There’s a new privacy law going into effect soon, on January 1st, 2020 to be exact, and everyone is scrambling to implement compliance. Sound familiar? If you are sensing déjà vu, don’t worry, we remember GDPR too.

While GDPR was an overarching law to protect the privacy rights of citizens of the European Union, this new law is concerned with the privacy rights of residents of California. Allow us to introduce you to the California Consumer Protection Act of 2018 (CCPA), a law designed to provide Californians with more control over their personal information.

In this guide, we will walk you through the following:

Please note that this guide is for information purposes only and should not be considered legal advice.

What Is the CCPA?

The CCPA is a privacy law that was passed on June 28, 2018. A version of this law was initially introduced as an initiative for the November 2017 statewide ballot by a real estate developer. The developer offered the California legislature a deal that he would withdraw his ballot (which was fairly harsh for businesses) if a similar privacy law was passed.

The legislature introduced, amended and passed their version of the CCPA in a total of seven days. The law has since been amended a few more times and the California Attorney General has also released regulations that aim to clarify the requirements of this new law. You can find the full text of the CCPA, with the passed amendments here, and the proposed regulations here.

According to lawmakers, the CCPA was passed because:

  1. The growth of technology has limited the ability of Californians to properly protect and safeguard their privacy
  2. California law has not kept pace with the fact that consumers share more and more personal information with businesses
  3. Unauthorized disclosure of personal information and the loss of privacy can have devastating effects on people
  4. The Cambridge Analytica scandal has increased the desire for privacy controls and transparency in data practices.

Finally, it is clear that people desire privacy and more control over their information, and the CCPA was passed to fulfill that desire. Similarly to GDPR, the CCPA fulfills this desire by providing certain rights to consumers, or, in this case, to residents of California. These rights are as follows:

  1. The right to know what personal information is being collected about them
  2. The right to know whether their personal information is sold or disclosed and to whom
  3. The right to say no to the sale of their personal information
  4. The right to request the deletion of their personal information
  5. The right to access their personal information
  6. The right to equal service and price, even if they exercise their privacy rights

Who Does the CCPA Apply To?

The tricky, and sometimes the most confusing, part of privacy laws is figuring out whether they apply to your business. Privacy laws are created to protect the personal information of the residents or citizens of a particular state or country, not the businesses.

This means that businesses outside of California may still be subject to this law. The CCPA applies to “businesses,” a term defined as a for-profit legal entity that does business in California and meets one of the following thresholds:

  1. Has annual gross revenue of more than $25,000,000
  2. Annually buys, receives for business or commercial purposes, sells, or shares the personal information of 50,000 or more Californian consumers, households, or devices; or
  3. Derives 50% or more of its annual revenues from selling the personal information of Californian consumers.

If you are thinking that the CCPA technically applies to large companies only, you are partially correct. Due to the very broad definition of sale of personal information, a big part of CCPA compliance is the management of vendors.

This means that if you do business with, or act as a vendor to large businesses, they may require you to comply with the CCPA via contract. So, if you are a small company that does not meet the thresholds above, you may still need to pay attention to and comply with these requirements.

Furthermore, if you design websites for companies that are large and need to comply with the CCPA, you will need to pay attention as well as this law will affect how you design those websites.

What Are the Consequences of Not Complying with the CCPA?

The CCPA will generally be enforced by the California Attorney General. Fines for non-compliance are $2,500 per violation or $7,500 per intentional violation. “Per violation” is generally understood to mean per person whose privacy rights you violated.

So, if you have 100 website visitors from California and do not have a compliant Privacy Policy, your fines can add up to $250,000. It’s easy to see how this can balloon into a very large number.

If you have to comply with the CCPA via contract only, a consequence of non-compliance could be the loss of that customer or the business relationship. If you have to build a CCPA-compliant website, the consequence of non-compliance can mean your client getting fined and you being sued in return or bad reviews that hurt your web design business.

How to Prepare Your WordPress Website for the CCPA

If you have a website on WordPress that needs to be CCPA compliant, we’ll walk you through a few of the steps that you can take to ensure that you are compliant with the CCPA. The steps that you take to prepare for the CCPA may include:

If this all seems like a lot of work, it is. Don’t worry though, we’ll also provide you with some of our favorite tools and resources that you can use to help you prepare.

Hire a Privacy Lawyer

As you will soon see, there’s a lot that goes into complying with the CCPA. The law and the regulations can be difficult to interpret, to say the least.

If you are unsure of the right path for you, you should hire an attorney who specializes in privacy, as they will be able to point you in the right direction and provide you with valuable advice specific to your situation.

If you are unsure of what lawyer to choose, check out the International Association of Privacy Professionals’ list of law firms that work in the privacy field.

Understand What Personal Information You Collect

The CCPA requires you to tell consumers what categories of personal information you collect. You should go through your website and create a list.

Take a look through all of your pages and all of the forms that you use, including contact forms, newsletter sign-up forms, account creation forms, comment submission forms, check-out forms, and any other forms that you may use, along with their associated plugins.

For example, as shown below, the default form in WordPress that is used to provide comments on blog posts collects name and email:

Comments form on Kinsta

Also, put together a list of personal information that you collect from any other sources. Think of analytics software, Hotjar, information entered on an ecommerce checkout page or WordPress registration page, and similar sources.

Then, put those pieces of personal information that you collect from those forms into categories that allow the consumer to easily understand what personal information you collect. Examples of the categories of personal information can include:

  1. Identifying information
  2. Financial information
  3. Commercial information
  4. Biometric information
  5. Internet activity information and
  6. Geolocation information

Understand from What Sources You Collect This Personal Information

The CCPA requires you to disclose from what sources you collect personal information. Examples of sources can include:

  1. Directly from the consumer
  2. Surveys
  3. Tracking pixels
  4. Observing and recording of activities such as through the use of cookies and
  5. Data resellers

Understand Whether You Are Disclosing Personal Information to Third Parties

The CCPA requires you to state whether you disclose personal information to third parties. When asked whether they share data, most people’s initial answer is a slightly offended “no”.

Take some time and really think about what integrations you have made with your website.

Do newsletter subscriptions go right to an email marketing tool such as MailChimp?

Do form submissions get logged into a customer relationship management tool such as HubSpot?

Does your web developer receive an alert whenever you get a form submission?

If so, you are sharing data with third parties and you need to disclose that.

Create a Do Not Sell My Personal Information Page

If you sell the personal information of Californian consumers, you are required to have a web page titled “Do Not Sell My Personal Information” or “Do Not Sell My Info.” This web page needs to contain the following information:

  1. A description of the consumer’s right to opt-out of the sale of their personal information
  2. A webform by which the consumer can submit their request to opt-out
  3. Instructions for any other methods by which the consumer can submit their request to opt-out
  4. A link to your Privacy Policy
  5. Any proof required when a consumer wants to designate an authorized agent to submit a request to opt-out on their behalf

Below, you can see an example of a website homepage’s footer that includes a hyperlink to the “Do Not Sell My Personal Information” page.

Example of a “Do not sell my personal info” page

Create a Privacy Notice

The CCPA requires you to provide Californian consumers with a Privacy Notice at the time of collecting personal information.

Note that the CCPA does not require a consumer to provide consent to the collection of personal information, which is quite a departure from the requirements we saw in GDPR.

A Privacy Notice is like a mini-Privacy Policy: it provides a quick and condensed explanation of what personal information is collected, what it will be used for, and other disclosures.

The notice must be designed and presented to the consumer in a way that is easy to read and must be understandable to the average person. The notice must:

  1. Use plain and straightforward language and avoid technical or legal jargon
  2. Use a format that draws the consumers’ attention to the notice and makes the notice readable, including on smaller screens
  3. Be available in the languages in which you provide contracts, disclaimers, sale announcements, or other information to consumers
  4. Be accessible to consumers with disabilities

Your Privacy Notice must include the following information:

  1. A list of categories of personal information you collect from consumers. Each category that you list must give the consumer a meaningful understanding of the personal information collected
  2. For each category of information, the business or commercial purpose(s) for which it will be used
  3. If you sell personal information, a link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info.” This link should lead to a webpage where consumers can exercise their right to say no to the sale of personal information

If you do not want to create a Privacy Notice, you can simply provide consumers with a link to your Privacy Policy at the time of collecting personal information. Below is an example of a California-specific Privacy Notice.

California-specific Privacy Notice

Create a Privacy Policy

The CCPA also requires you to have a Privacy Policy. The purpose of the Privacy Policy is to provide the consumer with a thorough description of your practices regarding the collection, use, disclosure, and sale of personal information and the privacy rights that consumers receive under the CCPA.

The Privacy Policy must meet the same readability, format, availability, and accessibility requirements as the Privacy Notice.

However, the Privacy Policy must also be available in an additional format that allows the consumer to easily print it out. The Privacy Policy must be posted on your website through a conspicuous link using the word “privacy” on your website’s homepage.

Your Privacy Policy must contain the following information:

  1. A description of the rights of Californian consumers under the CCPA
  2. One or more methods by which consumers can submit requests to exercise their rights. If you sell personal information, a link to your “Do Not Sell My Personal Information” or “Do Not Sell My Info” page where the consumer can exercise their right to say no to the sale of their personal information
  3. A list of categories of personal information that you collected in the last 12 months
  4. A list of categories of sources from which you collect the personal information
  5. The business or commercial purpose(s) for which you use the personal information
  6. A list of categories of personal information that you sold in the last 12 months and a list of categories of third parties to whom you sold that personal information. If you have not sold any personal information, then you must disclose that fact
  7. A list of categories of personal information that you disclosed in the last 12 months and a list of categories of third parties to whom you disclosed this personal information. If you have not disclosed any personal information, then you must disclose that fact
  8. How a consumer can designate an authorized agent to make requests to exercise their privacy rights on their behalf
  9. A contact that a consumer can reach for any questions or concerns
  10. The date the Privacy Policy was last updated
  11. If you sell the personal information of 4,000,000 or more Californian consumers per year, you will need to include additional disclosures as well

Tools and Resources That Can Help You Comply with the CCPA

All of these compliance and disclosure requirements can seem daunting. Fortunately, there are quite a few helpful tools that you can use to get your website and business ready:

Termageddon

Termageddon

Termageddon: a software as a service that generates Privacy Policies that are customized for your business. We update our clients’ Privacy Policies whenever the laws change, making sure that your policies always stay up to date.

CCPA Toll Free

CCPA Toll Free

CCPA Toll Free: the CCPA requires some businesses to provide a toll-free phone number as one of the methods that consumers can use to exercise their privacy rights. CCPA Toll Free helps you meet that requirement.

Orrick’s CCPA Readiness Assessment

CCPA Readiness Assessment

Orrick’s CCPA Readiness Assessment: this tool helps you understand how fully you are prepared for the CCPA by asking you simple “yes” or “no” questions. You can also use this tool as a kind of checklist for preparedness.

CCPA Opt-Out by CookiePro

CCPA Opt-Out WordPress plugin

CCPA Opt-Out: this plugin allows you to customize and add a “Do Not Sell” button to your website.

IAPP

IAPP

IAPP: the International Association of Privacy Professionals is the largest privacy group in the world. Check out their website for a constantly updating list of privacy news, resources, and vendors.

Kinsta and CCPA

Kinsta is committed to data privacy and security, and we are happy to affirm that we do not sell California consumer personal information to third parties. Please see our Privacy Policy and Terms of Service for additional information.

Summary

While the CCPA does not have as broad of an application as GDPR, it is still a very big deal and should not be taken lightly.

The CCPA is truly a first of its kind in the United States and other states are now following California’s example. In fact, as of the end of 2019, nine states have proposed their own privacy bills.

These bills either cite the CCPA as inspiration or are virtually complete copies of the CCPA. It is clear that the CCPA has paved the way for more privacy regulations and that the requirements for privacy compliance online are not going away anytime soon.

Now it’s your turn: what do you think of CCPA? Are you preparing your site for it? Let us know in the comments!

Donata Kalnenaite

Donata Kalnenaite is a privacy and technology attorney who helps others understand and comply with privacy laws. She is the President of Termageddon, a Privacy Policy generator that automatically updates its clients' policies whenever the laws change. Follow them on Twitter to keep up to date with all things privacy: @termageddon.