How to Make Your WordPress Website CCPA Compliant
Due to a growing user demand for privacy protection and for their personal data on the internet to be secured, authorities worldwide have started introducing various privacy regulations. In fact, it’s already been well over five years since GDPR (the General Data Protection Regulation covering EU citizens’ personal data) first rolled out. And while many people are already familiar with what GDPR compliance entails, there are still those unaware of a similar regulation in the most populous US state – the California Consumer Privacy Act (CCPA).
Generally speaking, CCPA has a similar set of rules like GDPR, though there are still some CCPA-specific things that every website owner should be aware of. For this reason, we’ve decided to gather a list of things you can do to make your WordPress CCPA compliant. But before we begin, we will explain what CCPA stands for and share some of its most important rules.
As we already mentioned at the beginning, CCPA is an acronym for the California Consumer Privacy Act. This is a data privacy law that came into effect in January 2020 and which protects US consumers in the state of California.
Now, the thing is, even if your business isn’t based in California, the law still applies to you if you do business with Californian consumers in any way. In addition, your business needs to meet at least one of the following conditions for the law to apply to you:
- It generates over $25 million in annual revenue,
- It has access to the personal data of over 50,000 consumers,
- It earns more than half of its annual revenue by selling the personal information of its consumers.
So, in short, if you do business with, or sell your products or services to anyone in California and your business meets at least one of the above-mentioned conditions, your website has to be CCPA compliant.
Here are the rights consumers have under the CCPA law:
- The right to know what personal information your business gathers about them, including the way this information is used, shared, or sold,
- The right to opt out of the sale of their personal data,
- The right to have their personal information deleted.
As for what personal information means in legal terms, it means any information that relates to or can be directly or indirectly linked to a specific consumer. This includes names, aliases, addresses, email addresses, driver’s license numbers, passport numbers, IP addresses, and similar data. In short, under the CCPA law, users are protected in the sense that they have the right to tell a business to stop selling their personal information. And if these CCPA rules can be applied to your site, you should make sure to provide a way for users to opt out of the sale of their personal data.
If your business violates the CCPA unintentionally, you could be subjected to a fine of up to $2500 per violation. For intentional violations, your fine could be up to $7500 per violation.
Now, you might be wondering – what does this mean for a small business website?
The thing is, while the CCPA does not necessarily affect the websites of smaller businesses, we still advise you to comply with the CCPA laws even if you fall into the small business category. By doing so, you will let potential customers know that your business is trustworthy and that protecting their rights is your top priority, so they will know to expect nothing short of a perfect customer experience from you.
Finally, we should note that we are only stating some of the general rules and regulations of the CCPA law. To make sure that your WordPress is CCPA compliant and to protect yourself from any potential liabilities, we advise you to consult with a lawyer.
Now that we’ve explained what CCPA stands for and we’ve also talked about some of its key points, it’s time to go through some of the necessary steps you should take to ensure that your WordPress site fits the CCPA requirements. Here’s what you need to do:
While a Privacy Policy page has always been important, with these new laws coming into effect (first GDPR, and now CCPA as well), having this kind of page on your WordPress site is practically a must. A Privacy Policy page is also the perfect opportunity to disclose the kind of user information you are collecting, as well as the way this information will be used (shared, sold, and so on). Here are some of the CCPA-related things you should include on your Privacy Policy page:
- Information about the types of personal data your WordPress site collects from its visitors, as well as where it collects them from,
- Why collecting (sharing or selling) this personal information is necessary,
- Who you share this data with (e.g. a third-party service),
- Information about consumer rights under the CCPA law,
- Your contact info, so that users can exercise their rights and/or ask you any additional questions they may have.
To create a Privacy Policy page, you can use the premade WordPress Privacy Policy template by going to Settings >> Privacy located in your WordPress admin dashboard. Or, you can create your page from scratch by going to Pages >> Add New. In case you already have a Privacy Policy page on your site, you need to update it so that it complies with the CCPA.
For more information on the subject, you can check out our article on adding a Privacy Policy in WordPress.
As we’ve previously mentioned, the CCPA gives users the ability to object to the sale of their data to third-party businesses. So, another good way to make things easier for users is to add a Do Not Sell button to your site. Clicking this button takes Californian users to a dedicated “Do Not Sell My Personal Information” page, where they should be able to opt out of any sale of their data.
Creating this button is quite easy to do with the help of a suitable plugin. To learn how to do this, we recommend that you check out our article on how to add a Do Not Sell Button in WordPress.
You know those popups that appear when you enter a website, saying that the website uses cookies? These are cookie consent notices – and yes, you should set one up on your WordPress site as well, since cookie identifiers also count as personal data under the CCPA law. While the CCPA does not necessarily require users’ consent before cookies are set in their browsers, you still have to give them a way to opt out of cookies. Besides the notice itself, you need to tell users what you will use cookies for, and you should include a link that allows them to opt out of cookies and/or a link leading to the Do Not Sell My Personal Information page.
You can use one of the many available cookie consent tools to add this notice to your WordPress site. If you ask us, we recommend trying tools like CookieYes and Osano. Both of these options are easy to use and are highly customizable, allowing you to set up a functional cookie consent notice on your site in no time.
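To show what the opt-out described in the two sections above looks like under the hood, here is a minimal server-side version added as an example (it is not code from the article or from the plugins it recommends). The cookie name, the admin-post action name, the shortcode and the gated third-party script handle are all assumptions made here; the nonce check protects the form against cross-site request forgery.

```php
<?php
// Added example, not from the article: a minimal server-side "Do Not Sell" opt-out.
// The cookie name, action name, shortcode and gated script are assumptions made here.

const CCPA_OPT_OUT_COOKIE = 'ccpa_do_not_sell';

// Has the current visitor opted out of the sale/sharing of their data?
function ccpa_visitor_opted_out() {
    return isset( $_COOKIE[ CCPA_OPT_OUT_COOKIE ] ) && '1' === $_COOKIE[ CCPA_OPT_OUT_COOKIE ];
}

// Handles the form posted from the "Do Not Sell My Personal Information" page
// (registered on both admin-post hooks so logged-in and anonymous visitors can use it).
function ccpa_handle_opt_out() {
    check_admin_referer( 'ccpa_opt_out' ); // CSRF check on the form's nonce
    setcookie( CCPA_OPT_OUT_COOKIE, '1', array( // options array needs PHP 7.3+
        'expires'  => time() + YEAR_IN_SECONDS,
        'path'     => '/',
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ) );
    wp_safe_redirect( wp_get_referer() ?: home_url( '/' ) );
    exit;
}
add_action( 'admin_post_ccpa_opt_out', 'ccpa_handle_opt_out' );
add_action( 'admin_post_nopriv_ccpa_opt_out', 'ccpa_handle_opt_out' );

// Shortcode [ccpa_do_not_sell] renders the button, or a confirmation once opted out.
function ccpa_do_not_sell_button() {
    if ( ccpa_visitor_opted_out() ) {
        return '<p>You have opted out of the sale of your personal information.</p>';
    }
    $form  = '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    $form .= '<input type="hidden" name="action" value="ccpa_opt_out">';
    $form .= wp_nonce_field( 'ccpa_opt_out', '_wpnonce', true, false );
    $form .= '<button type="submit">Do Not Sell My Personal Information</button></form>';
    return $form;
}
add_shortcode( 'ccpa_do_not_sell', 'ccpa_do_not_sell_button' );

// Only load the third-party advertising/tracking script when the visitor is not opted out.
function ccpa_enqueue_third_party() {
    if ( ccpa_visitor_opted_out() ) {
        return;
    }
    wp_enqueue_script( 'example-ad-partner', 'https://ads.example/tag.js', array(), null, true );
}
add_action( 'wp_enqueue_scripts', 'ccpa_enqueue_third_party' );
```

Place the shortcode on the Do Not Sell My Personal Information page and link to that page from the cookie notice; any script that sells or shares data should be enqueued only through the gated function.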
Another thing you should do according to the CCPA is to provide users with access to personal information upon their request. You can easily do this by putting up a simple form on your site. The users will be able to fill in this form and submit their data access requests. We recommend using one of the available contact form WordPress plugins for this task, such as Contact Form 7 or WPForms, to name a few.
The CCPA law states you mustn’t sell personal data of children aged 13 to 16 unless you have their consent to do so (for children under the age of 13, a parent or a guardian should give their verifiable consent). You can provide a separate consent box for children younger than the age of 16 in your cookie notice. Or, if you do not want to collect this data in the first place, you should state so on your Privacy Policy page, guaranteeing that all their personal data will be deleted.
Finally, according to CCPA law, you are required to delete the personal data of users upon their request. Luckily, if you’re using the latest version of WordPress, you will be able to access settings in your WordPress admin specifically made to help you manage data deletion requests of specific users. To do this, simply head to Tools >> Erase Personal Data. Once there, you will see the options that will allow you to delete personal data by entering a specific user name or email address. You also have the option to send personal data erasure confirmation emails to users.
Of course, you should also provide a simple form that will allow users to request the deletion of their personal information. You can also do so using one of the above-mentioned contact form plugins.
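The Tools >> Erase Personal Data screen (and its companion Tools >> Export Personal Data, which serves the access requests mentioned earlier) only covers data WordPress itself knows about. Plugins that keep their own tables hook into the same screens through two filters; the following is an added example, not code from the article, and assumes a hypothetical plugin table named `{$wpdb->prefix}newsletter_signups` with the columns `email`, `ip` and `created`.

```php
<?php
// Added example (not from the article): register a custom exporter and
// eraser so a plugin's own table, hypothetically {$wpdb->prefix}newsletter_signups
// (columns email, ip, created), is handled by Tools > Export/Erase Personal Data.

// Exporter callback: returns the rows stored for an email address (access request).
function ccpa_example_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'newsletter_signups'; // hypothetical table
    $rows  = $wpdb->get_results(
        $wpdb->prepare( "SELECT email, ip, created FROM {$table} WHERE email = %s", $email_address ),
        ARRAY_A
    );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'newsletter-signups',
            'group_label' => 'Newsletter signups',
            'item_id'     => 'newsletter-' . md5( $row['email'] . $row['created'] ),
            'data'        => array(
                array( 'name' => 'Email',      'value' => $row['email'] ),
                array( 'name' => 'IP address', 'value' => $row['ip'] ),
                array( 'name' => 'Signed up',  'value' => $row['created'] ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => true ); // everything fits in one page
}

// Eraser callback: deletes the rows for the address (deletion request).
function ccpa_example_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'newsletter_signups', array( 'email' => $email_address ), array( '%s' ) );
    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['ccpa-example'] = array( 'exporter_friendly_name' => 'Newsletter signups', 'callback' => 'ccpa_example_exporter' );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['ccpa-example'] = array( 'eraser_friendly_name' => 'Newsletter signups', 'callback' => 'ccpa_example_eraser' );
    return $erasers;
} );
```

Once registered, the rows show up in the export archive and are removed when you confirm an erasure request for that email address, so the request form and the admin tool cover the plugin's data as well as WordPress's own.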
Conclusion
Regardless of your business size or the country you operate your business in, you won’t make a mistake if you decide to comply with the CCPA law. By doing so, not only will you send a clear message to users that you care about their personal data, but also that you’re up to date with the latest privacy standards, which can only make them more inclined to trust you. Just be sure to follow most, if not all of the steps we recommended above, and you’ll be well on your way to gaining credibility in your line of work.