CCPA Compliance for Divi Websites: What are The Rules

Motivated by Europe’s successful GDPR implementation, the CCPA came into force on Jan. 1, 2020. It is the most important change to California data protection law, allowing Californians to fight for the personal data that state-wide businesses hold about them.

And while the legislation technically affects Californian citizens only, Americans globally can use the CCPA regulation to regulate how businesses handle their data. 

For example, the CCPA has already revealed that the retail giant Amazon logs everything you do on Kindle, from when you begin reading to when you highlight a certain phrase.

Without further ado, let’s explore what the CCPA regulation has in store for your Divi website-based business.

What Does CCPA Stand for?

The CCPA bill is a piece of California state legislation introduced in 2018, but it has officially been in force since January 2020. In the same vein as the GDPR, the CCPA regulation safeguards people’s data and online privacy rights. While GDPR protects EU citizens, CCPA is intended explicitly for preserving California residents’ rights.

The CCPA regulation was created to protect Californians’ data from unwanted sharing or disclosure, preventing situations such as the Cambridge Analytica scandal, which involved the personal data of nearly 87 million Facebook users whose consent was not asked for.

Even as a California law, CCPA influences companies that, independently of their location, collect, share, or sell personal data of Californian citizens who are consumers or employees of various contractors.

The personal data volume globally collected has been increasing throughout the years and will continue to do so in the future. As a result, personal data has become the most significant asset that companies can have, which helps them learn more about the customer journey and their target consumers, as well as beat their competitors in the process.

If you don’t comply with CCPA, you risk getting a hefty fine, in the same vein as with GDPR compliance. The California Attorney General can set a civil case in motion if you don’t meet the CCPA requirements within 30 days of being notified about them, with a fine of up to $7,500 per single intentional data breach or violation, or $2,500 per non-intentional violation.

Does CCPA Apply to You?

The CCPA regulation applies to every business with annual gross revenue of over $25 million that receives personal data of at least 50,000 California residents and obtains more than half of its annual revenue from selling California citizens’ data.

In addition, California legislators also allow CCPA exemption for companies already under strict federal data protection laws.

Differences Between GDPR and CCPA

Both the GDPR and CCPA can affect your Divi website. For instance, as you may be aware by now, according to GDPR, if you collect data from any citizen who stays in a GDPR-protected country, you must be fully GDPR-compliant in protecting that citizen’s rights.

CCPA applies to businesses based in California that also have customers in GDPR-covered countries. While the CCPA rules sound equivalent to GDPR’s, they do have their differences. Namely, being GDPR-compliant doesn’t automatically make you CCPA-compliant.

The differences might be minor, but they’re critical. For example, according to CCPA, you must display the personal information categories that you’ve sold over the last 12 months, which is yet to be required with GDPR. There are several other CCPA guidelines that differ significantly, such as:

  • Including a “Do not sell my personal data” button on the homepage.
  • Introducing a way for users to request data removal or alteration.
  • Getting minors’ consent before selling their data.  

Which Personal Data is Covered with CCPA?

Any information related to the consumer is potentially CCPA-protected data. In other words, any information that relates to an individual or a household because of the nature of its content can be considered personal data protected under CCPA.

Even if it’s only device-related information and the company that performs the data tracking can’t obtain the device owner’s identity, the California AG and courts would consider that as personal data under CCPA since it’s directly connected to individuals or households.

Moreover, any information or data that describes the consumer’s habits and practices and identifies the consumer is considered data within the CCPA scope.

Additionally, the information that is reasonably linked to an individual or household also remains within the range of CCPA even when that type of information doesn’t directly identify a person or a household, as long as the information will ultimately result in an identification upon request.

An individual is identified via direct and indirect information such as the person’s name, physical address, photograph, etc., or, for instance, a unique identity of a person registered in a certain online database.

CCPA and Data Privacy

As a business, if your Divi website is already GDPR-compliant, you’ll find CCPA-compliance much more straightforward. Incorporating certain rights and aspects in your Privacy Policy is pivotal if you want your Divi website to become CCPA compliant.

Right to Disclosure

When you collect information about CCPA-protected citizens, you must notify them about your purpose before the data collection begins.

For example, Forbes appends a Privacy Policy link when collecting email addresses for the newsletter, letting subscribers know that they provide their consent as soon as they sign up in the process:

CCPA rules: right to disclosure

Right to Access

Californian citizens have the right to ask you to provide them with the following information within 45 days of their request:

  • The categories of personal data that you collect.
  • The pieces of personal information you already have about them.
  • The sources from which you collect personal data.
  • The commercial purpose for collecting the information.
  • The third parties that you disclose or sell personal information to.

Consumers can ask you for this information up to twice a year, and you must ensure a proper and swift method for consumers to exercise this right.

The Right to Not Sell Any Information

The CCPA allows selling users’ data. However, the regulation obliges you to let users opt out of that if they don’t want their personal information to be shared for business purposes.

When selling users’ information, you must allow them to opt out of the sale, which is in keeping with web visitors having complete control over their data.

As per CCPA, when selling personal information to third parties, you must include a ‘Do Not Sell My Personal Information’ button on your homepage from where the users can ‘opt out’ of having their data sold. In addition, it’s always a good practice to include the same button within your Privacy Policy. For example, Coca-Cola explicitly informs the users that they can opt out of the sale of their information:

CCPA compliance: The Right to Not Sell Any Information

Moreover, they also include the same button in a much more prominent place, specifically, on the website’s footer.

Right to Equal Treatment

Nobody should be discriminated against for opting out of personal data sales and sharing. CCPA explicitly prohibits the following:

  • Denying customers access to your products.
  • Charging different rates for goods and services, including imposed penalties and discounts.
  • Allowing different service quality levels according to customers’ status.
  • Indicating that consumers can get another price or quality by opting out of your service.

Providing Access to Your Privacy Policy

Above everything, you must make your Privacy Policy visible to website visitors. For instance, you can use a pop-up or a banner to bring more attention to your Policy and link the Policy on your website header or footer. Make sure that your privacy policy includes:

  • The type of information you collect and process.
  • The purpose of collecting that information.
  • How you collect the information.
  • How consumers can access, delete, or alter their data.
  • How you verify the consumers’ identities and locations.
  • How you sell users’ personal information and how they can opt out of it.

Making Your Divi Website CCPA-Compliant

To make sure that your Divi website meets each CCPA requirement, there are several steps that you can take right now, starting from altering your privacy policies to how you conduct customer relationships:

  • Update Your Privacy Policy: Notify users what type of data you collect, as well as why and how you manage it; let users know how they can access, alter, or ask for their data to be removed from your users’ database; have a method of sharing users’ data with third parties and a method for allowing users to avoid having their data shared with third parties.
  • Get Minors Involved: According to CCPA, you must get minors’ or parental consent (for children under 13) before collecting and using their data when they arrive on your website or before you decide to use the data. In any case, you can’t use any type of data without valid consent.
  • Allow Users to Alter Their Data: You must continue to allow users to submit data change requests either through contact forms on your website or via email.
  • Include a “Don’t Sell My Personal Information” Link: Placing a link in a prominent space on your homepage is an excellent practice if you plan to allow users to start the process of opting out of selling their data.
  • Maintain Communication Records: Each user request must be taken seriously, which means that keeping communication records of requests and responses is a must.

Wrapping Up

To sum things up, CCPA protects various forms of personal data and other information used for identifying and processing individuals.

If you’re just getting started implementing the CCPA regulations for your Divi website, don’t worry, you’re not alone.

This article is just a head start for you to consider the rules that you must respect if you want to streamline the data of users from the State of California. Arguably, CCPA remains the first and foremost regulation of its kind in the U.S., providing customers with more rights and control over their personal information.