How to make your website compliant with CCPA

California Consumer Privacy Act (aka CCPA) is the set of rules around consumer data that came into force on January 1, 2020, in California, US. It regulates how businesses, including online companies, handle personal information in that state.

The CCPA applies to your business if it operates in California, US and either:

  • It makes at least $25 million in annual revenue.
  • It collects data on more than 50,000 users annually.
  • It makes more than half its money off of selling data of California residents.

If your company falls into this category, you need to apply certain information and mechanisms on your website, and Piwik PRO can help you accomplish that.

Check the number of visitors from California

Before we show you the guidelines, you can check if your website collects data from more than 50,000 users per year in California.

To find this information in Piwik PRO, follow these steps:

  1. Go to Menu > Analytics.
  2. Navigate to Reports.
  3. On the left, click Location.
  4. Choose the date range that displays the past year.
  5. Click United States to view a nested dimension with data from each state.
  6. Note the number of visitors from California.

    Tip: See how visitors are counted in Piwik PRO.

  7. Done!

Apply data privacy settings

Under the CCPA, your website visitors should be able to: (1) see the data you’ve gathered about them, (2) request the removal of their data and (3) opt out of having their data sold to third parties. Here’s what your website should include:

  • Information on your privacy policy page: Before collecting data from visitors, inform them of the types of personal data you will collect, how you will collect it, where you will use it and with whom (third parties) you will share it.

    Piwik PRO collects data using log files, cookies and other tracking technologies. It also uses the collected data to run scripts on your website if you use Tag Manager, to combine it with other data and to create audiences if you use Customer Data Platform.

    Tip: You can use this sample disclosure on your site.

  • Opt-out form on your privacy policy page: Add an opt-out mechanism to your website so people can opt out of data collection. You can use our opt-out form or consent form.

    Note: Make sure that Respect opt-out and DNT is on for every tag linked to third-party tools that make money from user data, such as Google Ads, Facebook Ads, data management platforms and other advertising platforms. Additionally, be aware that certain free services integrated into your website, like social share buttons, may generate revenue from data collected from the sites they’re embedded in.

  • Data deletion form on your privacy policy page: Add a form that allows visitors to request the deletion of their data. You can use our existing request form for this purpose. However, it’s crucial to verify the requester’s identity before proceeding with data deletion.
  • “Do Not Sell My Personal Information” link on your website: Add this link, preferably as a pop-up banner or bottom banner displayed to first-time visitors from California. The link should work with a mechanism to opt out of data collection. To do this, you can use our custom code with a link to the opt-out form on your privacy policy page.
  • Access to personal information in two ways: Inform visitors where they can find a privacy policy and CCPA compliance page and how they can contact you to exercise their rights. At a minimum, you must provide a toll-free telephone number and online contact information.
  • (Optional) Consent from minors under 16: If your website has users who are under 16 years old, they need to give their consent for data collection if you plan to sell or share their data with third parties. If the user is under 13 years old, a parent or legal guardian must provide consent on their behalf. To get such consent, you can use our consent form.

Personal information according to CCPA

The CCPA defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (1798.140.o1). Therefore, under the CCPA, this data is treated as personal data:

  • Direct identifiers: real name, alias, postal address and social security numbers
  • Unique identifiers: cookies, IP addresses and account names
  • Geolocation data: location history
  • Internet activity: browsing history, search history and data on the interaction with a website or app
  • Biometric data: face and voice recordings
  • Sensitive information: health data, personal characteristics, behavior, religious or political convictions, sexual preferences, employment and education data, and financial and medical information

Anonymous or aggregated data is exempt from the CCPA unless it can be re-identified.

Things to know

When you use Piwik PRO on your website, you need to be aware that you’ll:

  • Use first-party cookies to collect data and run scripts on your website. All cookies are described in this article.
  • Collect data that are described in this article.
  • Share collected data with third-party tools if you use Google Ads, Meta Pixel tag or other advertising tools connected to Piwik PRO.
  • Combine collected data with other data and create audiences based on collected data if you use Customer Data Platform.

When you’re adjusting your website to CCPA guidelines, there’s no one way to follow. You’d need to work with your legal team to design a clear privacy policy and choose mechanisms that will guard visitors’ rights. You may also consider other forms of tracking that will limit the amount of collected data, like cookieless tracking or anonymous tracking. For more information on this topic, read this article.

Was this article helpful?

Technical support

If you still have any questions, visit our community.
There’s always someone happy to help!

Back to help center