CCPA Website Compliance

If you’re asking yourself “Does CCPA apply to my business?” then breathe a sigh of relief because the answer is most likely “no”.  But what if CCPA does apply to your business? Don’t worry. Despite a lot of fear-mongering, complying with CCPA isn’t all that difficult.

First off, what the heck is CCPA?

It stands for the California Consumers Protection Act of 2018.  This act gives California residents the right to learn how their personal information is being used.  It also allows consumers to prevent businesses from selling or disclosing their information. This requires some websites to notify users about how their information will be used and give them a way to opt out.


Who does CCPA apply to?

CCPA applies to any website that:

    1. Has at least $25 million in annual gross revenues.
    2. Collects data on 50,000 or more California residents, households, and/or devices every year.
    3. Derives 50% or more of its annual revenue from selling the personal information of California residents.


What are the penalties for non-compliance?

If you have been notified that you are not in compliance with the CCPA, you have 30 days to take action or the Attorney General will bring a civil case against you.  This could lead to fines up to $7,500 per individual violation. This means if you violate the privacy rights of 10 people, you could be fined $7,500 per person.


What is personal data according to the CCPA?

Personal data is any information identifying, relating to, describing, able to be associated with, or may reasonably be linked, directly or indirectly, to a certain person or household. 

Personal data includes:

  • Names
  • Email addresses
  • Biometric information
  • IP addresses
  • Location data
  • Etc.

Personal data does not include:

  • Publicly available information from government records.
  • De-identified or aggregated consumer information (including Google Analytics).
  • Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA), or clinical trial data.
  • Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.


If my site uses Google Analytics, is that considered collecting personal data?

No. Google Analytics is aggregated consumer data. It’s not possible to associate Google Analytics data with an individual person. If someone were to request that their “personal data” be exported from Google Analytics, you’d find it impossible to accomplish. Google Analytics used to show IP addresses, but it doesn’t anymore.


How do I comply with CCPA?

  1. Update your privacy policy (Download a CCPA Privacy Policy Template Here) to explain how, why and what personal data you collect and process. Explain how your users can access, change, or erase the personal data that you have collected.
  2. Provide a notice to consumers that you collect data at the point of collection or before it takes place.
  3. Include a “Do Not Sell My Personal Information” link on your home page.
  4. Respond to anyone requesting information about their data and maintain records of all requests.
  5. Verify the identity of the person making any personal data requests.
  6. Obtain consent before selling personal data from minors 13-16 years old. For minors younger than 13 you have to obtain consent from their parents.


What should a CCPA-compliant privacy policy contain?

Click here to view an example CCPA Privacy Policy. A CCPA compliant privacy policy should include the following:

  1. The kind of data you collect
  2. Why you collect the data
  3. How you collect and process the data
  4. How people can request access to, correction of, portability of, or deletion of their data
  5. Explanation of how you verify the identity of someone requesting these things
  6. Whether you sell the data and how someone can opt out of the selling of their information

Do I need to obtain prior consent before collecting and processing users’ data?

No. In fact you can sell data you collect on those 17 and older without receiving prior consent. However, if CCPA applies to your business, your privacy policy must let people know what data is being collected and how to opt out.  


WordPress Plugins for CCPA Compliance

A WordPress plugin alone cannot meet compliance requirements. If CCPA applies to your site you must update your website’s privacy policy, add a link to your home page, etc.

That said, a WordPress plugin is a good way to meet the CCPA compliance requirements of providing “a notice to consumers that you collect data at the point of collection or before it takes place.”

These free plugins can help with cookie consent:

https://wordpress.org/plugins/cookie-notice/

https://wordpress.org/plugins/uk-cookie-consent/

https://wordpress.org/plugins/cookie-law-info/


Including a “Do Not Sell” link

Compliance with CCPA requires a clear “do not sell my personal data” link on your homepage, and on any other page that collects personal information. The page that this link directs to should provide a means for users to:

  1. Opt out of collection,
  2. Request to review their data, and
  3. Request that their data be deleted.

Methods by which users could make these requests include:

  • Calling
  • Emailing
  • Mailing
  • Submitting an online web form

It is also a requirement of CCPA that you verify the identity of the person making the request. Learn how to do that here.

Note: This is general advice and not custom-tailored to your unique situation. If you have questions about whether you are required to comply with CCPA you should contact us by calling 800-407-1114 or emailing support@wowie.co
