The California Consumer Privacy Act (CCPA) is a state privacy law that came into force on January 1, 2020, in California, US. It regulates how businesses, including online companies, handle the personal information of California residents.
The CCPA applies to a for-profit business that does business in California (it does not have to be based there) and meets at least one of these thresholds:
- It has annual gross revenue above $25 million.
- It buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices per year.
- It derives 50 percent or more of its annual revenue from selling the personal information of California residents.
Note: These are the thresholds in the original act. The CPRA amendments, in force since January 1, 2023, raised the second threshold to 100,000 consumers or households, so confirm the current figures with your legal team.
If your business meets one of these thresholds, you need to provide certain information and mechanisms on your website, and Piwik PRO can help you with that.
Check the number of visitors from California
Before we go through the requirements, you can check whether your website collects data from 50,000 or more visitors in California per year.
To find this information in Piwik PRO, follow these steps:
- Go to Menu > Analytics.
- Navigate to Reports.
- On the left, click Location.
- Select a date range that covers the last 12 months.
- Click United States to expand the nested dimension that shows data per state.
- Note the number of visitors from California.
Tip: See how visitors are counted in Piwik PRO. Keep in mind that this number is an estimate, not a legal count: visitors are counted per browser and located by IP address, so a person who clears cookies or uses several devices is counted more than once, and VPN users may be placed in the wrong state. If the figure is close to the threshold, confirm your position with your legal team.
Apply data privacy settings
Under the CCPA, visitors to your website must be able to learn what personal information you have collected about them, have that information deleted, and opt out of the sale of that information to third parties.
So here’s what your website should have:
- Information on the privacy policy page: Before collecting data, tell visitors which categories of personal information you gather, how you collect it, what you use it for, and with which third parties you share it. Piwik PRO collects this data using log files, cookies, and other tracking technologies. If you use Tag Manager, Piwik PRO also uses collected data to run scripts on the website; if you use Audience Manager, it combines that data with other data and creates audiences from it.
Tip: You can use this sample disclosure on your site.
- Opt-out form on the privacy policy page: Add an opt-out mechanism to your website so that people can opt out of data collection. For that, you can use our opt-out form or a consent form in Consent Manager.
Note: Make sure that Respect opt-out and DNT is turned on for every tag connected to a third-party tool that profits from user data, for example Google Ads, Facebook Ads, data management platforms, and other ad platforms. Some free services embedded on your website, like social share buttons, may also monetize data from the sites where they are embedded. Keep in mind that the CCPA regulations also require you to treat the Global Privacy Control (GPC) browser signal as a valid request to opt out of sale, so your opt-out mechanism needs to honor that signal as well.
- Form for deleting data on the privacy policy page: Add a form that lets people request deletion of their data. You must verify the identity of the person making the request before you act on it, so that one visitor cannot delete or obtain another visitor's data. For that, you can use a form for data subject requests in Consent Manager, which is linked to a panel for managing data subject requests.
- Link reading “Do Not Sell My Personal Information” on your website: The CCPA requires a clear and conspicuous link with this text on your homepage and in your privacy policy. A pop-up or bottom banner for first-time visitors from California is a good way to make it prominent, but it does not replace the link. The link must trigger the mechanism that opts the visitor out. For that, you can use our custom code with a link to the opt-out form on the privacy policy page.
- At least two methods for submitting requests: Tell visitors where they can find your privacy policy and CCPA information, and how they can contact you to exercise their rights. You must offer at least two designated request methods, including at minimum a toll-free phone number and, since you have a website, an online contact method such as a web form or an email address (a business that operates exclusively online and has a direct relationship with the consumer may provide an email address instead of a phone number).
- Additionally, if your website has users under the age of 16, their personal information may be sold or disclosed to third parties only if they affirmatively opt in. For a child under the age of 13, a parent or legal guardian must opt in on their behalf. For that, you can use a modal or bottom consent form in Consent Manager.
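To make the notes on Respect opt-out and DNT and on the “Do Not Sell My Personal Information” link concrete, here is an added example of the client-side decision logic such an opt-out needs. It is not Piwik PRO code and uses none of its APIs: the cookie name, the tag descriptors, the way tags are gated and the sample tag list are all assumptions constructed for illustration.

```javascript
// Added example (not Piwik PRO code): client-side decision logic for a CCPA
// "Do Not Sell My Personal Information" opt-out. The cookie name, the tag
// descriptors and the gating hook are assumptions for illustration.
'use strict';

const OPT_OUT_COOKIE = 'ccpa_do_not_sell';   // assumed name, not a Piwik PRO cookie
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return jar;
}

// Browser-level opt-out signals. Global Privacy Control (navigator.globalPrivacyControl)
// must be treated as a valid request to opt out of sale under the CCPA regulations;
// Do Not Track is honoured here as well, which is what "Respect opt-out and DNT" means.
function hasBrowserOptOutSignal(nav) {
  if (!nav) return false;
  if (nav.globalPrivacyControl === true) return true;
  const dnt = nav.doNotTrack !== undefined ? nav.doNotTrack : nav.msDoNotTrack;
  return dnt === '1' || dnt === 'yes';
}

// What the "Do Not Sell My Personal Information" link handler writes. Returns the
// string you would assign to document.cookie. Secure and SameSite keep the flag from
// being set or read cross-site or over plain HTTP.
function optOutCookieString() {
  return `${OPT_OUT_COOKIE}=1; Max-Age=${ONE_YEAR_SECONDS}; Path=/; SameSite=Lax; Secure`;
}

// Decide which tags may fire for this page view.
//   tags: [{ name, sellsOrSharesData }]  -- sellsOrSharesData marks ad pixels, DMP tags,
//         social share widgets, i.e. anything that monetises the data it receives.
//   ctx:  { cookieString, nav, under16, affirmativeOptIn }
// Returns { allowed: [names], blocked: [names], reason }.
function gateTags(tags, ctx) {
  const jar = parseCookies(ctx.cookieString);
  let blockSale = false;
  let reason = 'no opt-out';

  if (jar[OPT_OUT_COOKIE] === '1') {
    blockSale = true; reason = 'opt-out cookie';
  } else if (hasBrowserOptOutSignal(ctx.nav)) {
    blockSale = true; reason = 'browser signal (GPC/DNT)';
  } else if (ctx.under16 && !ctx.affirmativeOptIn) {
    // Visitors aged 13 to 16 must opt in themselves; under 13 a parent or guardian must.
    blockSale = true; reason = 'minor without affirmative opt-in';
  }

  const allowed = [];
  const blocked = [];
  for (const tag of tags) {
    (blockSale && tag.sellsOrSharesData ? blocked : allowed).push(tag.name);
  }
  return { allowed, blocked, reason };
}

// Constructed sample: one first-party analytics tag and two third-party ad tags.
const SAMPLE_TAGS = [
  { name: 'piwik-pro-analytics', sellsOrSharesData: false },
  { name: 'google-ads-remarketing', sellsOrSharesData: true },
  { name: 'meta-pixel', sellsOrSharesData: true },
];

// Usage: a visitor whose browser sends GPC and who has no opt-out cookie yet.
// gateTags(SAMPLE_TAGS, { cookieString: '', nav: { globalPrivacyControl: true } })
// returns allowed ['piwik-pro-analytics'] and blocked ['google-ads-remarketing', 'meta-pixel'].
```

The point of the example is the order of the checks: the stored opt-out and the browser signal are consulted before any tag that sells or shares data is allowed to run, and a minor's data is not sold without an affirmative opt-in. If your opt-out form also stops first-party collection, as an opt-out of data collection does, mark the analytics tag as one that is blocked on opt-out too.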
Personal information according to CCPA
The CCPA defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” (Cal. Civ. Code § 1798.140(o)(1)).
So according to the CCPA, this data is treated as personal information:
- Direct identifiers: real name, alias, postal address, Social Security number.
- Unique identifiers: cookies, IP addresses, device identifiers, and account names.
- Geolocation data: location history.
- Internet activity: browsing history, search history, data on the interaction with a website or app.
- Biometric data: face and voice recordings.
- Sensitive information: health data, characteristics of protected classifications, behavior, religious or political convictions, sexual orientation, employment and education data, and financial and medical information.
Data that is deidentified or aggregated is exempt from the CCPA, but only as long as it cannot reasonably be re-identified.
When you use Piwik PRO on your website, you need to be aware that you’ll:
- Use first-party cookies to collect data and run scripts on your website. All cookies are described in this article.
- Collect the data described in this article.
- Share collected data with third-party tools if you use the Google Ads or Meta Pixel tag or other advertising tools connected to Piwik PRO.
- Combine collected data with other data and create audiences based on collected data if you use Audience Manager.
When you adjust your website to the CCPA, there is no single recipe to follow. Work with your legal team to design a clear privacy policy and choose the mechanisms that will guard visitors' rights. You can also consider forms of tracking that limit the amount of collected data, like cookieless tracking or anonymous tracking. For more information on this topic, read this article.