Skip to main content
WordPress made easy with the drag & drop Total WordPress Theme!Learn More

How to Make Your WordPress Site CCPA Compliant

September 30, 2021
How to Make Your WordPress Site CCPA Compliant

California Consumer Privacy Act (CCPA) is the US’ answer to the EU’s General Data Protection Regulation (GDPR). With largely similar rules, the CCPA is the most robust data privacy legislation in the US. The Act set motion to other privacy acts that have been in progress in the US for some time, like Virginia’s CDPA, Nevada privacy law, and Colorado Privacy Act.

Similar to GDPR, the CCPA lays out several rules for businesses to deal with the personal information of consumers and those apply to websites as well. So, we will cover what a WordPress user like you must follow to make your website CCPA compliant.

But before we discuss that, let us have a quick look at what CCPA is all about.

IMPORTANT: We (WPExplorer) are not lawyers, we are simply sharing information about the CCPA and general compliance tips. Following the steps below does not guarantee you fully comply with CCPA requirements. Please consult a lawyer or CCPA consultant to be sure your website is in full compliance.

CCPA is a state-wide data privacy law from California, USA. And like its European counterpart, the CCPA was passed to safeguard people’s personal information. It became effective on 1 January 2020.

The CCPA’s scope is limited to any for-profit business in the world that meets one of the criteria:

  • Has total annual revenue over $25 million
  • Buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices
  • Acquires more than half of their annual revenue from selling the personal information of Californians

The consumers have several right sunder CCPA:

  • The right to know about the personal information a business collects and how it is used and shared or sold;
  • The right to delete personal information;
  • The right to opt-out of the sale of the personal information; and
  • The right to non-discrimination against those who exercise the CCPA rights.

There are consequences for violating the CCPA rules.

For unintentional violations, you could be fined up to $2500 per violation, and for intentional violations, $7500 per violation.

Consumers can seek legal consultation and claim $100 to $750 in damages for data breach and find legal complaints against the violator.

Can CCPA Affect Small Business Websites?

Unlike GDPR, the CCPA does not apply to all websites that serve its defined data subjects. In this case, California residents. As discussed earlier, it has to meet one of the three thresholds. These thresholds, however, seem to suggest that smaller websites are relaxed from complying with the law. However, one of the cornerstones of any business should be quality customer experience. Protecting your customers’ rights and interests should be a top priority especially if you handle their personal information. It is a good practice to protect their privacy and for that complying with CCPA is recommended even if your business falls outside its material scope.

Also, with rising cases of data breaches and privacy violations, it is imperative to provide your users with a space that they can trust and have more control over their personal information.

How to Make Your WordPress Website CCPA Compliant

CCPA requirements are much more relaxed compared with GDPR. A WordPress website that is already GDPR-ready may not require a lot of effort to prepare for the US law. But, there are a few standouts that the website must not miss to implement for CCPA compliance.

You can use this guide on how to make your WordPress website GDPR compliant, but if CCPA applies to you keep reading. Below are some steps to get your WordPress website ready for CCPA compliance.

1. Privacy Policy Page

A Privacy Policy discloses information related to your website’s data collection, use, sharing, and selling practices. It also provides information for users to contact you to exercise their right to privacy and file complaints.

As per CCPA, there is some information that a website must provide in a privacy policy:

  • What personal information does your site collect from the users?
  • Where does it collect the personal information from?
  • Why does it require to collect, sell or share personal information?
  • With whom (third parties) does the site share or sell the personal information?
  • What rights do the consumers have under the CCPA?
  • How can they contact you to exercise these rights?
  • A Do Not Sell My Personal Information link to or section that explains how users can opt-out of sharing or selling their personal information.

You must update the privacy policy every 12 months to include the changing business practices.

On a WordPress website, you can easily create or add a privacy page. In the latest version (4.9.6 and higher),  admin dashboard has a setting to create a privacy policy page where you can add the relevant content.

Just go to Settings > Privacy.

WordPress privacy policy page setting

If you select Create a new Privacy policy Page, you will get an auto-generated template that you can customize.

WordPress privacy policy page default template

You can also use the existing privacy policy page.

2. Do Not Sell My Personal Information Page

One of the rules that make CCPA different from GDPR is its relaxation on consent requirement for collecting and selling data. The CCPA emphasizes giving users control to object to selling their data than giving consent. Opt-out is a big part of the law and that is where the mechanism of “Do Not Sell My Personal Information” (DNSMPI) comes. DNSMPI is a method proposed by the CCPA to allow users to opt-out of websites selling thier personal information tothird parties. It is usually implemented via a dedicated page.

As mentioned before, this could also be a section in your privacy policy. On a separate page, you would be able to provide more detail of the opt-out mechanism.

The page must provide the following information:

  • Explanation of right to opt-out of the sale of personal information right.
  • A webform or any other method to submit opt-out requests.
  • A link to the privacy policy.

A website’s footer is the ideal place to include the link to the DNSMPI page.

Here is an example from Sony Music official website:

Example DNSMPI page link

The link leads to their DNSMPI page.

3. Cookie Consent Notice

CCPA recognized “unique personal identifiers” as personal information. Cookie identifiers, therefore, are personal information under the law. Unlike GDPR, for CCPA cookie consent, the website doesn’t need to get consent from users to store cookies on their browsers. However, it does require the sites to provide an opt-out option for such sale of personal information. And a cookie notice or popup is not just for asking for consent; it is also a method by which the users can opt-out of cookies.

The cookie notice must explain why you use cookies and include a button/link to opt-out of cookies (or the DNSMPI link).

CookieYes is an easy-to-use cookie consent tool to add a consent notice on your website and allow users to opt-out of cookies that sell personal information. You can customize the notice using the settings and CSS and geo-target it for US visitors. You can also create a privacy policy and cookie policy for your website in just a few clicks.

CookieYes consent notice

There is much more you can do with CookieYes to make your usage of cookies CCPA compliant. Best of all, it’s free to sign up and get started with CookieYes. The free plan offers cookie scan for up to 100 pages and 5000 consent logs per month (and there are premium plans for advanced features and increased usage). You can try the premium features free for 14 days (no credit card required and you can upgrade from the trial plan anytime) and see how it works for your website.

4. Data Access

The CCPA also requires websites to let users access their personal information upon request. You are liable to inform users about what information you collected, what you do with it, the category of the source of collection, and the category of the third party you share the information with.

The data access request can be implemented via contact forms. There are various types of forms that you can use. One of the most recommended plugins for building forms in WordPress is Ninja Forms.

Ninja Forms Builder

It is a simple drag and drop tool for adding forms on your website pages. You can use pre-made templates or create your own for users to submit data access requests.

5. Data Deletion

The CCPA requires websites to delete personal information upon user request.

Like data access, WordPress’ latest versions also have dedicated settings for your visitors to submit data deletion requests. Using this you can send a confirmation mail for data deletion.

To access this, after logging into your WordPress website, go to Tools on the admin menu. From there select Erase Personal Data.

WordPress data erasure request

Similarly for other information, such as comments on a post, you can go to the admin area and delete it.

The Ninja Forms plugin has several templates including one for data deletion requests. It is easy to use and you can create a simple form for users to submit their requests.

Ninja Forms data deletion requests template

All you need to do is publish and embed the form shortcode on the target page.

Frontend data deletion request form

We hope these steps will kickstart your WordPress website’s CCPA compliance in the right way. We will always recommend getting a legal consult for complete compliance. That way, you will be able to ensure that everything is in place.

Subscribe to the Newsletter

Get our latest news, tutorials, guides, tips & deals delivered to your inbox.


No comments yet. Why don't you kick off the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *

Learn how your comment data is processed by viewing our privacy policy here.