The Right Side of Regulation: CCPA and What It Means For Website Owners

Updated: Mar 3rd 2021

The past decade witnessed a storm of regulations aiming to protect the digital privacy of users in the US and around the world. The regulatory moves come in response to increasing consumer concern over their digital privacy following a series of high-profile investigations involving tech companies. At a time when personal data is traded like stocks, more consumers are now demanding to know how their personal information is being used.

Digital privacy legislation such as Europe’s GDPR and, most recently, CCPA, seek to provide more transparency over what personal data is being collected and what it’s being used for. As a site owner, you’ll need to understand the scope of each law and make any necessary changes in order to stay on the right side of the law and avoid hefty fines. But there are additional benefits outside of avoiding legal repercussions.

Offering more transparency, such as explaining how and why you collect personal data, signals to visitors that you are open and honest with them, which in turn shapes how much they trust you. A PwC study found that 88% of consumers said the amount of data they are willing to share depends on how much they trust a business.

Most visitors understand that businesses need personal information to improve the user experience and will surrender their information if they know it’s not being used for malicious purposes. It’s your job to be honest about the personal information you gather and explain why you need it. 

What is CCPA?

While several privacy laws have been enacted in the past decade, this post focuses on the California Consumer Privacy Act (CCPA), the broadest consumer privacy law enacted in the US so far.

The law protects the privacy of the roughly 40 million people living in California, but it reaches most website owners, since almost any site with US traffic serves visitors from the state. The CCPA gives every California resident the right to know the categories of personal information a business collects about them and the right to opt out of the sale of that information.

The CCPA lays out six core rights, giving consumers the right to:

  • Know what personal data is being collected about them.
  • Know whether their personal data is sold or disclosed and to whom.
  • Say no to the sale of personal data.
  • Access their personal data.
  • Request a business to delete any personal information about a consumer collected from that consumer.
  • Not be discriminated against for exercising their privacy rights.

The right to delete covers personal information the business collected from the consumer, but it is not absolute. The statute lets a business keep data it needs to complete a transaction the consumer requested, detect security incidents or protect against fraud and other malicious activity, debug errors, comply with a legal obligation, or exercise free speech rights, among other listed exceptions. Accepting a site's privacy policy does not waive the right to request deletion.

While the CCPA protects data collected from users, it does not cover publicly available information lawfully made available from federal, state, or local government records. Nor does it cover deidentified or aggregate consumer information, provided the business actually keeps it deidentified.

Is CCPA the Same As GDPR?

In 2018, Europe’s General Data Protection Regulation (GDPR) went into effect as the most comprehensive data privacy law in the world. While the CCPA is similar in many ways to GDPR, they differ in the details. 

For one, GDPR casts a wider net: it reaches any organization that processes the personal data of people in the EU, whatever its size. The CCPA applies only to for-profit businesses that do business in California and meet at least one of three thresholds: more than $25 million in annual gross revenue; buying, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year; or deriving 50% or more of annual revenue from selling personal information. Where the CCPA is notably explicit is its definition of personal information, which enumerates categories such as:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
  • Characteristics of protected classifications under California or federal law.
  • Commercial information including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  • Biometric information.
  • Internet or other electronic network activity information including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.
  • Geolocation data.
  • Audio, electronic, visual, thermal, olfactory, or similar information.
  • Professional or employment-related information.
  • Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
  • Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Some CCPA requirements have no direct GDPR counterpart. A business that sells personal information must place a clear and conspicuous “Do Not Sell My Personal Information” link on its homepage, leading to a page where visitors can opt out of the sale of their data without having to create an account first. A right-to-know request must be answered with the personal information the business collected about that consumer in the 12 months preceding the request, free of charge and within 45 days (extendable once).

The CCPA is also stricter than GDPR about minors. A business may not sell the personal information of a consumer it knows is under 16 unless someone has affirmatively opted in: the consumer themselves if aged 13 to 15, or a parent or guardian if the child is under 13. For minors, in other words, the default flips from opt-out to opt-in.

What Does CCPA Mean For Website Owners?

When running a website or business, you never want to leave anything to chance. Violating the CCPA can run you some hefty civil penalties: up to $2,500 per unintentional violation and up to $7,500 per intentional violation. Because penalties are assessed per violation, a single systemic defect that affects many users multiplies quickly. No matter how successful your business, this isn’t a cost you want to take on, especially when it’s preventable.

There are some easy steps to get and stay in compliance with CCPA. Your first step is creating a privacy policy that clearly explains what data you collect and why you collect it. At a minimum, your privacy page needs to include:

  • What user information you collect, including email addresses, financial information, and even IP addresses
  • How you obtain this information
  • The reason you’re asking for personal information
  • How you store and protect user information
  • How you update your policy and how you update users about these changes
  • Who has access to user information, which could include newsletter services, analytics providers, and any other third-party tools
  • The rights users have under the CCPA (to know, to delete, to opt out of sale) and the methods, such as a web form or toll-free number, by which they can submit a request

You can use services such as Rocket Lawyer or TermsFeed to generate customized privacy policies for your site. These tools let you tailor your policy to a range of regulatory frameworks, such as GDPR, CalOPPA, CCPA, and more.

In addition to a privacy policy, you may want to create a separate cookie policy to provide more transparency for your users. Your cookie policy should provide a brief explanation of cookies and why you use them. Next, you’ll want to list the specific cookies used on your site and the purpose behind their use. 

Whether you must obtain consent before setting cookies depends on who visits your site: GDPR and the EU’s ePrivacy rules require opt-in consent for non-essential cookies, while the CCPA follows an opt-out model and instead requires that the opt-out be easy to find. Either way, a banner shown on a user’s first visit is the usual place to surface cookie preferences and the Do Not Sell link, and it is hard, if not impossible, to ignore. The banner should accomplish the following three goals:

  • User is aware and consents to cookie use
  • User has the option to set their cookie preferences
  • User can revoke consent at any time
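The three goals above translate into a small amount of client-side logic. What follows is an added example, not code from the original post or from any product it mentions: a first-party consent record that the banner writes and the page reads, with non-essential scripts held back until a category has been allowed and a revoke path that drops the record. The cookie name `cookie_consent`, the categories `analytics` and `marketing`, and the `data-consent` script tagging are this example's own assumptions.

```javascript
// Added example (not from the original post). Assumed conventions:
// non-essential scripts are emitted as
//   <script type="text/plain" data-consent="analytics" src="..."></script>
// which the browser will not execute until the type is switched, and the
// user's choices live in a first-party cookie named "cookie_consent".

const CONSENT_COOKIE = "cookie_consent";
const CONSENT_VERSION = 1;            // bump when the cookie policy changes: old records re-prompt
const OPTIONAL_CATEGORIES = ["analytics", "marketing"];   // "necessary" is always allowed
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(part.slice(idx + 1).trim());
    } catch (e) {
      // malformed percent-encoding: skip this cookie instead of throwing
    }
  }
  return out;
}

// Return the stored consent record, or null when it is absent, malformed,
// or written under an older policy version. Every choice is coerced to a
// strict boolean with deny as the default, so an edited cookie cannot
// grant a category the user never chose.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return null; }
  if (!rec || rec.version !== CONSENT_VERSION ||
      typeof rec.choices !== "object" || rec.choices === null) return null;
  const choices = {};
  for (const c of OPTIONAL_CATEGORIES) choices[c] = rec.choices[c] === true;
  return { version: rec.version, choices, recordedAt: rec.recordedAt };
}

// Goal 1: the banner is shown only when there is no valid, current record.
function needsBanner(cookieString) {
  return readConsent(cookieString) === null;
}

// Goal 2: build the cookie string that stores the user's per-category
// choices (assign it to document.cookie in the browser). Unknown
// categories are dropped; non-boolean values count as "not allowed".
function buildConsentCookie(choices, nowMs, secure = true) {
  const clean = {};
  for (const c of OPTIONAL_CATEGORIES) clean[c] = choices[c] === true;
  const rec = { version: CONSENT_VERSION, choices: clean,
                recordedAt: new Date(nowMs).toISOString() };
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(rec))}` +
         `; Max-Age=${ONE_YEAR_SECONDS}; Path=/; SameSite=Lax${secure ? "; Secure" : ""}`;
}

// Goal 3: cookie string that deletes the record, the "revoke at any time"
// path. Afterwards needsBanner() is true again and no optional script runs.
function buildRevokeCookie(secure = true) {
  return `${CONSENT_COOKIE}=; Max-Age=0; Path=/; SameSite=Lax${secure ? "; Secure" : ""}`;
}

// Filter script descriptors ({ category, ... }) down to those the record
// permits. Without a record only "necessary" scripts run: default deny.
function permittedScripts(scripts, consent) {
  return scripts.filter(s =>
    s.category === "necessary" ||
    (consent !== null && consent.choices[s.category] === true));
}

// Browser glue: replace permitted <script type="text/plain" data-consent="...">
// tags with live script elements (inserting a real script executes it).
// Takes the document as a parameter so it can be exercised with a stand-in.
// Returns how many scripts were activated.
function applyConsentToPage(doc, consent) {
  const tagged = Array.from(doc.querySelectorAll("script[data-consent]"))
    .map(el => ({ category: el.dataset.consent, el }));
  let activated = 0;
  for (const { el } of permittedScripts(tagged, consent)) {
    const live = doc.createElement("script");
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated++;
  }
  return activated;
}

if (typeof document !== "undefined") {   // browser only; skipped under Node
  applyConsentToPage(document, readConsent(document.cookie));
}
```

In the banner's submit handler, assign `document.cookie = buildConsentCookie(choices, Date.now())` and call `applyConsentToPage` again so allowed scripts start without a reload; a "revoke" control assigns `buildRevokeCookie()` instead. Two practical points: the `Secure` attribute means the cookie is only accepted over HTTPS, so pass `secure = false` when testing on plain `http://localhost`, and bumping `CONSENT_VERSION` whenever the cookie policy changes invalidates every old record, which is what forces returning visitors to see the updated banner.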

Does CCPA Only Apply to Businesses Located In California?

In short, no. The CCPA applies to businesses that “collect” or “sell” personal information of California residents, even if the business is not organized under California law and even if it has no physical presence in California. Further, CCPA applies to all California residents, including those who happen to be temporarily outside California at the time that businesses collect their personal information. Considering that California is the most populous state, it’s more than likely that your site will attract visitors covered under CCPA.

Protecting Yourself, And Your Users

You can read the original text of the CCPA here. It’s in your best interest to get as familiar as you can with all data privacy laws in order to get ahead of any unexpected problems down the line.

The DigitalTrust score identifies over 50 areas to improve your site’s usability, transparency, safety, and reputation to boost user trust. Using the DigitalTrust dashboard, you can easily identify topics like privacy law compliance that you should keep in mind when operating your website. Stay tuned for future announcements as we build new features to help you maintain compliance with privacy regulations on your site.

Beyond staying in good standing with the law, it’s always good practice to be open and honest with your users. People can be reluctant to share personal information, so if they believe you’re doing your best to protect their data, they’ll be more willing to place their trust in your hands. That makes staying in compliance with digital privacy laws a win-win.