Ensuring Website Compliance With CCPA
The California Consumer Privacy Act (CCPA) will take effect on January 1, 2020 and affected businesses must update their operations within the next six months to avoid potentially significant penalties. This includes not only corporate policy and operational changes, but also ensuring website compliance with CCPA.
In short, the CCPA guarantees California residents control over their personal information (PI). Under the CCPA, Californians can demand to know who has their information, what they are doing with it, specifically what kind of information they have, why they want it, and with whom they are sharing it. Organizations doing business in California will be obligated to provide this information promptly and completely. A more detailed overview of the CCPA is available here.
Not all businesses in the United States are mandated to comply with the CCPA, but all should take notice, as this legislation likely represents the beginning of a national and/or multi-state privacy legislation movement. Currently, CCPA-affected businesses include all for-profit companies that do business in California and collect California residents' personal information, and that also meet any one of the following thresholds:
- Exceed $25MM in gross annual revenue
- Buy, receive, sell or share the PI of 50,000+ California consumers, households or devices per year
- Earn 50% or more of annual revenue from selling California residents' PI
Website Upgrades Needed for CCPA Compliance
The CCPA is the broadest privacy regulation in the United States to date, with major impacts on many companies around the country. The legislation will require updates across numerous operational areas, including Customer Service, HR, Marketing, Sales and beyond. Nearly all websites will require updating, some of them substantial front-end and back-end work. To ensure website compliance with CCPA, web designers should focus on several aspects, including:
- Privacy policy
- Ensuring opt-in/opt-out ability across site
- Ease of requesting information
- Data collection and processing
- Backend design
- Special concern for minors
In general, any website updates needed for CCPA compliance should be solely on the technical side, not design or aesthetic related. That said, in order to implement some of the new requirements, it is strongly recommended that organizations upgrade their site to the latest version possible on their platform in order to ensure technical capabilities. (If this is a major upgrade, you should probably consider a full-website redesign at the same time, in order to maximize efficiency.)
Let’s take a look at the different areas of a website that need to be updated for CCPA, one at a time.
Website Compliance for CCPA Checklist
Privacy Policy
Updating the privacy policy on the website for CCPA is one of the biggest changes that will be needed. Obviously, updating the privacy policy for the CCPA is more than just a “website issue” — it is a corporate-level adjustment that may require systemic policy changes.
The entire organization needs to become crystal clear on exactly how PI is being used throughout the business. Ask yourselves:
- What kinds of personal information are you collecting and/or processing?
- How are you collecting and processing it?
- Why do you need it, and what are you using it for?
- Who are you sharing the PI with, or selling the PI to?
- How can consumers access, change or delete any PI that you possess?
- How will you verify the identity of the individual or household making the request?
As a corporation, the answers to these questions must guide your operations moving forward. This process must be clearly delineated and disseminated throughout your entire organization to ensure 100% compliance. Once the entire PI collection and processing pathway has been finalized, it needs to be clearly communicated in your online privacy policy in order to ensure a CCPA-compliant website.
Things you will need to explicitly state in your Privacy Policy:
- A specific list of the categories of personal information you collect, how you use each category and the business purpose for collecting it
- Links for people to opt out of the sale of their PI or to have their data removed
- A link titled “Do Not Sell My Personal Information” that leads to a page where the opt-out can actually be exercised
- At least two methods of contacting you in order to access, update, remove or transfer PI
- A description of all rights afforded to consumers under the CCPA
- A statement that you will not discriminate against consumers who exercise those rights
- A notice to the people in your database that the Privacy Policy has been updated
Some companies may choose to have separate Privacy Policies for California residents and maintain their existing policy for everyone else. Companies that choose to do so must guarantee that California residents do not suffer any adverse effects, either in pricing or quality of product or service.
Opting Out Made Easier
One of the most pervasive changes the CCPA requires for your website is the opt-out control and a “Do Not Sell My Personal Information” link prominently placed on the homepage. Every point where your website collects PI must carry a notice of what is collected and why, along with an opt-out checkbox. This also includes e-newsletter subscription forms.
Homepages must feature a conspicuous “Do Not Sell My Personal Information” link, making it clear to consumers (Californians) that they can prevent companies from trading their PI.
Provide Information Access
In addition to making sure your website informs California residents about their rights under the CCPA, your website must also enable them to enact their rights. This is really a two-step process.
- Disclose a minimum of two distinct ways for consumers to submit requests for their PI. This must include a toll-free telephone number and, if you operate a website, a website address. Additional options can include a mailing address, email address, or online form.
- Verify the identity of the individual requesting information before releasing anything. Put a procedure in place to ensure you are not distributing PI to the wrong person: match the request against data you already hold (or require login to an existing account), scale the strength of verification to the sensitivity of what is being released, and never disclose passwords, government ID numbers or similar sensitive items in a response.
Probably the least labor-intensive method of granting information access would be to implement a self-service website option that allows PI download or deletion. There are several existing plug-ins and apps that can help with this, depending upon your individual business. Alternatively, a CCPA web development team can build a custom version to fit your needs exactly.
Beyond the website, your internal customer service (or dedicated privacy team) will need to be trained on how to provide this access manually for consumers not using the online method.
Backend Website Data Collection and Processes
Much of the heavy lifting for the CCPA and website design will occur on the backend. The CCPA requires that all companies meeting requirements must prepare data maps of their California residents. This will not only require a careful analysis of the how, why, what and where of your data, but require the infrastructure to manipulate and share this information on-demand.
Companies will likely need to upgrade their databases to include all required information. This will include not only personal information collected, but also source information related to where you obtained the contact, how and when permission to use/share/sell their data was obtained, and any third-parties that processed their PI or with whom you may have shared or sold their information.
You may also need to spend significant time cleaning up your databases and ensuring that there is a single, centralized storage location. This means different departments or internal programs must use the same list. If a consumer requests a change or deletion in data, all records must be updated at the same time.
This likely will require updated linking between programs within the company, such as email marketing providers, sales tools, fulfillment, etc.
Additional backend website requirements for CCPA may include upgrading to the latest version of WordPress or your site platform, ensuring the entire site is served over HTTPS with a current TLS certificate and configuration (request forms and PI downloads must never travel in the clear), developing a self-service PI access tool, and reconfiguring your internal list usage and program integrations.
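The two backend pieces above, verifying a requester before releasing or deleting PI and then applying the change to every connected system in one pass, are shown together in the following example. This is an added illustration, not code from this page or from CMDS. It assumes a hypothetical setup: PI lives in three in-memory dictionaries standing in for the CRM, the e-mail marketing list and the fulfillment system, each keyed by e-mail address; a request is verified by a link carrying an HMAC-signed, expiring token sent to the e-mail address on file; and every decision, granted or denied, is written to an audit log so the handling of each request can be shown later.

```python
"""Verified consumer-request handler (added example, hypothetical systems).

Assumed, not from the page: three in-memory stores keyed by e-mail address,
an HMAC token e-mailed to the address on file as the verification step, and
a list used as the audit log.
"""
import hashlib
import hmac
from typing import Dict, List

TOKEN_TTL_SECONDS = 15 * 60  # a verification link is good for 15 minutes


def issue_token(email: str, purpose: str, secret: bytes, now: float) -> str:
    """Mint 'email|purpose|expiry|mac'. Binding the purpose ('access' or
    'delete') means a link sent for an access request cannot be replayed
    to delete the consumer's data, and vice versa."""
    expiry = int(now) + TOKEN_TTL_SECONDS
    payload = f"{email.lower()}|{purpose}|{expiry}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_token(token: str, email: str, purpose: str, secret: bytes, now: float) -> bool:
    """Check the MAC first, in constant time, then the binding and expiry.
    Nothing in the token is trusted until the MAC has been verified."""
    parts = token.split("|")
    if len(parts) != 4:
        return False
    payload, mac = "|".join(parts[:3]), parts[3]
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    tok_email, tok_purpose, expiry = parts[:3]
    return tok_email == email.lower() and tok_purpose == purpose and int(expiry) >= now


def sample_stores() -> Dict[str, Dict[str, dict]]:
    """Constructed sample data: one consumer present in all three systems.
    Each CRM record keeps the sourcing and consent information the CCPA
    data map needs, alongside the PI itself."""
    return {
        "crm": {
            "ana@example.com": {
                "name": "Ana Ruiz",
                "phone": "555-0100",
                "source": "web signup form",
                "consent_recorded": "2019-03-02",
                "shared_with": ["email-marketing-vendor"],
            }
        },
        "email_marketing": {"ana@example.com": {"list": "newsletter", "source": "synced from CRM"}},
        "fulfillment": {"ana@example.com": {"orders": ["A1001", "A1002"]}},
    }


def handle_request(stores: Dict[str, Dict[str, dict]], audit: List[dict],
                   email: str, purpose: str, token: str, secret: bytes, now: float) -> dict:
    """Access: return every record held on the consumer, grouped by system.
    Delete: remove the consumer from every system in the same pass and
    report what was removed where. Either way, refuse unverified requests
    and record the decision."""
    verified = verify_token(token, email, purpose, secret, now)
    audit.append({"at": int(now), "email": email.lower(), "purpose": purpose, "verified": verified})
    if not verified:
        return {"status": "denied"}
    key = email.lower()
    if purpose == "access":
        records = {name: store[key] for name, store in stores.items() if key in store}
        return {"status": "ok", "records": records}
    if purpose == "delete":
        removed = {name: int(store.pop(key, None) is not None) for name, store in stores.items()}
        return {"status": "ok", "removed": removed}
    return {"status": "denied"}


if __name__ == "__main__":
    secret, now, audit = b"rotate-me-in-production", 1_560_000_000.0, []
    stores = sample_stores()
    link = issue_token("ana@example.com", "access", secret, now)
    print(handle_request(stores, audit, "ana@example.com", "access", link, secret, now))
    print(handle_request(stores, audit, "ana@example.com", "delete", link, secret, now))  # denied: wrong purpose
    link = issue_token("ana@example.com", "delete", secret, now)
    print(handle_request(stores, audit, "ana@example.com", "delete", link, secret, now))
    print(audit)
```

The deletion loop touches every store in one call, which is the point of the "single, centralized list" advice above: if the e-mail marketing tool or the fulfillment system keeps its own copy that this code does not know about, the consumer's deletion request has not been honored. The audit entries are what you produce when asked to show how a request was handled.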
Special Consideration for Children
The CCPA makes a special consideration for children under 16. If your organization sells the PI of consumers it knows to be under 16, you must first receive an opt-in. Children aged 13 to 15 may opt in themselves; for children under 13, the opt-in must come from a parent or guardian. Separately, under COPPA (the Children’s Online Privacy Protection Act), services directed at children under 13, or with actual knowledge that a user is under 13, must obtain verifiable parental consent before collecting that child’s PI at all.
As a result, businesses complying with the CCPA must ask for age where it is relevant, and obtain the appropriate opt-in before PI of a known minor is sold or, under COPPA, collected. Not doing so leaves them open not only to CCPA penalties, but to COPPA enforcement as well.
CCPA Updates for a GDPR-Compliant Website
If your organization has already gone through the efforts of becoming GDPR compliant, there is good news — the majority of your work has already been completed.
You should already have the ability to grant access to consumer data quickly and easily, while making it simple for consumers to change or delete their personal information.
If your site is GDPR-compliant, the main updates that you will need to make to achieve CCPA-compliance include:
- Update the privacy policy to reference the CCPA, the contact methods for requests, and how PI is shared and sold
- Add a “Do Not Sell My Personal Information” link on your home page
- Develop procedures for all sources and channels that handle personal information and PI access requests
- Update the incident response plan for the CCPA’s breach provisions: its private right of action covers breaches of unencrypted, non-redacted PI caused by a failure to maintain reasonable security, and gives the business 30 days after written notice to cure the violation where a cure is possible
- Recognize and confirm a non-discriminatory practice for California residents
- Update opt-out/opt-in checkbox language to include CCPA requirements for adults and children
You will want to take a thorough pass through your entire site and ensure that language on cookies, Privacy Policy, data collection points and opt-in/out disclaimers all conform to both GDPR and CCPA.
Beyond California
There are specific thresholds that companies have to meet in order to fall under CCPA jurisdiction. So, for those companies that don’t — should you care?
The short answer is yes.
While CCPA privacy rules do not necessarily apply to you yet, there is a good chance that something along these lines will soon. California may be the first state to enact such broad sweeping privacy laws, but more are coming.
In the beginning of June 2019, Nevada passed a Privacy Amendment, which will take effect in October 2019. New York currently has a bill similar to the CCPA pending. Other states, like Texas and Washington have proposed stronger privacy legislation that failed, but indicate a movement in this direction.
Additionally, for the first time a US Federal Privacy Law is being considered, with a draft of the bill anticipated by the end of the summer.
Clearly, changes are coming. Whether your business is affected in the immediate future or longer term, making strides towards a stronger, more forward-thinking privacy policy can only be beneficial. Luckily, non-CCPA affected businesses have the luxury of a bit more time to work on their corporate processes and privacy execution.
CCPA Website Update Summary
Here is a short summary of the changes you will need to make on your website for CCPA compliance:
- Update the Privacy Policy
- Include notice at collection and opt-out check boxes everywhere PI is collected
- Provide cookie notifications
- Publicize easy access to PI through at least two methods, including a web address and a toll-free telephone number
- Create a backend procedure to verify the identity of anyone requesting user data before releasing or deleting it
- Develop a notification system to alert users of any privacy policy changes or data breaches
- Ensure backend data collection maintains sourcing, consent and sharing information for all Californians
Time is running out for the January 1, 2020 deadline. There are several plug-ins available to help with portions of CCPA compliance, but the easiest – and most assured method — is to outsource your CCPA compliance to an experienced website development team. Talk to the experts at CMDS to help determine the steps you need to take to upgrade your website design to abide with the CCPA. Get in touch with us at 732-706-5555 or visit our Contact page here to get started.
More on CCPA
For a more detailed look at what the CCPA entails and how it will affect you and your customers, visit our CCPA Overview here.
Once you update your website for CCPA, you can’t forget your sales and marketing. Read on to learn how the CCPA affects your marketing and what you need to change to follow the new laws.