CCPA does apply to your business? Don’t worry. Despite a lot of fear-mongering, complying with CCPA isn’t all that difficult.
First off, what the heck CCPA?
It stands for the California Consumers Protection Act of 2018. This act gives California residents the right to learn how their personal information is being used. It also allows consumers to prevent businesses from selling or disclosing their information. This requires some websites to notify users about how their information will be used and give them a way to opt out.
Who does CCPA apply to?
CCPA applies to any website that:
- Has at least $25 million in annual gross revenues.
- Collects data on 50,000 or more California residents, households, and/or devices every year.
- Derrives 50% or more of its annual revenue from selling the personal information of California residents
What are the penalties for non-compliance?
If you have been notified that you are not in compliance with the CCPA, you have 30 days to take action or the Attorney General will bring a civil case against you. This could lead to fines up to $7,500 per individual violation. This means if you violate the privacy rights of 10 people, you could be fined $7,500 per person.
What is personal data according to the CCPA?
Personal data is any information identifying, relating to, describing, able to be associated with, or may reasonably be linked, directly or indirectly, to a certain person or household.
Personal data includes:
- Email addresses,
- biometric information,
- IP addresses,
- location data,
Personal data does not include:
- Publicly available information from government records.
- De-identified or aggregated consumer information (including Google Analytics).
- Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
- Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.
If my site uses Google Analytic, is that considered collecting personal data?
No. Google Analytics is aggregated consumer data. It’s not possible to associate Google Analytics data with an indiviaul person. If someone were to request their “personal data” to be exported from Google Analytics, you’d find it impossible to accomplish. Google Analytics used to show IP addresses but it doesn’t anymore.
How do I comply with CCPA?
- Provide a notice to consumers that you collect data at the point of collection or before it takes place.
- Include a “Do Not Sell My Personal Information” link on your home page.
- Respond to anyone requesting information about their data and maintain records of all requests.
- Verify the identity of the person making any personal data requests.
- Obtain consent before selling personal data from minors 13-16 years old. For minors younger than 13 you have to obtain consent from their parents.
- The kind of data you collect
- Why you collect the data
- How you collect and process the data
- How people can ask for access, changes, move, or delete their data
- Explanation of how you verify the identity of someone requesting these things
- Whether you sell the data and how someone can opt out of the selling of their information
Do I need to obtain prior consent before collecting and processing users’ data?
That said, a WordPress plugin is a good way to meet the CCPA compliance requirements of providing “a notice to consumers that you collect data at the point of collection or before it takes place.”
These free plugins that can help with cookie consent:
Complicance with CCPA requires a clear “do not sell my personal data” link on your homepage, and any other page that is collecting personal information. The page that this link directs to should provide a means for users to:
- Opt out of collection,
- Request to review their data,
- and request that their data be deleted
Methods which users could make these requests include:
- Sumitting an online web form
It is also a requirement of CCPA that you verify the identity of the person making the request. Learn how to do that here.
Note: This is general advice and not custom-tailored to your unique situation. If you have questions about whether you are required to comply with CCPA you should contact us by calling 800-407-1114 or emailing firstname.lastname@example.org