California Consumer Privacy Act of 2018 — Handling CA's Privacy Laws

While we’re still trying to sort out the moving parts of the EU’s GDPR, California has passed its own consumer privacy regulation. It’s called the California Consumer Privacy Act of 2018 — and it gives consumers the right to prohibit businesses from selling their information, and the right to request deletion of their data.

Understanding Data Flow is Still the First Step

The idea of giving consumers more power over the use of their data should sound familiar. California’s new regulation shares many similarities with the GDPR. At the highest level, the intent of both is to give consumers insight and control over how their data is being collected and shared. And that means business leaders must develop an in-depth understanding of how they’re passing around consumer data.

That can be tricky, particularly for small online businesses. Millions of website owners rely on software platforms like WordPress that allow non-technical folks to share their brand and sell their products online. WordPress and the many plug-ins available to extend its functionality are collecting and holding consumer data — in ways that website owners may not know or understand.

WordPress Tools for Privacy

The WordPress community has responded by adding new tools to the platform to help website owners achieve GDPR (and now California Consumer Privacy Act of 2018) compliance. For example, WordPress 4.9.6 has these features:

• Ability to designate a privacy page on your website
• Ability for users to opt-out of cookie usage when leaving comments
• Ability for site admins to export and/or erase a user’s data

Email and Other Systems

These native WordPress features go a long way towards helping website owners get their arms around user data storage. But it’s also critical that website owners understand data collection outside of WordPress. For example, if you receive a request to erase someone’s data, a click of a button in WordPress isn’t the end of the job — for GDPR or the new California legislation. You may also need to erase data from your email subscriber list and any system where you might store consumer information.

Selling Information

The new California law has some extra requirements around the selling of consumer information. For example, when the law goes into effect in 2020, websites will be required to have a conspicuous link labeled “Do Not Sell My Personal Information.”

On the other side of this coin, businesses will be allowed to offer financial incentives for consumers who choose to share their personal information.

Next Steps

The California Consumer Privacy Act of 2018 goes into effect January 1, 2020. If your business is located in California or if you collect the information of consumers living in California, you must comply.

Your next steps to compliance are in line with what we’ve recommended for GDPR compliance:

1. Document how you are collecting consumer data
2. Review your privacy policies for accuracy
3. Implement a system to document when consumers opt-in to your privacy policy
4. Ask for new opt-ins every time you substantively update your privacy policy
5. Implement tools that allow you to erase an individual’s data upon request
6. Monitor privacy best practices by following GDPR and California Consumer Privacy Act of 2018 Coverage