Data protection is now a concern for all businesses, as more and more legislation is passed to protect consumers. The California Consumer Privacy Act (CCPA) is the latest U.S. policy and it is already being referred to as “California’s GDPR.”
The GDPR, or General Data Protection Regulation, went into effect in the E.U. last year and set new standards for website data collection and privacy, with hefty fines for non-compliance.
Whether the CCPA affects your website and business or not right now, the writing is on the wall. Eventually, all businesses will need to comply with the best practices for data protection, so you may as well start now.
What is the CCPA?
The California Consumer Privacy Act or CCPA was passed by California legislators in 2018, and it will go into effect as of January 2020. The law gives California residents more control over their personal information collected online, by allowing residents to:
- Know what personal data any organization is collecting, and request it be deleted
- Know if their personal information is being shared with any third party
- Decline the sale of their personal information and receive the same service whether or not they decide to exercise these privacy rights
One of the big focuses of the CCPA is the sale of consumers’ personal information to third-party providers. The law forbids the sale of personal information of consumers aged 13 to 16 unless the consumer opts in, and of children under the age of 13 unless a parent provides consent.
Similar to the GDPR, the CCPA also institutes penalties for businesses that suffer data breaches due to poor security procedures.
How CCPA Affects Your Website
The big question on everyone’s mind is “Does the CCPA apply to my business?” The GDPR was written very broadly and covered E.U. data subjects, which meant it could be applied to any business that collected data on individuals in the E.U.
With the CCPA, the law applies only to businesses that meet any of the 3 thresholds below:
- Have annual gross revenues in excess of $25 million
- Annually buy, receive, sell, or share, for commercial purposes, the personal information of 50,000 or more consumers, households, or devices
- Derive 50 percent or more of their annual revenues from selling consumers’ personal information
There are some disagreements about the terminology in the act, and legislators are continuing to propose amendments.
If a business meets one of the requirements above and does business in California, it must comply with the CCPA by 2020. Businesses that have already implemented GDPR best practices will have a jump-start on the CCPA, although there are a few differences between the two policies.
Why You Should Follow CCPA Anyway
Even if your business doesn’t fall under the GDPR or the CCPA, there are many benefits to implementing best practices for data protection and privacy.
1. Web Visitors & Customers Expect It
First, it is an opportunity to show your website users that you care and are concerned about their personal data.
Because of the publicity of the new legislation, web visitors are more aware of this issue and are starting to view cookie notifications and privacy policy links as signals of trust on a site.
After the GDPR was enacted in 2018, there was a consumer backlash for global brands that dodged compliance by blocking certain site traffic, as it looked to consumers like the brands had something to hide about their data policies.
2. You Will Be a Good “Web” Citizen
While the passing of these data laws has created a lot of extra work for businesses, there’s a lot of good that’s come from it.
Prior to GDPR, data collected by different WordPress plugins was often stored in different parts of your site, making it difficult to audit all your collected data. The passing of these laws has led to major improvements in WordPress and other platforms, in terms of data collection and security.
The ultimate goal of all these best practices is to protect consumers. It reminds us of “the golden rule.” If you want your own personal data as a consumer to be protected, then you should do what you can to protect your customers’ data on your site.
3. Data Laws Keep Changing
California is one of the first states to implement data privacy and protection laws after the GDPR, but it won’t be the last. Regulations similar to the CCPA are already going into effect in New York and Nevada.
There is a lot of speculation that a federal law similar to the GDPR will be enacted in the U.S. sooner rather than later.
In the meantime, states like California are also clarifying parts of the passed legislation and the CCPA is expected to be expanded to more businesses in the future.
4. You Could Be At Risk At Times
When the GDPR passed in May 2018, it was unclear how the regulation would be enforced in the U.S. The challenge was that the GDPR was written very broadly, so the requirements applied to any business that received traffic from the E.U.
Even if your business is based in the U.S., there is a possibility that you’ll have traffic from the E.U. Your own clients may be traveling at times and visiting the site while abroad. If your business is larger and has multiple offices, you may have more potential clients from overseas. For our own site, even though we mainly work with U.S. companies, we still receive traffic from other countries from different directories and searches.
5. You’ll Reduce Security Liabilities
While we are focusing on the best practices for data privacy and security in relation to websites, a major aspect of the CCPA and GDPR is how businesses handle ALL of their data and systems.
Besides the fines associated with security breaches, having a data breach and compromising any customers’ data is a very embarrassing and costly situation for any business.
We’ve found in our own business that implementing these data best practices on our website made us review all of our software and internal systems for security.
Best Practices for CCPA & GDPR
While there are differences between the CCPA and GDPR policies, the following best practices are a good starting point for WordPress websites.
Use WordPress GDPR Features
- When the GDPR went into effect, WordPress added features to WordPress core to help sites meet compliance. One of those features is the ability to process data requests for erasing data.
- If your website has been updated to at least WordPress 4.9.6, you’ll have access to these features.
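As an added example (not from the original post), a site’s own plugin can hook the data it stores into the core Export / Erase Personal Data tools that shipped in 4.9.6, so that a request processed in the WordPress admin also reaches data outside the core tables. The table name and columns used here are hypothetical.

```php
<?php
// Added example, not from the original post: hooks a plugin's own stored data into the
// core Export / Erase Personal Data tools (WordPress 4.9.6+). The table
// {$wpdb->prefix}quote_requests and its columns (id, email, message, created) are hypothetical.

// Exporter callback: return this plugin's data for the requested email in the shape core expects.
function tf_quote_exporter( $email_address, $page = 1 ) {
	global $wpdb;
	$table = $wpdb->prefix . 'quote_requests'; // hypothetical table
	$rows  = $wpdb->get_results(
		$wpdb->prepare( "SELECT id, message, created FROM {$table} WHERE email = %s", $email_address )
	);
	$items = array();
	foreach ( $rows as $row ) {
		$items[] = array(
			'group_id'    => 'quote-requests',
			'group_label' => 'Quote Requests',
			'item_id'     => 'quote-' . $row->id,
			'data'        => array(
				array( 'name' => 'Message', 'value' => $row->message ),
				array( 'name' => 'Submitted', 'value' => $row->created ),
			),
		);
	}
	// One page is enough for a small table; for large tables page through and return 'done' => false.
	return array( 'data' => $items, 'done' => true );
}

// Eraser callback: delete the rows and report counts so the admin screen and request log are accurate.
function tf_quote_eraser( $email_address, $page = 1 ) {
	global $wpdb;
	$deleted = $wpdb->delete( $wpdb->prefix . 'quote_requests', array( 'email' => $email_address ), array( '%s' ) );
	return array(
		'items_removed'  => $deleted ? (int) $deleted : 0,
		'items_retained' => false, // nothing kept back; set true and add a message if a retention duty applies
		'messages'       => array(),
		'done'           => true,
	);
}

// Register both callbacks so core's request workflow knows about this data.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
	$exporters['tf-quote-requests'] = array( 'exporter_friendly_name' => 'Quote Requests', 'callback' => 'tf_quote_exporter' );
	return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
	$erasers['tf-quote-requests'] = array( 'eraser_friendly_name' => 'Quote Requests', 'callback' => 'tf_quote_eraser' );
	return $erasers;
} );
```

Once registered, the plugin’s data appears alongside core data when an administrator processes a request under Tools, and the request’s status reflects whether the erasure actually completed.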
Add a Privacy Policy to Your Website
- Every site should have a privacy policy and there should be a link to your Privacy Policy page in the footer of your site.
- Under the GDPR, it’s also recommended that contact forms include a statement that visitors agree to your privacy policy when submitting information to your team.
Provide Instructions for Data Removal
- An important aspect of the CCPA and the GDPR is providing consumers with the option to request a copy of the data collected or to have it removed.
- Your privacy policy should include information on how a web visitor or customer can contact your team to get a copy of collected data or to have their data removed. One option is to set up a Personal Data Request form on the site.
Update Your Website Forms
- Under the new regulations, it’s important to state clearly how you’ll be handling a user’s data before the user submits it on the website.
- The best way to handle this is to add a small disclaimer to all website forms that says “By submitting this form, I agree to Company X’s privacy policy” with a link to your own privacy policy. You can see an example of this on our website forms.
Set Up Cookie Preference Management
- It’s now a best practice to notify web visitors that your website uses cookies and to allow visitors to opt out of third-party cookies.
- There are different WordPress plugins available to add this feature to your website.
Secure Your Website to Prevent Data Breaches
- Under both the CCPA and the GDPR, businesses face harsh penalties for data breaches.
- For WordPress sites, which are highly targeted by hackers, it’s important to set up these security measures to protect your site and the data collected:
  - 24/7 security monitoring and malware removal
  - Secured hosting server for WordPress
  - Monthly maintenance by an expert WordPress developer
  - SSL certificate
  - Regular backup of the entire site database
While it may take time now to implement these best practices, it will save your business headaches later, as data protection becomes a significant factor for all businesses.
If you’d like to discuss how the CCPA affects your website or the GDPR best practices, contact our team here.
Important Note: TinyFrog cannot provide any legal advice and we recommend that you seek legal counsel if you have concerns about compliance to the CCPA or GDPR for your business.