How to Make Your WordPress Website CCPA-Compliant


The California Consumer Privacy Act (CCPA) is the US answer to the EU’s General Data Protection Regulation (GDPR). The CCPA, which has largely identical rules to the GDPR, is America’s most comprehensive data privacy legislation. This Act initiated other privacy laws that were in development in the US, including Virginia’s CDPA and Nevada’s privacy law.

Similar to the GDPR, the CCPA lays down several guidelines for businesses on how they handle customers’ personal data. These rules also apply to websites. We will now discuss what a WordPress user must do to ensure that their website is compliant with the CCPA.

But before we get into that discussion, let’s take a look at the basics of the CCPA.

IMPORTANT: We are not lawyers; we are simply sharing information about the CCPA and general compliance tips. You cannot ensure that you comply with all CCPA requirements by following these steps. To ensure that your website meets all CCPA requirements, please consult a lawyer.

The CCPA is a state-wide data privacy law from California, USA. Like its European counterpart, the CCPA was created to protect people’s private information. It became effective on 1 January 2020.

The CCPA’s jurisdiction is restricted to for-profit businesses, anywhere in the world, that meet one of these criteria:

  • Has total annual revenue over $25 million
  • Buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices
  • Acquires more than half of its annual revenue from selling the personal information of Californians

Consumers enjoy several rights under the CCPA:

  • The right to view the personal data a company collects, and how it is used and sold;
  • The right to delete personal information;
  • The right to opt-out of the sale of the personal information; and
  • The right to non-discrimination against those who exercise the CCPA rights.

There can be severe consequences for breaking the CCPA rules.

For unintentional violations, you could be fined up to $2500 per violation, and for intentional violations, $7500 per violation.

Consumers can seek legal consultation, claim $100 to $750 in damages for a data breach, and file legal complaints against the violator.

How can CCPA affect small business websites?

Unlike the GDPR, the CCPA is not automatically applicable to websites serving its data subjects. California residents are the data subjects in this instance. A business must meet at least one of the three requirements we discussed previously. These thresholds seem to indicate that websites smaller than 10k are not required by law to comply. Still, quality customer service should remain a cornerstone of every business. It is important to protect your customers’ interests and rights, especially when you are handling their personal data. Protecting their privacy is a smart practice. Even if you do not fall within the CCPA’s material coverage, it is advisable to comply with this law.

With data breaches and privacy violations increasing, it’s imperative that your users have a safe space where they feel secure and can exercise more control over their information.

How to Make Your WordPress Website CCPA Compliant

CCPA regulations are more flexible than the GDPR. It may not be necessary to make a WordPress site GDPR-ready in order to comply with US laws. There are, however, a few things that CCPA-compliant websites should not overlook.

This guide will show you how to make WordPress compliant with GDPR; however, CCPA may apply to your website. These are the steps you need to take in order for your WordPress website to be compliant with the CCPA.

1. Privacy Policy Page

A Privacy Policy outlines information about your website’s data collection and use. It also tells users how to contact you to file complaints or exercise their privacy rights.

This privacy statement must be in line with the CCPA and cover the following:

  • What personal data does your website collect about users?
  • Where does it get the personal data?
  • Why is it necessary to sell, share or collect personal data?
  • With whom (third parties) does the website share the personal data?
  • What rights does the CCPA give consumers?
  • How can they reach you to exercise their rights?
  • A “Do Not Sell My Personal Information” link, or a section that explains how users can opt out of the sharing or selling of their personal information.

You must update the privacy policy every 12 months to reflect changing business practices.

You can create and add privacy pages to your WordPress site. The latest WordPress version (4.9.6 or higher) has an admin dashboard setting that allows you to set up a privacy page. This will allow you to add relevant content.

Just go to Settings > Privacy.

If you select Create a new Privacy policy Page, you will get an auto-generated template that you can customize.

You can also use your current privacy policy page.

2. Do Not Sell My Personal Information Page

The CCPA differs from the GDPR in that it allows for data collection and sale without consent. Rather than requiring consent, the CCPA gives users the ability to opt out of the sale of their data. Opt-out is an important part of the law. This is why the “Do Not Sell My Personal Information” (DNSMPI) mechanism was created. DNSMPI, a way for users to refuse to let websites sell their personal data to third parties, is a proposal by the CCPA. It’s usually done via a separate page.

This section could be included in your privacy policy. You could also provide additional information about the opt-out process on a separate page.

The page should contain the following information:

  • An explanation of the right to opt out of the sale of personal information.
  • A webform, or other means to send opt-out requests.
  • A link to your privacy policy.

The best place to add the DNSMPI link is in the footer of a website.

Here’s an example taken from the Sony Music website:

The link takes you to their DNSMPI webpage.

3. Cookie Consent Notice

The CCPA recognizes “unique personal identifiers” as personal information. Cookie identifiers are therefore personal information under the law. Unlike under the GDPR cookie consent requirements, a website does not need users’ consent to save cookies in their browsers. It does, however, require sites to offer an opt-out for the sale of personal data. A popup or cookie notice isn’t just used to ask for consent; it also allows users to opt out of the use of cookies.

The cookie notice should explain the reasons you are using cookies, and provide a link or button to opt out of cookies (or the DNSMPI).

CookieYes allows you to create a cookie consent notice for your site and let users opt out of any cookies that collect personal data. The settings and CSS can be customized to make the notice more relevant for US users. In just a few mouse clicks, you can create privacy and cookie policies for your site.

CookieYes offers many more options to ensure that your use of cookies is compliant with the CCPA. It’s easy to get started with CookieYes. The free plan offers cookie scan for up to 100 pages and 5000 consent logs per month (and there are premium plans for advanced features and increased usage). You can try the premium features free for 14 days (no credit card required and you can upgrade from the trial plan anytime) and see how it works for your website.

4. Data Access

The CCPA requires that websites allow users to access their personal data upon request. Websites are required to disclose information about the data they have collected and what it is used for, as well as the categories of information that were collected.

Contact forms can be used to make a request for data access. You have many options for forms. Ninja Forms is one of the best plugins to build forms in WordPress.

This tool allows you to add forms directly to your web pages using a drag-and-drop interface. Pre-made templates are available, or you can create your own to allow users to make data access requests.

5. Data Deletion

The CCPA mandates that websites delete user information on request.

As with data access, the latest WordPress versions have specific settings that allow your users to send data deletion requests. This allows you to send confirmation emails for data deletion.

To access this, after logging into your WordPress website, go to Tools on the admin menu. From there select Erase Personal Data.

You can also delete other information such as comments or posts from the admin area.

The Ninja Forms plugin offers several templates, including one that allows you to request data deletion. The plugin is simple to use, and users can submit requests via a form.

All you have to do is embed the shortcode in the target page and publish it.

We hope that these steps can help you get your WordPress website into compliance with the CCPA. For complete compliance, we recommend that you consult a lawyer. This will allow you to make sure everything is correct.

