
CCPA vs GDPR Comparison and Compliance for WordPress

Last May, the GDPR came into force, an event that raised many questions about how to comply with this legislation. Do American businesses also have to comply? What are processing agreements, and do I need them? Do I really have to add a cookie notice? These are just a few of the common questions asked around the web. A few months on, the hectic period around the GDPR seems to have cooled down. But now a new piece of legislation has been announced for California: the CCPA.

So what is the CCPA? How does it compare to the GDPR? And do you already comply with the CCPA if you comply with the GDPR?

IMPORTANT: This is a friendly reminder that we are not lawyers. We are simply sharing information about the CCPA and GDPR. Please consult a lawyer or specialized consultant to be sure your website is in full legal compliance.

The GDPR

First, a brief recap of the GDPR. The General Data Protection Regulation (or GDPR for short) is a European legislation created in 2016. At that time it was agreed that the legislation would be put into effect starting May 25, 2018. The GDPR focuses on the following aspects:

  • Strengthening and extending privacy rights
  • More responsibilities for organizations
  • The same, solid authority for all European privacy supervisors, such as the power to impose fines of up to 20 million euros
  • And above all, transparency for visitors about what happens to their data

In short, this was a radical addition to the law for several EU countries. It was also a drastic change for WordPress websites.

For example, you had to show a cookie notification on the website, and cookies could only be placed after the visitor approved them. You had to draw up a privacy policy. Processing agreements were now required. And of course you must always give users the opportunity to request and/or remove their personal data. Plus so much more.

That is a lot of regulation. Especially for small organizations. Luckily, for those using WordPress a number of plugins stepped in to pick up some of the slack. If you do a quick Google search you’ll find many options, however we’ve collected our own list of the best GDPR compliance WordPress plugins to help.

With websites just beginning to become comfortable with the GDPR, there is now a new regulation on the horizon: the CCPA.

The CCPA

The California Consumer Privacy Act (CCPA) was signed into law by California Governor Brown on June 28, 2018. This law is likely one of the toughest and farthest-reaching consumer privacy laws in the country. Scheduled to go into effect in 2020, this act will give Californians new privacy rights.

The CCPA was drafted and passed in just a week as a reaction to ongoing privacy concerns, mainly as a way for consumers to effectively protect their personal information in light of recent data breaches and related privacy incidents, specifically the Equifax, Target and Cambridge Analytica incidents that affected millions.

The CCPA focuses primarily on:

  • Control of personal data
  • Protection of personal data
  • Insight into information acquired by companies

So, in general, it looks a lot like the GDPR. But meeting the CCPA does not mean you meet the GDPR, and vice versa. There are many differences between the two laws.

CCPA vs GDPR

It is obvious that both legislations focus on the protection of personal data and the sharing thereof. Nevertheless, the GDPR seems a bit stricter if you look at the key points of the laws covered below.

Cookies: Under the GDPR, cookies may only be placed on an opt-in basis. Under the CCPA this is based on opt-out. Under the CCPA you are also obligated to state which cookies you place.

Privacy Policy: Both legislations require you to show a privacy policy on your website.

Cookie Policy: You need a cookie policy under the GDPR; under the CCPA you can incorporate this in your DNSMPI (Do Not Sell My Personal Information) page.

Application: Under the GDPR the legislation applies to anyone who processes personal data; under the CCPA it applies in the following cases:

  • When you make $24 million profit per year.
  • When you hold more than 50,000 records of personal data from households, persons or devices. This means that if your site receives at least 50,000 visitors a year you will have to comply, as you are gathering IP addresses, placing tracking cookies, etc.
  • When half of your profit consists of selling personal data, you will also need to comply with the CCPA.

Fines: GDPR fines are higher than those under the CCPA: up to 4% of annual turnover or €20 million (whichever is higher). Under the CCPA, a violation costs $7,500 plus $750 per individual involved.

Disclosures: Another interesting difference is the specificity of the disclosure requirements. The GDPR states that data subjects must be given a clear and specific explanation of the purposes their data will be used for, but the Data Controller has some freedom in how this is done.

The CCPA is more prescriptive. It states that a business will provide a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information.

Age Requirement: Finally, another difference: children between the ages of 13 and 16 must explicitly authorize the sale of their personal data. When the child is under 13, a parent must authorize the sale and sharing of personal data.

As you can see, there are many differences despite the two being so similar. And to be honest, it’s a bit confusing and overwhelming to have to keep track of all these requirements. So what impact does this have on your WordPress website? And how can you be sure you’re in compliance with both the GDPR and CCPA?

How Do I Comply with CCPA on My WordPress Website?

For most WordPress websites, you likely already had to comply with the GDPR in some shape or form. Below is a brief overview of the current GDPR compliance requirements:

  • Cookie Policy
  • Cookie Consent Banner (with a link to Cookie Policy)
  • Privacy Policy
  • Processing agreements
  • The ability for users to request their personal data, which must be sent to them within one month
  • Blocking cookies until permitted
  • Secure connection (SSL)

Luckily there are many plugins that can help you with the majority of this list (as we mentioned and linked to above).

With the upcoming CCPA the following aspects are required for your WordPress website to comply:

  • Privacy Policy
  • Cookie Consent Banner (opt-out options with a link to Privacy Policy and Do Not Sell My Personal Information page)
  • Secure connection (SSL)
  • Do Not Sell My Personal Information document
  • Processing agreement with all processors and/or Service Providers
  • Age verification

Again, very similar to the GDPR but not identical. This means that if you are concerned about the CCPA you will need to make sure you manually add a DNSMPI page, create processing agreements and find a way to confirm users' age (to obtain consent from users aged 13-16, and ensure privacy for users under 13). That is a pretty big task, but luckily some developers have already updated their plugins to help.
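The opt-in versus opt-out cookie difference from the comparison above, and the "blocking cookies until permitted" requirement in the checklists, modelled as an added example (not code from this post, nor from any plugin it mentions); the region codes, the `consent_choice` cookie name and the decision to block tracking where no regime is modelled are all assumptions:

```javascript
// Added example, not from the post or any plugin it mentions: a small consent
// gate that models the cookie difference between the two laws.
// GDPR: non-essential cookies stay blocked until the visitor opts in.
// CCPA: they may be set by default but must stop once the visitor opts out.

const MODES = Object.freeze({ GDPR: "gdpr", CCPA: "ccpa" });

// Hypothetical region-to-regime map; a real site would use a geolocation lookup.
function regimeFor(region) {
  const eu = new Set(["DE", "FR", "NL", "IE", "ES", "IT"]); // constructed, not exhaustive
  if (eu.has(region)) return MODES.GDPR;
  if (region === "US-CA") return MODES.CCPA;
  return null; // no regime modelled for other regions
}

// Parse a document.cookie style string ("a=1; b=2") into an object.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim();
    if (key) out[key] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// May tracking cookies be set? "consent_choice" is a hypothetical cookie name
// holding the visitor's recorded choice: "allow" or "deny".
function trackingAllowed(mode, cookies) {
  const choice = cookies.consent_choice;
  switch (mode) {
    case MODES.GDPR: // opt-in: only an explicit "allow" unblocks tracking
      return choice === "allow";
    case MODES.CCPA: // opt-out: tracking runs unless the visitor chose "deny"
      return choice !== "deny";
    default: // assumption: with no regime modelled, do not track
      return false;
  }
}

// Run the tracking loader only when the gate permits it; returns whether it ran.
function loadTrackerIfAllowed(region, cookieHeader, loader) {
  const allowed = trackingAllowed(regimeFor(region), parseCookies(cookieHeader));
  if (allowed) loader();
  return allowed;
}

// Constructed inputs: an EU visitor with no choice yet, and a Californian who opted out.
console.log(loadTrackerIfAllowed("DE", "", () => {}), loadTrackerIfAllowed("US-CA", "consent_choice=deny", () => {}));
```

The loader callback stands in for whatever script sets the tracking cookies; under GDPR it never runs before an explicit "allow", while under CCPA it runs unless the DNSMPI choice has been recorded.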

The Solution

Complianz GDPR Privacy Bundle for WordPress

One quick and easy solution to get CCPA ready is to install a plugin, more specifically the Complianz plugin.

The plugin includes important settings to ensure your WordPress site is GDPR and CCPA ready. For example, Complianz uses geolocation to determine which cookie banner a visitor needs, and which privacy policy should be shown in which situation. The plugin even supports creating a separate processing agreement for each country or legislation.

Besides the possibility to comply with both laws, Complianz also supplies:

  • A disclaimer
  • Cookie Policy
  • Cookie Consent Banner
  • Do Not Sell My Personal Information page
  • Privacy Policy
  • Privacy Policy for Children (According to the COPPA law)
  • Data leak reports
  • Statistics to analyze which cookie banner performs best
  • A/B testing
  • Tag Manager implementation

The plugin is also ePrivacy ready. This is a new European legislation planned to come into effect sometime in 2020. The plugin is COPPA ready as well; this is an American law that guarantees the online privacy of children under 13 years old. So, with one plugin you can ensure your WordPress site is already compliant with four legislations!

Concluding Our Look at CCPA vs GDPR

Unfortunately, just because you already comply with the EU GDPR legislation does not mean that you comply with the new CCPA legislation. There are more requirements you should pay attention to. Plus, for US residents (particularly those in the Golden State) I would think the likelihood of receiving a fine is higher. So your best bet is to plan ahead and be prepared.

Luckily, like most things WordPress, the answer is to simply install a plugin. With a bit of help from Complianz your site can be both GDPR and CCPA compliant. But of course it goes further than that: becoming more aware of how you deal with data is another aspect you have to take into account. Expect that more and more governments will follow suit in the coming years, reinforcing the importance of privacy protection and making it all the more important for you to get your website's data management in order sooner rather than later.

1 comment

  1. Rohit

    Thanks for this – I’m concerned about the California laws and this gave me some good ways to get prepared.