The California Consumer Privacy Act (CCPA) is the US answer to the EU’s General Data Protection Regulation (GDPR). The CCPA shares many of the GDPR’s core concepts, although its rules are not identical, and it is America’s most comprehensive data privacy legislation to date. It also prompted other state privacy laws that were in development in the US, including Virginia’s CDPA and Nevada’s privacy law.
Like the GDPR, the CCPA lays down several rules for how businesses handle their customers’ personal data, and those rules apply to websites as well. Below we discuss what a WordPress site owner must do to make a website compliant with the CCPA.
But, before we get into that discussion let’s take a look at the basics of CCPA.
IMPORTANT: We are not lawyers; we are simply sharing information about the CCPA and general compliance tips. Following the steps below does not by itself guarantee that you meet every CCPA requirement. To make sure your website meets all CCPA requirements, please consult a lawyer.
The CCPA is a state data privacy law enacted in California, USA. Like its European counterpart, it was created to protect people’s personal information. It became effective on 1 January 2020.
The CCPA applies only to for-profit businesses that do business in California and meet at least one of these criteria:
- Has annual gross revenue over $25 million
- Annually buys, receives, sells, or shares the personal information of 50,000 or more California residents, households, or devices
- Derives 50% or more of its annual revenue from selling the personal information of California residents
Consumers enjoy several rights under the CCPA:
- The right to know what personal information a business collects about them, and how it is used, shared and sold;
- The right to delete personal information;
- The right to opt-out of the sale of the personal information; and
- The right to non-discrimination against those who exercise the CCPA rights.
Breaking the CCPA rules can have severe consequences.
Unintentional violations can be fined up to $2,500 per violation, and intentional violations up to $7,500 per violation.
In addition, consumers whose personal information is exposed in a data breach caused by a failure to maintain reasonable security can sue the business and claim statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater).
How can CCPA affect small business websites?
Unlike the GDPR, the CCPA does not apply to every website that serves its data subjects (California residents in this case); the business must meet at least one of the three thresholds discussed above. In practice, those thresholds mean that many small websites are not legally required to comply. Quality customer service should nevertheless remain a cornerstone of every business. It is important to protect your customers’ interests and rights, especially when you handle their personal data, and protecting their privacy is a smart practice. Even if you do not fall within the CCPA’s scope, it is advisable to comply with the law.
With data breaches and privacy violations on the rise, it is imperative that your users have a safe space where they feel secure and can exercise more control over their information.
How to Make Your WordPress Website CCPA Compliant
The CCPA’s requirements are more flexible than the GDPR’s, so a WordPress site does not necessarily have to be GDPR-ready to comply with US law. There are, however, a few things a CCPA-compliant website should not overlook.
A GDPR-compliance guide covers much of the same ground; however, if the CCPA applies to your website, these are the steps you need to take to make your WordPress site compliant with it.
1. Privacy Policy
Your privacy policy must be in line with the CCPA. It should state:
- What personal data does your website collect about users?
- Where does it get the personal data?
- Why is it necessary to sell, share or collect personal data?
- With whom (third parties), does the website share the personal data?
- What rights does the CCPA give consumers?
- How can they reach you to exercise their rights?
- A “Do Not Sell My Personal Information” link or section that explains how users can opt out of the sharing or sale of their personal information.
You can create and add a privacy policy page to your WordPress site. WordPress 4.9.6 and later include a Settings > Privacy screen in the admin dashboard that lets you designate (or create) the site’s privacy policy page and add the relevant content.
Just go to Settings > Privacy.
2. Do Not Sell My Personal Information Page
The CCPA differs from the GDPR in that it permits the collection and sale of personal information without prior consent. Instead of consent, it gives users the right to opt out of the sale of their data, and that opt-out is a central part of the law. This is why the “Do Not Sell My Personal Information” (DNSMPI) mechanism exists: the CCPA requires a business that sells personal information to offer a clear and conspicuous DNSMPI link through which users can refuse the sale of their personal data to third parties. It is usually implemented as a separate page.
The opt-out section could be included in your privacy policy, with the details of the opt-out process provided on a separate page.
The page should contain the following information:
- An explanation of the right to opt out of the sale of personal information.
- A web form or other means of submitting opt-out requests.
The best place to add the DNSMPI link is in the footer of the website, where it appears on every page.
Sony Music’s website, for example, places the link in its footer, and it takes you to their DNSMPI web page.
3. Cookie Consent Notice
The cookie notice should explain why you use cookies and provide a link or button to opt out of cookies (or a link to the DNSMPI page).
CookieYes lets you create a cookie consent notice for your site and let users opt out of cookies that collect personal data. Its settings and CSS can be customized to make the notice more relevant for US users, and it can also generate privacy and cookie policies for your site in a few clicks.
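The footer link, the opt-out form and the cookie-based opt-out described in sections 2 and 3 can also be wired up without a third-party plugin. The following small WordPress plugin is an added example written for this article; it is not the article’s own code, nor CookieYes’ or Sony Music’s implementation. The page slug `do-not-sell`, the cookie name `ccpa_opt_out`, the text domain `ccpa-example` and the tracker URL are assumptions. The important part is the last hook: an opt-out only means something if it actually stops the third-party scripts that constitute the “sale”.

```php
<?php
/**
 * Plugin Name: Example CCPA Opt-Out (added example, not from the original article)
 *
 * Adds a footer "Do Not Sell My Personal Information" link, a [ccpa_opt_out]
 * shortcode that renders the opt-out form, and a cookie-based switch that keeps
 * third-party tracking scripts from loading once a visitor has opted out.
 * The page slug, cookie name, text domain and tracker URL are assumptions.
 * Requires PHP 7.3+ for the options-array form of setcookie().
 */

defined( 'ABSPATH' ) || exit;

const CCPA_OPT_OUT_COOKIE = 'ccpa_opt_out';   // assumed cookie name
const CCPA_OPT_OUT_PAGE   = 'do-not-sell';    // assumed slug of the DNSMPI page

// True when this browser has already opted out (cookie set by the form handler below).
function ccpa_visitor_opted_out() {
    return isset( $_COOKIE[ CCPA_OPT_OUT_COOKIE ] ) && '1' === $_COOKIE[ CCPA_OPT_OUT_COOKIE ];
}

// 1. Conspicuous footer link to the DNSMPI page, printed on every front-end page.
add_action( 'wp_footer', function () {
    printf(
        '<p class="ccpa-dnsmpi"><a href="%s">%s</a></p>',
        esc_url( home_url( '/' . CCPA_OPT_OUT_PAGE . '/' ) ),
        esc_html__( 'Do Not Sell My Personal Information', 'ccpa-example' )
    );
} );

// 2. Handle the opt-out form on 'init', before any output is sent, so setcookie() still works.
add_action( 'init', function () {
    if ( empty( $_POST['ccpa_opt_out_submit'] ) ) {
        return;
    }
    // The nonce ties the submission to a form this site rendered and blocks cross-site forgeries.
    if ( ! isset( $_POST['ccpa_nonce'] ) || ! wp_verify_nonce( $_POST['ccpa_nonce'], 'ccpa_opt_out' ) ) {
        wp_die( esc_html__( 'Invalid request.', 'ccpa-example' ), '', array( 'response' => 403 ) );
    }
    // Remember the choice for a year. HttpOnly keeps page scripts (including trackers)
    // from reading or clearing it; Secure sends it only over HTTPS.
    setcookie( CCPA_OPT_OUT_COOKIE, '1', array(
        'expires'  => time() + YEAR_IN_SECONDS,
        'path'     => '/',
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ) );
    wp_safe_redirect( add_query_arg( 'opted_out', '1', home_url( '/' . CCPA_OPT_OUT_PAGE . '/' ) ) );
    exit;
} );

// 3. [ccpa_opt_out] shortcode: the form shown on the DNSMPI page.
add_shortcode( 'ccpa_opt_out', function () {
    if ( ccpa_visitor_opted_out() ) {
        return '<p>' . esc_html__( 'You have opted out of the sale of your personal information on this device.', 'ccpa-example' ) . '</p>';
    }
    ob_start();
    ?>
    <form method="post">
        <?php wp_nonce_field( 'ccpa_opt_out', 'ccpa_nonce' ); ?>
        <p><?php esc_html_e( 'Click below to opt out of the sale of your personal information.', 'ccpa-example' ); ?></p>
        <button type="submit" name="ccpa_opt_out_submit" value="1">
            <?php esc_html_e( 'Do Not Sell My Personal Information', 'ccpa-example' ); ?>
        </button>
    </form>
    <?php
    return ob_get_clean();
} );

// 4. Only enqueue third-party trackers (the "sale") for visitors who have not opted out.
add_action( 'wp_enqueue_scripts', function () {
    if ( ccpa_visitor_opted_out() ) {
        return;
    }
    // Assumed example tracker; replace with the ad or analytics script you actually use.
    wp_enqueue_script( 'example-ad-tracker', 'https://tracker.example.com/pixel.js', array(), null, true );
} );
```

Drop the file into `wp-content/plugins/`, activate it, create a page with the slug `do-not-sell` containing `[ccpa_opt_out]`, and the footer link will appear on every page. Two caveats a practitioner should check: the opt-out lives in a browser cookie, so it is per device and should additionally be stored in user meta for logged-in users; and full-page caching can serve a pre-rendered page that still includes the tracker, so the cache must vary on the `ccpa_opt_out` cookie or exclude the tracker from cached output.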
4. Data Access
The CCPA requires that businesses give consumers access to their personal information on request. A website must disclose the categories of personal information it has collected, the specific pieces of information collected about the requester, and what that information is used for.
A contact form can be used to receive data access requests. There are many form plugins to choose from; Ninja Forms is one of the best for building forms in WordPress.
It lets you add forms directly to your pages with a drag-and-drop interface, and you can use a pre-made template or build your own form for data access requests.
5. Data Deletion
The CCPA also requires that businesses delete a consumer’s personal information on request.
As with data access (Tools > Export Personal Data), recent WordPress versions include a built-in tool for handling deletion requests. It lets you record the request, send the requester a confirmation email, and erase their data once they confirm.
To reach it, log in to your WordPress site, go to Tools in the admin menu and select Erase Personal Data.
Other content, such as a user’s comments or posts, can be deleted from the admin area as well.
The Ninja Forms plugin also includes a template for data deletion requests, so users can submit requests through a simple form.
All you have to do is embed the form’s shortcode in the target page and publish it.
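If you would rather not depend on a form plugin, the access and deletion requests from sections 4 and 5 can be fed straight into WordPress’ own Export Personal Data / Erase Personal Data workflow. The plugin below is an added example written for this article, not the article’s or Ninja Forms’ code; it uses the core functions `wp_create_user_request()` and `wp_send_user_request()` (available since WordPress 4.9.6), while the shortcode name, messages, text domain and one-hour throttle are assumptions.

```php
<?php
/**
 * Plugin Name: Example CCPA Data Request Form (added example, not from the original article)
 *
 * A [ccpa_data_request] shortcode that lets a visitor ask for a copy of their
 * personal data or for its deletion. Submissions become core "user_request"
 * entries, so the requester receives WordPress' confirmation email and the
 * admin handles the request under Tools > Export / Erase Personal Data.
 * Shortcode name, messages, text domain and throttle window are assumptions.
 */

defined( 'ABSPATH' ) || exit;

// Map the form's choice to the core request action names.
function ccpa_request_action_name( $type ) {
    $map = array(
        'access' => 'export_personal_data',
        'delete' => 'remove_personal_data',
    );
    return isset( $map[ $type ] ) ? $map[ $type ] : '';
}

// Create and dispatch a core privacy request; returns the request ID or a WP_Error.
function ccpa_submit_data_request( $email, $type ) {
    $email  = sanitize_email( $email );
    $action = ccpa_request_action_name( $type );
    if ( ! is_email( $email ) || '' === $action ) {
        return new WP_Error( 'ccpa_bad_input', __( 'Please enter a valid email address and request type.', 'ccpa-example' ) );
    }
    // Anyone can submit the public form, so throttle per address: otherwise it could be
    // abused to spam confirmation emails at arbitrary addresses.
    $throttle_key = 'ccpa_req_' . md5( strtolower( $email ) . $action );
    if ( get_transient( $throttle_key ) ) {
        return new WP_Error( 'ccpa_throttled', __( 'A request for this address is already pending. Please check your inbox.', 'ccpa-example' ) );
    }
    // Core also rejects a duplicate pending request of the same type for the same email.
    $request_id = wp_create_user_request( $email, $action );
    if ( is_wp_error( $request_id ) ) {
        return $request_id;
    }
    $sent = wp_send_user_request( $request_id );   // emails the confirmation link to $email
    if ( is_wp_error( $sent ) ) {
        return $sent;
    }
    set_transient( $throttle_key, 1, HOUR_IN_SECONDS );
    return $request_id;
}

add_shortcode( 'ccpa_data_request', function () {
    $notice = '';
    if ( ! empty( $_POST['ccpa_request_submit'] ) ) {
        if ( ! isset( $_POST['ccpa_nonce'] ) || ! wp_verify_nonce( $_POST['ccpa_nonce'], 'ccpa_data_request' ) ) {
            $notice = __( 'Invalid request.', 'ccpa-example' );
        } else {
            $result = ccpa_submit_data_request(
                isset( $_POST['ccpa_email'] ) ? wp_unslash( $_POST['ccpa_email'] ) : '',
                isset( $_POST['ccpa_type'] ) ? sanitize_key( $_POST['ccpa_type'] ) : ''
            );
            $notice = is_wp_error( $result )
                ? $result->get_error_message()
                : __( 'We have emailed you a link to confirm your request.', 'ccpa-example' );
        }
    }
    ob_start();
    if ( $notice ) {
        echo '<p class="ccpa-notice">' . esc_html( $notice ) . '</p>';
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'ccpa_data_request', 'ccpa_nonce' ); ?>
        <p><label><?php esc_html_e( 'Email', 'ccpa-example' ); ?> <input type="email" name="ccpa_email" required></label></p>
        <p>
            <label><input type="radio" name="ccpa_type" value="access" checked> <?php esc_html_e( 'Send me a copy of my personal data', 'ccpa-example' ); ?></label><br>
            <label><input type="radio" name="ccpa_type" value="delete"> <?php esc_html_e( 'Delete my personal data', 'ccpa-example' ); ?></label>
        </p>
        <button type="submit" name="ccpa_request_submit" value="1"><?php esc_html_e( 'Submit request', 'ccpa-example' ); ?></button>
    </form>
    <?php
    return ob_get_clean();
} );
```

Place `[ccpa_data_request]` on your privacy or DNSMPI page. Because confirmation goes through the email link that core sends, the form never reveals whether an address is known to the site, and nobody can trigger an export or erasure for an address they do not control; the admin still reviews and completes each confirmed request under Tools.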
We hope these steps help you bring your WordPress website into compliance with the CCPA. For complete compliance, we recommend consulting a lawyer to make sure everything is correct.