Is your WordPress website CCPA-ready? Making data-driven decisions is one of the ways to succeed as a business. It helps you understand the needs, interests, and purchasing behavior of your target audience to create a more effective marketing strategy. You’re able to sell the right products at the right price to them too, thus driving your sales and revenue. But the California Consumer Privacy Act of 2018 (CCPA) compliance requirements have put the brakes on how you can handle this data.

CCPA came into effect on January 1, 2020. It is a data privacy law that gives California residents control over the personal data businesses collect about them.

CCPA grants consumers the right to:

  • Know what kind of personal information a business is collecting and how it uses, shares, or sells that information
  • Opt out of the sale of their personal information
  • Have the personal information a site collects about them deleted
  • Not be discriminated against for exercising their CCPA rights

Unintentional non-compliance with CCPA rules can lead to a $2500 fine per violation. Similarly, for intentional violations, the fine is $7500 per violation. In addition, consumers can sue your business for data breaches and claim up to $750 per incident.

Who is subject to CCPA compliance?

Not all businesses are subject to CCPA compliance.

To start with, your business needs to be a for-profit business operating in California or doing business with Californians. It also has to meet at least one of the following criteria:

  • Has a gross annual revenue exceeding $25 million
  • Collects or sells the personal data of 50,000 California consumers, households, or devices
  • Draws at least half of its annual revenue from selling the personal information of Californians

You can always work with an attorney to confirm if your WordPress website is subject to CCPA.

How to make WordPress CCPA compliant?

Here are some crucial actions you should take to ensure effective CCPA compliance for your WordPress website.

1. Audit your data

The first step to compliance with the California Consumer Privacy Act (CCPA) involves checking which personal information your WordPress website is collecting. This includes any information that can be used to identify a person, such as a name, address, email address, or phone number. To do this, check the data collected by your lead generation software, custom scripts, plugins, and other tools.

It’s easier to keep track of this information through data mapping: the process of recording which customer data you collect and understanding how that data flows through your organization. Automated tools can make this easier.

2. Add a Privacy Policy

To comply with the California Consumer Privacy Act (CCPA), you must add a privacy policy to your WordPress website. This privacy policy must state the types of data you collect from site visitors, how you use that data, and with whom you share it.

Once you have all the necessary information from data mapping, you can include all the required details in the Privacy Policy, such as:

  • The information you’ll be collecting from them
  • What you’ll do with this information
  • Who you’re sharing it with
  • Your reasons for collecting and sharing the information
  • Your practices in the sale of this information
  • Their privacy rights—right to know, delete, opt out of the sale of information, and non-discrimination—and how to exercise them

Make it easy for your WordPress site visitors to find the Privacy Policy page. You can link it in the footer of your homepage with a link title like “California Privacy Rights” or simply “Privacy Policy”.

In WordPress, go to Settings > Privacy to create or select a privacy policy page, or use an online policy generator to draft the text.

[Image: WordPress Privacy settings, showing the privacy policy page option used for CCPA]

3. Give an opt-out option

If you sell the personal information of your visitors, you need to make sure that they have the option to opt out of it. Whether you’re collecting visitor information to create targeted videos or to sell it to third parties, you must provide them with the option to opt out. You can do this by adding a link to your website that says “Do Not Sell My Personal Information” and pointing it to an opt-out page. If the user is under 16 years old, you will need parental approval before selling their personal information.

After a user opts out, you will have to wait at least one year before you can ask him or her to opt back into the sale of his or her personal information.

There are exceptions here, though, where your business may refuse a customer’s request to stop selling their personal information, such as:

  • If the sale of information is necessary for complying with legal obligations
  • If the personal information involved is exempt from CCPA, such as medical and consumer credit reporting information

4. Make it possible for users to access and delete data

One of the other CCPA compliance requirements is for users of your WordPress website to be able to access their personal data upon request. For instance, if you have a referral program on your WordPress website, participants have the right to ask what personal information you’ve collected, shared, or sold and for what reasons.

Instructions on how to make this request should also be on your Privacy Policy.

You should provide the information requested at no charge and respond within 45 calendar days, with the option to extend for another 45 days. But you must notify the user of the extension.

CCPA also requires you to delete user information upon request, except in certain cases, such as when the information is necessary to comply with a legal obligation. You don’t need to wait for a user to request the deletion of their data. It’s a good practice to establish a data retention policy where you keep the personal information you need only for as long as you need it.

In WordPress, go to Tools > Export Personal Data and Tools > Erase Personal Data to handle access and deletion requests for the data WordPress core stores about a user.

[Image: WordPress Export Personal Data settings]
[Image: WordPress Erase Personal Data settings]
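The built-in Export Personal Data and Erase Personal Data tools only know about the data WordPress core keeps (profile, comments, media). Data a plugin or custom code stores, such as the referral program mentioned above, has to be registered with WordPress through the `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters, or it will be silently left out of the export and the erasure. The following is an added example written for this article, not code from the original post or from any plugin; it assumes a hypothetical custom table `{$wpdb->prefix}referrals` with the columns `id`, `email`, `referred_email`, `ip_address`, `created_at` and `payout_paid`, and a hypothetical rule that records with a completed payout must be retained (anonymised) for accounting, which is the kind of legal-obligation exception the text describes.

```php
<?php
/**
 * Plugin Name: Referral Program Privacy Hooks (added example)
 *
 * Hypothetical mu-plugin: registers a personal data exporter and eraser for an
 * assumed custom table {$wpdb->prefix}referrals. Place it in wp-content/mu-plugins/.
 */

// Make referral data show up in Tools > Export Personal Data.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['referral-program'] = array(
        'exporter_friendly_name' => __( 'Referral Program', 'referral-example' ),
        'callback'               => 'referral_program_privacy_exporter',
    );
    return $exporters;
} );

// WordPress calls this repeatedly with an increasing $page until 'done' is true.
function referral_program_privacy_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( $page - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'referrals';

    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, referred_email, ip_address, created_at FROM {$table}
         WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, $offset
    ) );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'referrals',
            'group_label' => __( 'Referrals', 'referral-example' ),
            'item_id'     => 'referral-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Referred email', 'referral-example' ), 'value' => $row->referred_email ),
                array( 'name' => __( 'IP address', 'referral-example' ),     'value' => $row->ip_address ),
                array( 'name' => __( 'Date', 'referral-example' ),           'value' => $row->created_at ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page,
    );
}

// Make referral data show up in Tools > Erase Personal Data.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['referral-program'] = array(
        'eraser_friendly_name' => __( 'Referral Program', 'referral-example' ),
        'callback'             => 'referral_program_privacy_eraser',
    );
    return $erasers;
} );

function referral_program_privacy_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table          = $wpdb->prefix . 'referrals';
    $items_removed  = false;
    $items_retained = false;
    $messages       = array();

    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, payout_paid FROM {$table} WHERE email = %s", $email_address
    ) );

    foreach ( $rows as $row ) {
        if ( $row->payout_paid ) {
            // Assumed accounting obligation: keep the row but strip everything
            // that identifies the person, and tell the admin it was retained.
            $wpdb->update(
                $table,
                array( 'email' => 'erased@example.invalid', 'referred_email' => '', 'ip_address' => '' ),
                array( 'id' => $row->id ),
                array( '%s', '%s', '%s' ),
                array( '%d' )
            );
            $items_retained = true;
        } else {
            $wpdb->delete( $table, array( 'id' => $row->id ), array( '%d' ) );
            $items_removed = true;
        }
    }

    if ( $items_retained ) {
        $messages[] = __( 'Referral records with completed payouts were anonymised but retained for accounting obligations.', 'referral-example' );
    }

    return array(
        'items_removed'  => $items_removed,
        'items_retained' => $items_retained,
        'messages'       => $messages,
        'done'           => true,
    );
}
```

Once the file is in place, the "Referral Program" group appears in the export file WordPress e-mails to the requester, and the erasure report lists the retained records with the message above, which is the evidence you need when explaining a partial deletion to the consumer.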

5. Add a cookie notice

Under CCPA, “unique personal identifiers” are considered personal information.

This is because they can directly or indirectly identify a consumer or device. Cookie identifiers are unique personal identifiers and therefore fall under CCPA.

As such, the sale of information tied to cookie identifiers requires a cookie consent notice that honours the right to opt out of such sales. The notice itself must explain why you’re using cookies and give users the option to opt out of any sale of information tied to cookie identifiers, as well as of tracking cookies used for advertising purposes.

[Image: CCPA cookie notice on WordPress]

You should also make sure that your cookie notice is easy to locate on your WordPress website and that it uses language that’s easy to understand.
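For a self-hosted site, the “Do Not Sell My Personal Information” link from step 3 and the cookie opt-out from step 5 come down to the same mechanism: record the visitor’s choice in a first-party cookie and stop loading the scripts that would sell or share data whenever that cookie is present. The following is an added example written for this article, not code from the original post, from CookieYes or from WordPress.com (whose `[ccpa-do-not-sell-link]` shortcode is a different, hosted feature). It assumes a page containing a hypothetical `[ccpa_do_not_sell]` shortcode, a placeholder ad-tag URL `https://ads.example/tag.js` as the only script that sells data, and PHP 7.3 or newer for the array form of `setcookie()`.

```php
<?php
/**
 * Plugin Name: CCPA Do Not Sell Opt-Out (added example)
 *
 * Hypothetical mu-plugin for a self-hosted WordPress site. Place it in
 * wp-content/mu-plugins/, create a page containing [ccpa_do_not_sell], and link
 * to that page from the footer as "Do Not Sell My Personal Information".
 */

const CCPA_OPTOUT_COOKIE = 'ccpa_do_not_sell';
const CCPA_OPTOUT_DAYS   = 365; // keeps the choice for the 12 months before you may ask again

/** True when this visitor has already recorded a "do not sell" choice. */
function ccpa_visitor_opted_out() {
    return isset( $_COOKIE[ CCPA_OPTOUT_COOKIE ] ) && '1' === $_COOKIE[ CCPA_OPTOUT_COOKIE ];
}

/** [ccpa_do_not_sell]: renders the opt-out button, or the current status once opted out. */
add_shortcode( 'ccpa_do_not_sell', function () {
    if ( ccpa_visitor_opted_out() ) {
        return '<p>' . esc_html__( 'You have opted out of the sale of your personal information.', 'ccpa-example' ) . '</p>';
    }
    $html  = '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    $html .= '<input type="hidden" name="action" value="ccpa_opt_out">';
    $html .= wp_nonce_field( 'ccpa_opt_out', '_wpnonce', true, false );
    $html .= '<button type="submit">' . esc_html__( 'Do Not Sell My Personal Information', 'ccpa-example' ) . '</button>';
    $html .= '</form>';
    return $html;
} );

/** Records the opt-out in a first-party cookie, for logged-in and anonymous visitors alike. */
function ccpa_handle_opt_out() {
    check_admin_referer( 'ccpa_opt_out' ); // rejects requests that did not come from our form
    setcookie( CCPA_OPTOUT_COOKIE, '1', array(
        'expires'  => time() + CCPA_OPTOUT_DAYS * DAY_IN_SECONDS,
        'path'     => COOKIEPATH ? COOKIEPATH : '/',
        'domain'   => COOKIE_DOMAIN,
        'secure'   => is_ssl(),
        'httponly' => true, // the choice is enforced server-side, so page scripts need not read it
        'samesite' => 'Lax',
    ) );
    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : home_url( '/' ) );
    exit;
}
add_action( 'admin_post_nopriv_ccpa_opt_out', 'ccpa_handle_opt_out' );
add_action( 'admin_post_ccpa_opt_out', 'ccpa_handle_opt_out' );

/** Only load the advertising tag for visitors who have not opted out. */
add_action( 'wp_enqueue_scripts', function () {
    if ( ccpa_visitor_opted_out() ) {
        return;
    }
    // Placeholder URL for the assumed ad network tag.
    wp_enqueue_script( 'ad-network-tag', 'https://ads.example/tag.js', array(), null, true );
} );
```

One caveat worth checking on any site that uses full-page caching: the gate runs in PHP, so a cached copy of a page rendered for a visitor who had not opted out still contains the ad tag. Configure the cache to bypass or vary on the `ccpa_do_not_sell` cookie, or the opt-out will appear to work in testing and fail in production.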



6. Boost data security

While collecting customer data, you must ensure the data is secure and protected from unauthorized access, loss, theft, or misuse. Under CCPA, consumers have the right to sue you for loss of privacy that results from a data breach.

Here are some measures you can take to maximize data protection:

  • If you’re using automation tools, ensure they offer data security features.
  • Evaluate the procedures you use to handle data to ensure the protection of user records
  • Serve the site over HTTPS with a valid SSL/TLS certificate
  • Use strong passwords and unique usernames for your logins
  • Keep your WordPress website updated
  • Only source your plugins and themes from trusted developers and keep them updated
  • Ensure you’re using the latest version of PHP
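Several of the items on this list can be enforced in configuration rather than left to habit. The following `wp-config.php` fragment is an added example written for this article, not settings from the original post; it assumes the site is already reachable over HTTPS, and the constants go above the “That’s all, stop editing!” line. Each setting is shown with its WordPress default so the change is visible.

```php
<?php
// Added example (not from the article): hardening constants for wp-config.php.
// Assumes the site already has a working HTTPS certificate.

// Force HTTPS for the login and admin screens. Because logging in then always
// happens over HTTPS, the auth cookies WordPress issues carry the secure flag.
// Default: false.
define( 'FORCE_SSL_ADMIN', true );

// Remove the theme/plugin file editor from the dashboard, so a stolen admin
// password cannot be turned into arbitrary PHP on the server through the UI.
// Default: false.
define( 'DISALLOW_FILE_EDIT', true );

// Keep core on the latest release automatically, major versions included.
// Default: only minor and security releases are applied automatically.
define( 'WP_AUTO_UPDATE_CORE', true );

// Never show PHP errors (file paths, stack traces) to visitors on production.
// Default: WP_DEBUG is false; WP_DEBUG_DISPLAY is true when WP_DEBUG is on.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
```

Plugins and themes are not covered by `WP_AUTO_UPDATE_CORE`; enable their auto-updates per item on the Plugins and Themes screens, or from a plugin with `add_filter( 'auto_update_plugin', '__return_true' )` and `add_filter( 'auto_update_theme', '__return_true' )`. The PHP version itself is set by the host, not by WordPress, and is visible under Tools > Site Health.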

7. Use plugins for CCPA compliance

You can use dedicated WordPress plugins to make CCPA compliance easier.

For instance, you can use plugins like CookieYes to create a cookie consent notice and Privacy Policy.

Additionally, add an extra layer of security to your WordPress website with a security plugin such as Wordfence or iThemes Security Pro. You can also assess your WordPress website for vulnerabilities using a plugin like WPScan.

How WordPress is making CCPA compliance easier

WordPress has made its WordAds program more CCPA compliant. The WordAds program shares personal information about your site users with its advertising partners, who then use it to personalize ads. This counts as a “sale” of personal information.

However, in line with CCPA compliance requirements, WordPress has taken specific measures.

Free WordPress.com plans

If you’re on a free WordPress.com plan, WordPress will add a “Do Not Sell My Personal Information” link to your website. The link directs users to the WordAds Program page where they can opt out of these personalized ads.

Paid WordPress.com plans

If you’re on a paid WordPress.com plan, as the site owner, you can disable targeted advertising to California consumers through the dashboard on the WordAds settings page.

If you want to enable targeted advertising, you must add a “Do Not Sell My Personal Information” link to your site. It enables visitors to opt out of personalized ads. This link will only appear to visitors with California IP addresses.

You can also add the link by enabling the CCPA Consent Widget or using the [ccpa-do-not-sell-link] shortcode.

Taking these steps will help you kickstart your WordPress site’s compliance with the California Consumer Privacy Act. However, it is important to consult an attorney to ensure that you are fully compliant. You will not only avoid the consequences of non-compliance, but your customers will have the assurance that their personal data is safe with you, which builds their trust.

Lastly, take appropriate measures to be vigilant with how you collect, share, use, and sell the data of all your consumers, not just California residents.

Frequently asked questions

Do I need CCPA on my website?

Yes, you need to comply with the California Consumer Privacy Act (CCPA) if your website collects personal information from California residents. However, not all websites are covered by the law. CCPA applies to your business if you meet at least one of the following:

1. Your annual global revenue is more than $25,000,000

2. You buy or sell the personal information of 50,000 or more consumers or households

3. You earn more than half of your annual revenue from selling consumers’ personal information

Is WordPress GDPR compliant?

Yes, the latest versions of WordPress are GDPR-compliant. These versions include several features that support GDPR compliance, including a privacy policy template, a comment opt-in checkbox, and tools for exporting and erasing personal data.

As with CCPA, you can configure your WordPress site for GDPR compliance.

How do I add a CCPA cookie notice to my website?

To add a CCPA cookie notice to your website, you can use a cookie consent banner. This is a piece of code that will appear on every page of your website and inform users about cookies and allow them to opt out of cookies.

CookieYes has a free tool that allows you to add this banner to your website and manage cookie consent for CCPA compliance.

What is CPRA?

The California Privacy Rights Act (CPRA) is an upcoming privacy act that amends CCPA. It will come into effect on 1 January 2023. The Act changes consumer rights, and provisions such as consent and sensitive personal data processing now have clear definitions. Additionally, it also brings the “sharing” of personal information under its compliance thresholds.

To learn more about how CPRA is different from CCPA, read this article.

Author Bio: Gaurav Sharma is the founder and CEO of Attrock, a results-driven digital marketing agency. He has grown the company from 5-figure to 7-figure revenue in just two years and has contributed to top publications like HuffPost, Adweek, Business 2 Community, and TechCrunch.

Disclaimer: This guest article is for general informational purposes only and should not be relied upon as legal or professional advice. The views expressed in this article are the guest author’s own and do not necessarily reflect those of CookieLawInfo, which will not be held liable for any inaccuracy. We do not endorse any products or services mentioned in the article.