Last May, the GDPR came into force, an event that raised many questions about how to comply with this legislation. Do American businesses also have to comply? What about processing agreements, and what are they? Do I really have to add a cookie notice? These are just a few of the common questions asked around the web. A few months on, it seems that the hectic period regarding the GDPR has cooled down. But now a new piece of legislation has been announced for California: the CCPA.
So what is the CCPA? How does it compare to the GDPR? And if you already comply with the GDPR, do you comply with the CCPA as well?
IMPORTANT: This is a friendly reminder that we are not lawyers. We are simply sharing information about the CCPA and GDPR. Please consult a lawyer or specialized consultant to be sure your website is in full legal compliance.
First, a brief recap of the GDPR. The General Data Protection Regulation (or GDPR for short) is European legislation created in 2016. At that time it was agreed that the legislation would take effect on May 25, 2018. The GDPR focuses on the following aspects:
- Strengthening and extending privacy rights
- More responsibilities for organizations
- The same strong authority for all European privacy supervisors, such as the power to impose fines of up to 20 million euros
- And above all, transparency for visitors about what happens to their data
In short, this was a radical addition to the law for several EU countries. It was also a drastic change for WordPress websites.
That is a lot of regulation, especially for small organizations. Luckily, for those using WordPress, a number of plugins stepped in to pick up some of the slack. If you do a quick Google search you’ll find many options; however, we’ve collected our own list of the best GDPR compliance WordPress plugins to help.
With websites just beginning to become comfortable with the GDPR, there’s now a new regulation on the horizon: the CCPA.
The California Consumer Privacy Act (CCPA) was signed into law by California Governor Brown on June 28, 2018. This law is likely one of the toughest and farthest-reaching consumer privacy laws in the country. Scheduled to go into effect in 2020, this act will give Californians new privacy rights.
The CCPA was drafted and passed in just a week as a reaction to ongoing privacy concerns, mainly as a way for consumers to effectively protect their personal information in light of recent data breaches and related privacy incidents, specifically the Equifax, Target and Cambridge Analytica breaches that affected millions of people.
The CCPA focuses primarily on:
- Control of personal data
- Protection of personal data
- Insight into information acquired by companies
So, in general, it looks a lot like the GDPR. But meeting the CCPA does not mean you meet the GDPR, and vice versa. There are many differences between the two laws.
CCPA vs GDPR
It is obvious that both laws focus on the protection of personal data and the sharing thereof. Nevertheless, the GDPR seems a bit stricter if you look at the key points of the laws covered below.
Cookies: Under the GDPR, cookies may only be placed on an opt-in basis. Under the CCPA this works on an opt-out basis, and you are also obligated to state which cookies you place.
Application: The GDPR applies to anyone who processes personal data. The CCPA applies in the following cases:
- When you make $24 million profit per year.
- You hold more than 50,000 records of personal data from households, persons or devices. This means that if your site receives at least 50,000 visitors a year you will have to comply, as you’re gathering IP addresses, placing tracking cookies, etc.
- Also, when half of your profit consists of selling personal data, you will need to comply with the CCPA.
Fines: GDPR fines are higher than CCPA fines: up to 4% of annual turnover or €20 million (whichever is higher). With the CCPA, a violation costs $7500 plus $750 per individual involved.
Disclosures: Another interesting difference is specificity about disclosures. The GDPR states that data subjects must be provided with an explanation that is clear and specific of what purposes the data will be used for. The Data Controller has some freedom in how this is to be done.
The CCPA is more prescriptive. It states that a business will provide a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information.
Age requirement: A final difference concerns minors. Children between the ages of 13 and 16 must explicitly authorize the sale of their personal data. When the child is under 13, a parent must authorize the sale and sharing of personal data.
As you can see, there are many differences despite the two being so similar. And to be honest, it’s a bit confusing and overwhelming to have to keep track of all these requirements. So what impact does this have on your WordPress website? And how can you be sure you’re in compliance with both the GDPR and CCPA?
How Do I Comply with CCPA on My WordPress Website?
For most WordPress websites, you likely already had to comply with the GDPR in some form. Below is a brief overview of current GDPR compliance requirements:
- Processing agreements
- The ability for users to view their personal data, and to have that data sent to them within one month
- Blocking cookies until permitted
- Secure connection (SSL)
Luckily there are many plugins that can help you with the majority of this list (as we mentioned and linked to above).
With the upcoming CCPA the following aspects are required for your WordPress website to comply:
- Secure connection (SSL)
- Do Not Sell My Personal Information document
- Processing agreement with all processors and/or Service Providers
- Age verification
Again, very similar to the GDPR but not identical. This means that if you are concerned about the CCPA you’ll need to manually add a DNSMPI page, create processing agreements and find a way to confirm users’ ages (to obtain consent from users aged 13 to 16, and ensure privacy for users under 13). That’s a pretty big task, but luckily some developers have already updated their plugins to help.
One quick and easy solution to get CCPA ready is to install a plugin, more specifically the Complianz plugin.
Besides helping you comply with both laws, Complianz also supplies:
- A disclaimer
- Cookie Consent Banner
- Do Not Sell My Personal Information page
- Data leak reports
- Statistics to analyze which cookie banner performs best
- A/B testing
- Tag Manager implementation
The plugin is also ePrivacy ready; ePrivacy is a new European regulation planned to come into effect sometime in 2020. The plugin is COPPA ready as well; COPPA is an American law that guarantees the online privacy of children under 13 years old. So, with one plugin you can ensure your WordPress site is already compliant with four laws!
Concluding Our Look at CCPA vs GDPR
Unfortunately, just because you already comply with the EU GDPR legislation does not mean that you comply with the new CCPA legislation. There are additional requirements you should pay attention to. Plus, for US residents (particularly those in the Golden State) I would think the likelihood of receiving a fine is higher. So your best bet is to plan ahead and be prepared.
Luckily, like most things WordPress, the answer is to simply install a plugin. With a bit of help from Complianz your site can be both GDPR and CCPA compliant. But of course, it goes further than that. You also need to become more aware of how you handle data. Expect more and more governments to follow suit in the coming years, reinforcing the importance of privacy protection and making it all the more important for you to get your website’s data management in order sooner rather than later.