Yet another privacy law for all of us bloggers to worry about: CCPA. What in the world do you need to do to be compliant with the California Consumer Privacy Act, which went into effect in January 2020?
To cover yourself legally, there are some things you need to do on your blog to be CCPA compliant if you receive any visitors from California (on top of what the EU's GDPR already requires!).
Please note that while Mariam is a lawyer, her answers in this interview do not constitute legal advice. She is providing recommendations only.
Who Is Mariam Tsaturyan?
Mariam is a licensed and practicing attorney in the USA.
She started her blog FreelanceAndMarketing.com as a hobby but quickly realized it could become an actual business, which helped when she made the decision to close her law office to stay home with her son.
She put her legal skills to good use and now helps other bloggers by providing legal recommendations and legal templates in her shop.
What follows are answers to common questions about CCPA and Mariam’s recommendations:
What is CCPA?
CCPA stands for California Consumer Privacy Act, and it's the U.S. equivalent of the EU's GDPR. It is a measure that California adopted to protect people and give them rights with regard to the private data that various websites and businesses collect about them.
The final amendments to the CCPA were signed on October 11, 2019 by the California Governor, and the law went into effect starting January 1, 2020.
Under the CCPA, California residents and consumers have various rights to control what happens to their personal information, similar to the rights consumers have under GDPR.
Consumers can control how businesses use their personal data and, to some extent, dictate what businesses are allowed or not allowed to do with it.
What is required for CCPA compliance?
Under CCPA, a business (a blog counts as a business if it has earned even one cent) must comply with the CCPA's legal requirements if it is subject to the CCPA.
If a consumer exercises his or her rights under CCPA and makes a request, such as a request for disclosure or deletion, then the business must deliver whatever the consumer requested within 45 days of verifying the consumer's request.
The business must deliver the requested information free of charge. If there is a reasonable basis for why the requested information cannot be delivered within 45 days, the business may extend the delivery period by another 45 days, one time only. However, the consumer must be notified in advance.
Moreover, to actually comply with the CCPA, a business must make it easy for the consumers to exercise their rights if they so choose. This means that a business must provide two or more methods for consumers to make requests.
However, if you’re a blogger or an online entrepreneur and you primarily operate online, then you would only need to provide an email address to the consumers as a means and a method to exercise their rights and make requests.
The website itself must be an option for submitting such requests. This means you should have a link on your site, an opt-out form, or a contact form so consumers can make requests directly on your website.
A business must disclose to the consumer whether it sells or plans to sell the consumer's information, and must give the consumer the option to request that the business not sell it.
This is one of the main requirements of CCPA for compliance purposes. A business or website subject to CCPA must have a link in a visible place that says "Do not sell my personal information". When clicked, this link must give the consumer a means to opt out. It can lead to a contact form or an opt-out form, or provide your email address with instructions on how to reach you to exercise their rights.
This "Do not sell my personal information" link must be on your website whether or not you sell information. You can create this link manually or use a plugin. Whichever option you settle on, make sure to implement it.
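If you build the link manually rather than with a plugin, the pieces you need are small. The following is an added example, not code from the original post or from Mariam's templates: the footer link records the opt-out in a first-party cookie, and the ad or analytics tags that would sell or share visitor data are loaded only when no opt-out is present. The cookie name, the tag list with its hosts, and the link's element id are all assumptions.

```javascript
// Added example (not from the original post or Mariam's templates):
// a manual "Do not sell my personal information" link that records the
// opt-out in a first-party cookie, plus a gate so tags that sell or share
// visitor data load only when no opt-out is present.
// The cookie name, tag list and element id below are assumptions.

const OPT_OUT_COOKIE = "ccpa_do_not_sell";      // assumed cookie name
const OPT_OUT_MAX_AGE = 60 * 60 * 24 * 365;     // one year, in seconds
const OPT_OUT_LINK_ID = "do-not-sell-link";     // assumed id of the footer link

// Third-party tags the site would normally load. "sellsData" marks the ones
// that must be suppressed after an opt-out (hypothetical hosts).
const THIRD_PARTY_TAGS = [
  { id: "ad-network",     src: "https://ads.example/tag.js",     sellsData: true  },
  { id: "site-analytics", src: "https://analytics.example/a.js", sellsData: false },
];

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
// Malformed percent-encoding is kept verbatim rather than throwing, so one
// bad cookie cannot break the opt-out check.
function parseCookies(cookieHeader) {
  const cookies = {};
  for (const part of String(cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    const raw = part.slice(eq + 1).trim();
    let value;
    try { value = decodeURIComponent(raw); } catch (e) { value = raw; }
    cookies[name] = value;
  }
  return cookies;
}

// True when the visitor has clicked "Do not sell my personal information".
function isOptedOut(cookieHeader) {
  return parseCookies(cookieHeader)[OPT_OUT_COOKIE] === "1";
}

// Cookie string to assign to document.cookie when the visitor opts out.
// Not HttpOnly, because the page's own script must read it; SameSite=Lax
// keeps it from riding along on cross-site requests.
function buildOptOutCookie(secure) {
  const attrs = [
    `${OPT_OUT_COOKIE}=1`,
    "Path=/",
    `Max-Age=${OPT_OUT_MAX_AGE}`,
    "SameSite=Lax",
  ];
  if (secure) attrs.push("Secure");
  return attrs.join("; ");
}

// Ids of the tags that may be loaded for this visitor: everything when there
// is no opt-out, only the non-selling tags after one.
function allowedTagIds(cookieHeader, tags = THIRD_PARTY_TAGS) {
  const optedOut = isOptedOut(cookieHeader);
  return tags.filter((t) => !(t.sellsData && optedOut)).map((t) => t.id);
}

// Browser wiring: inject only the allowed <script> tags, and make the footer
// link record the opt-out. Tags already on the page keep running until the
// next load, so load them through this gate rather than as static <script>s.
function installOptOut(doc, tags = THIRD_PARTY_TAGS) {
  const allowed = new Set(allowedTagIds(doc.cookie, tags));
  for (const tag of tags) {
    if (!allowed.has(tag.id)) continue;
    const s = doc.createElement("script");
    s.src = tag.src;
    s.async = true;
    doc.head.appendChild(s);
  }
  const link = doc.getElementById(OPT_OUT_LINK_ID);
  if (!link) return;
  link.addEventListener("click", (ev) => {
    ev.preventDefault();
    doc.cookie = buildOptOutCookie(doc.location.protocol === "https:");
    link.textContent = "Opt-out recorded: we will not sell your personal information";
  });
}

// Only run the DOM wiring in a browser; the helpers above are plain functions.
if (typeof document !== "undefined") installOptOut(document);
```

Two things to keep in mind with this approach. First, the link still has to sit somewhere visible, such as the footer, for it to count. Second, a cookie only stops the browser-side tags on future page loads; it does nothing about information a third party already received, which is why the post also points you at a contact form or email address so consumers can make their other requests.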
How does CCPA differ from GDPR?
For the most part, CCPA and GDPR are similar. However, there are some major differences as well that are worth mentioning.
For GDPR compliance, the rule is that you need prior and valid consent before you can process personal and identifiable data. This applies to adding anyone to your email list, sharing the data with third-party platforms, selling the data, and so on. In other words, GDPR compliance boils down to consent.
Under CCPA, there is no need to acquire prior consent before processing a consumer's data. The CCPA gives the consumer the right to know how their already collected data is being used, and also gives them the option to opt out or request that a business not sell their information.
Essentially, GDPR is based on prior consent, while CCPA is based on opting out.
There are some rights that are unique to the GDPR, and others that are specific to the CCPA. For example, under CCPA, the right to request that a business does not sell your personal information is unique. There is nothing like that under the GDPR.
There is the right to withdraw consent under GDPR that is somewhat similar, but it’s not the same.
Do all websites and blogs need to comply with CCPA?
CCPA compliance is based on several different criteria. Whether a blog or website must be CCPA compliant is a fact-based determination, and every case must be examined and analyzed separately.
In other words, there is no "one size fits all" approach. Generally, these are the requirements that must be analyzed to determine whether a website or blog needs to comply with CCPA:
- It’s a for profit business (meaning you make money);
- The business or someone on its behalf collects consumers’ personal information;
- The business determines the purposes and methods of the processing of consumers’ personal information;
- The business does business in California (this doesn't mean the business is located in California, only that it does business there; if someone from California purchases from the business, that counts as doing business); and
- It meets any of the thresholds listed below (satisfying only one of them is enough).
Here are the thresholds:
- The business has annual gross revenue in excess of $25 million;
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
- The business derives 50% or more of its annual revenues from selling consumers’ personal information.
That second threshold, which covers "receives for the business's commercial purposes, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices", is the one that makes most websites and blogs subject to CCPA.
This means that if a website gets approximately 138 visits a day from visitors who interact with the site or its ads, or do anything else on the website, then over a year that website will hit the 50,000-consumer requirement. This is not a big number. Only very new bloggers who have zero traffic and no consumer data might be exempt from complying with CCPA.
However, those bloggers or website owners will grow and will have to comply sooner or later. Complying with CCPA is not difficult, so it doesn't make sense to skip it and risk being liable.
How can I make my blog CCPA compliant?
Beyond giving consumers a way to make their requests, you need to have the "Do not sell my personal information" link on your site in a visible and easily accessible area.
Compliance with CCPA is not difficult or time-consuming. You just need to decide to do it, and the rest will take care of itself.
Do You Need Help Getting CCPA (And GDPR) Compliant?
Hi, this is Kristine of BloggingAboutMomming now – I help bloggers and website owners become CCPA and GDPR compliant if they live in the USA and have a WordPress site. Plus, you may be able to get my services at a discount. Find out how I can help you get compliant here.