What is CCPA?
It stands for the California Consumer Privacy Act of 2018. The law went into effect in January 2020. It gives California residents the right to learn how their personal information is being used, and it allows consumers to prevent businesses from selling or disclosing their information. As a result, some websites must notify users about how their information will be used and give them a way to opt out.
The California Consumer Privacy Act (CCPA) is similar to legislation passed in Europe in 2016, the General Data Protection Regulation (GDPR). In light of recent major consumer data breaches, such as those at Target and Equifax, and the Cambridge Analytica / Facebook incident, consumers are beginning to demand more privacy rights and more transparency about how their data is used.
California is the first state in the United States to pass such legislation, but nine additional states are working on similar laws. It is only a matter of time before more states pass consumer data protection laws.
Who does CCPA apply to?
If you’re wondering whether CCPA applies to your business, relax: the answer is most likely “no”. But what if it does apply to your business? Don’t worry. Despite a lot of fear-mongering, complying with CCPA isn’t all that difficult.
The CCPA states that it applies to any business that:
- Has at least $25 million in annual gross revenues.
- Collects data on 50,000 or more California residents, households, and/or devices every year.
- Derives 50% or more of its annual revenue from selling the personal information of California residents.
What are the penalties for non-compliance?
If you have been notified that you are not in compliance with the CCPA, you have 30 days to take action before the Attorney General brings a civil case against you. This can lead to fines of up to $7,500 per individual violation, so if you violate the privacy rights of 10 people, you could be fined $7,500 per person.
What is personal data according to the CCPA?
Personal data is any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular person or household.
Personal data includes:
- Email addresses
- Biometric information
- IP addresses
- Location data
Personal data does not include:
- Publicly available information from government records.
- De-identified or aggregated consumer information (including Google Analytics).
- Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA), or clinical trial data.
- Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.
If my site uses Google Analytics, is that considered collecting personal data?
No. Google Analytics data is aggregated consumer data; it is not possible to associate it with an individual person. If someone requested that their “personal data” be exported from Google Analytics, you would find it impossible to do. Google Analytics used to show IP addresses, but it no longer does.
How do I comply with CCPA?
- Provide a notice to consumers that you collect data, at the point of collection or before it takes place.
- Include a “Do Not Sell My Personal Information” link on your home page.
- Respond to anyone requesting information about their data, and maintain records of all requests.
- Verify the identity of the person making any personal data request.
- Obtain consent before selling the personal data of minors 13 to 16 years old. For minors younger than 13, you must obtain consent from their parents.
- Disclose the following to consumers:
  - The kind of data you collect
  - Why you collect the data
  - How you collect and process the data
  - How people can ask to access, change, move, or delete their data
  - How you verify the identity of someone making these requests
  - Whether you sell the data, and how someone can opt out of the sale of their information
Do I need to obtain prior consent before collecting and processing users’ data?
WordPress Plugins for CCPA Compliance
A WordPress plugin is a good way to meet the CCPA requirement of providing “a notice to consumers that you collect data at the point of collection or before it takes place.”
These free plugins can help with cookie consent:
Including a “Do Not Sell” link
CCPA compliance requires a clear “Do Not Sell My Personal Information” link on your homepage and on any other page that collects personal information. The page this link leads to should give users a way to:
- Opt out of collection
- Request to review their data
- Request that their data be deleted
Methods by which users can make these requests include:
- Submitting an online web form
It is also a requirement of CCPA that you verify the identity of the person making the request.
DISCLAIMER: This is general advice and not custom-tailored to your unique situation. If you have questions about whether you are required to comply with CCPA you should contact your personal attorney.
If you would like help getting your website GDPR or CCPA compliant, please contact me.