Over the past few years, many online business owners have taken steps to comply with privacy laws and regulations.
The biggest change for many website owners came with the introduction of the General Data Protection Regulation (GDPR) in 2018. When GDPR came into effect in the EU, online businesses had to implement cookie banners that asked visitors in the EU for opt-in consent to drop cookies.
This was because the regulation introduced rules about how businesses could collect user data—something many websites do via cookies. Specifically, the law said businesses could only collect data once they had received valid consent from the user. Fortunately, plenty of GDPR compliance WordPress plugins were released along with a few core WordPress updates to make following the rules simple.
Since GDPR went into effect, many other countries and states have created their own regulations. One such set of rules is the California Consumer Privacy Act (CCPA), a privacy regulation that will affect businesses with customers in California (which we compared in our GDPR vs CCPA article).
While collecting consent to drop cookies was a major change websites had to make to comply with GDPR, the biggest challenge for websites in CCPA is the Do Not Sell part of the regulation.
In this article, we’ll take a look at what the Do Not Sell rule is as well as how WordPress users can use a simple plugin to stay compliant with the upcoming CCPA regulation.
What is CCPA and the Do Not Sell Rule?
The Do Not Sell rule is a key part of the regulation. It states that businesses must give consumers the option to opt out of the sale of their personal data.
Specifically, the regulation says that businesses must:
- Have a page on their website titled “Do Not Sell My Personal Information.” On this page, consumers based in California can opt out of the sale of their personal data.
- Clearly link to the “Do Not Sell My Personal Information” webpage from the homepage.
- Once a user requests that a business not sell their personal information, the business must respect this decision for a minimum of 12 months.
- Finally, websites should have a way to prove that they are respecting these customer requests.
Businesses and website owners need to put processes in place that will help them adhere to the above guidelines.
Those that fail to comply with the regulations put themselves at risk of receiving a fine of up to $7,500 per intentional violation and $2,500 per non-intentional violation.
What is a Do Not Sell Button?
A Do Not Sell button is a floating button that website owners can add to their website to allow visitors to opt out of the sale of their personal information as well as direct them to key pages such as the “Do Not Sell My Personal Information” page.
A Do Not Sell button is just one piece of a wider solution to help website owners comply with the Do Not Sell requirements.
A complementary element to Do Not Sell is the CookiePro Consumer Rights Management solution. The solution helps website owners create CCPA-compliant web forms that they can add to the “Do Not Sell My Personal Information” button and dedicated page. Website visitors can use these forms to opt out of the sale of their personal data. CookiePro then processes these requests and, through synchronization with other technologies in use on your website, stops the sale of data for consumers who have opted out.
Do I Need a CCPA Do Not Sell Button?
To know if you need a Do Not Sell button, you’ll first have to determine if your business is subject to CCPA and if your business is selling personal data. If you fulfill both requirements, you need a Do Not Sell button.
CCPA affects businesses that collect data from California residents, whether or not the business is based in the state. However, unlike GDPR, which affects all companies operating in the area, businesses will only be subject to CCPA if they meet one of the following three requirements:
- They generate $25 million in annual revenue.
- They collect, buy, receive, or sell the information of more than 50,000 Californians in a year.
- They earn 50% or more of their revenue from selling the personal data of Californians.
These may seem like quite lofty requirements. However, when you consider that IP addresses and online identifiers count as personal data, it is actually quite easy for websites to hit the threshold. Essentially, you just need to collect the data of 137 website visitors from California per day to reach the annual total.
Additionally, it isn’t just data from cookies that falls under CCPA regulations. Other types of personal data mentioned by the regulation include anything that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This includes names, addresses, online identifiers, IP addresses, social security numbers, passport numbers, etc. You should include these data points in your calculations to determine if you’re required to comply with CCPA.
The next step is to work out if your business sells the personal data it collects. For companies, such as data brokers, this will be obvious. However, there are plenty of other businesses where it may be less clear.
In part, this comes down to the CCPA definition, which considers a “sale” to be basically any form of disclosing personal information. CCPA defines selling as:
“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
This definition means that online publishers or websites that provide visitor data to advertisers to display personalized ads could be classified as selling data.
When online publishers sell advertising space, they often share information about the user currently on the website with third parties including ad networks and exchanges. This allows the advertiser to show its adverts to users it thinks will be interested in its products.
Due to the above definitions of “Sale” and “Personal data,” this practice is likely to be considered selling, meaning websites that use targeted ads may have to provide users with the option to opt out of the sale of their data.
If this sounds like something your website does, you may need a Do Not Sell Button to avoid regulatory trouble.
How to Use CookiePro to Add a Do Not Sell Button to Your Website
The easiest way to add a Do Not Sell button to your website is to use a plugin (like the one provided by CookiePro) that will take care of the whole process for you. CookiePro’s Do Not Sell plugin was developed specifically for WordPress sites. Here are instructions to implement it on your website.
- Install and activate the CookiePro Do Not Sell plugin on your WordPress website.
- Once activated, the CookiePro CCPA plugin will appear in the left-hand navigation of your WordPress dashboard.
- Customize your Do Not Sell button and modal.
- Optional: Copy and paste the CookiePro Consumer Rights form link into the CookiePro CCPA plugin.
- Click save and publish.
Once you have installed the plugin, visitors from California will see a button with a link to the Do Not Sell My Personal Information page when they visit your website.
When the visitor clicks on the button, they can choose to opt out of personalized ads or submit a consumer rights request to ensure that other technologies on your website do not sell the data of the customer.
The CCPA adds a new layer of compliance that many sites will need to be aware of. Check the conditions listed above, and if your site meets any of them, you’ll want to get your Do Not Sell button added soon. You have until January 1, 2020 to make updates to your site to avoid penalties. But luckily, with WordPress this can be as simple as installing a plugin.
If your online business is subject to CCPA and you want to implement a Do Not Sell button on your website, click here to find out more about how CookiePro can help keep your business compliant with CCPA and other privacy regulations.