With the California Consumer Protection Act (CCPA) and the California Privacy Rights Act (CPRA), California has been the first US state to enforce specific legislation regarding cookies and the processing of personal data of Californian residents. Other states are drafting and enforcing similar legislation, and (while slowly) there have also been attempts to create federal privacy legislation.
While there are subtle differences in requirements for state-specific privacy legislation, CCPA compliance is still seen as the first step towards privacy compliance for sites that target the United States. In this article, we will discuss the top-5 things to keep in mind to achieve CCPA compliance:
A cookie notice is (not) required
The short answer is: No, the CCPA does not explicitly require websites to show a cookie banner, as required in the EU. The CCPA, like most other privacy legislation, is all about being transparent. This is why it is required to inform site visitors about how you deal with their personal information. So while a cookie banner is not legally required, it is the most convenient way to comply with the obligation to inform site visitors.
The accept button on a CCPA cookie banner is actually a dismiss function, as consent may be implied. This also means that auto-dismissal is permitted, for example, after 10 seconds or upon further interaction with the website.
Provide an opt-out mechanism
While obtaining consent is not required, websites must offer visitors the possibility to opt out of tracking mechanisms and the processing of their personal data. Unlike European cookie banners, this is usually not done via the cookie banner itself but via a designated page or legal document (More about that later). The CCPA grants Data Subjects (people whose data is processed) several rights to restrict the processing of their personal data and to stop the usage of non-functional cookies. After visitors opt out, all tracking scripts and cookies should be disabled on your site.
Inform site users about the way you use cookies and their personal data
As mentioned before, the CCPA and similar legislation are all about transparency. This is why a cookie banner should contain a link to legal documentation that, among other things, clearly describes their rights and the way your site (and organization) deals with privacy. Usually, this information is split into two categories, with their respective legal documents:
Privacy Statement: How we deal with your Personal Information
The Privacy Statement is all about personal information, which is broader than cookies. Most websites process personal information through web forms, newsletter subscriptions, and user profiles. A Privacy statement should describe the following:
- Categories of personal data collected, per purpose
- How long the data is retained
- With what purposes and to which countries the personal data is shared
- How your site responds to DNT or GPC signals
- State the rights data subjects have in terms of requesting their data, objecting to processing, or deleting their data
Opt-Out Preferences / Cookie Policy / Do Not Sell My Personal Information: How we deal with cookies and how to express your legal rights
There are three common names for what should essentially be the same legal document. In an early draft, the CCPA required a legal document specifically named ‘Do Not Sell My Personal Information’. In our experience, this introduced quite the confusion with site moderators, as most websites don’t literally ‘Sell’ personal data in return for money. While the requirement with respect to the name of the legal document is no longer in place, the term ‘Selling Personal Information’ still is. The definition means “to sell or share personal information in return for monetary or valuable consideration”. This should be interpreted in a very broad sense: e.g. using a ‘free’ service like Google Analytics means that Google will receive tracking (personal) data of your site visitors. This also falls under the definition of selling data. Complianz has renamed the Do Not Sell My Personal information page to ‘Opt-out Preferences’ as it is still required to clearly indicate how en where visitors can opt-out of non-functional cookies and the processing of their personal data.
Along with the opt-out mechanism, the legal document should provide information about which cookies are used and for which purposes.
Introduction of the CPRA (California Privacy Rights Act)
The CPRA was introduced in 2020 and replaces the CCPA. Though for most WordPress websites, the above-mentioned list remains unchanged. The CPRA does contain extra requirements for websites that:
- websites processing personal data of Children
- websites processing sensitive personal data
CCPA and CPRA Compliance for WordPress
Luckily, there is a plugin that takes care of most (if not all) of the above. Complianz allows you to add a CCPA/CPRA cookie banner to your site easily, and to generate all required legal documents by quickly going through the configuration wizard. Also, a Privacy Statement for Children can be generated, for websites that target minors. The Complianz legal team is closely monitoring drafted privacy legislation in states other than California. Currently, most states seem to take the CCPA/CPRA as a starting point, but then add or change legal rights for data subjects residing in their state. Complianz adds sections to your legal documents explaining which rights apply to visitors from states with enforced privacy legislation.
Please feel free to reach out to us if you have any further questions about CCPA and CPRA Compliance for your WordPress website, we are happy to help!
