CCPA stands for the California Consumer Privacy Act of 2018. The act gives California residents the right to learn what personal information a business collects about them and how it is used, to request deletion of that information, and to stop businesses from selling it. In practice this requires some websites to notify users about what information is collected and how it will be used, and to give them a way to opt out of its sale.

Who does CCPA apply to?

CCPA applies to any for-profit business that collects California residents' personal information and meets one or more of the following thresholds:

  1. Has at least $25 million in annual gross revenue.
  2. Annually buys, receives, sells, or shares the personal information of 50,000 or more California residents, households, or devices.
  3. Derives 50% or more of its annual revenue from selling the personal information of California residents.

Do I need to comply with CCPA even if I don’t do business in California?

CCPA protects California residents regardless of where the business operates. If a California resident navigates to a website operated in another state, the business is still subject to CCPA if it meets the thresholds above. The one narrow exemption is for commercial conduct that takes place wholly outside California: if the information was collected while the consumer was physically outside California, and no part of the sale occurred in California, the act does not restrict that collection or sale. For a website that serves visitors in California, you should assume that exemption does not help you.

What are the penalties for non-compliance?

If the Attorney General notifies you that you are not in compliance with CCPA, you have 30 days to cure the violation. If you do not, the Attorney General can bring a civil action against you. Civil penalties are up to $2,500 per violation and up to $7,500 per intentional violation, and each affected consumer counts as a separate violation. This means that if you violate the privacy rights of 10 people, you could be fined up to $7,500 per person.

What is personal data according to the CCPA?

Personal data is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household.

Personal data includes:

  • Names,
  • Email addresses,
  • Biometric information,
  • IP addresses,
  • Unique identifiers such as cookies, device identifiers, and account IDs,
  • Location data,
  • Basically any data that can be tied to a specific individual or household.

Personal data does not include:

  • Publicly available information from government records.
  • De-identified or aggregated consumer information.
  • Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA), or clinical trial data.
  • Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994.

If my site uses Google Analytics, is that considered collecting personal data?

Not necessarily, but do not assume the answer is no. The reports Google Analytics shows you are aggregated, and you cannot export an individual person's complete profile from them. The data it collects to build those reports, however, includes a client identifier stored in a cookie and the visitor's IP address on each hit, and CCPA's definition of personal information explicitly covers IP addresses and unique identifiers such as cookies. Google Analytics does not display visitor IP addresses in its reports, and it offers an IP anonymization setting, but it still receives the address. The safe course is to enable IP anonymization, disclose analytics cookies in your privacy policy and cookie notice, and treat the collection as personal information even though the reports are aggregated.

How do I comply with CCPA?

  1. Update your privacy policy to explain what personal data you collect, why you collect it, and how you process it. Explain how your users can access, obtain a copy of, or delete the personal data that you have collected.
  2. Provide a notice to consumers that you collect data, at or before the point of collection.
  3. If you sell personal information, include a "Do Not Sell My Personal Information" link on your home page.
  4. Respond to anyone requesting information about their data within the statutory deadline (45 days, extendable once), and maintain records of all requests.
  5. Verify the identity of the person making any personal data request before acting on it.
  6. Obtain the minor's own opt-in consent before selling the personal data of anyone at least 13 and under 16 years old. For children younger than 13 you must obtain consent from a parent or guardian.

What should a CCPA-compliant privacy policy contain?

A CCPA-compliant privacy policy should include the following:

  1. The categories of data you collect
  2. Why you collect the data
  3. How you collect and process the data
  4. How people can request access to their data, a portable copy of it, or its deletion
  5. An explanation of how you verify the identity of someone making those requests
  6. Whether you sell the data, and how someone can opt out of the sale of their information

Do I need to obtain prior consent before collecting and processing users’ data?

No. In fact, you can sell data you collect on consumers 16 and older without receiving prior consent, as long as you offer a way to opt out of that sale. However, if CCPA applies to your business, your privacy policy and your notice at collection must tell people what data is being collected and how to opt out.


WordPress Plugins for CCPA Compliance

A WordPress plugin alone cannot meet the compliance requirements. If CCPA applies to your site you must still update your website's privacy policy, add the "Do Not Sell" link to your home page if you sell personal information, handle consumer requests, and so on.

That said, a WordPress plugin is a good way to meet the CCPA requirement of providing "a notice to consumers that you collect data at or before the point of collection."

These free plugins can help with cookie notices and consent:

https://wordpress.org/plugins/cookie-notice/

https://wordpress.org/plugins/uk-cookie-consent/

https://wordpress.org/plugins/cookie-law-info/


Including a “Do Not Sell” link

Compliance with CCPA requires a clear "Do Not Sell My Personal Information" link on your home page, and on any other page that collects personal information, if your business sells personal information. The page that this link directs to should provide a means for users to:

  1. Opt out of the sale of their personal information,
  2. Request access to, or a copy of, the data you hold about them,
  3. and request that their data be deleted.

Methods by which users could make these requests include:

  • Calling a toll-free number
  • Emailing
  • Mailing
  • Submitting an online web form

It is also a requirement of CCPA that you verify the identity of the person making the request before you disclose or delete any data; otherwise the request process itself becomes a way for an attacker to obtain or destroy someone else's personal information.

Note: This is general advice and not custom-tailored to your unique situation. If you have questions about whether you are required to comply with CCPA you should contact us by calling 800-407-1114 or emailing [email protected]