GDPR: these four letters were a real headache for almost every digital entrepreneur, from small eCommerce merchants to Mark Zuckerberg. The General Data Protection Regulation was the first breakthrough data security law that changed the face of personal data security and business ethics.
On January 1, 2020, a new player came into play — CCPA (California Consumer Privacy Act). It’s the newest privacy law that aims to enhance data security for the residents of California, United States. In this article, we’ll figure out its requirements and differences from GDPR. Simply put, everything every online retailer should know about these two Data Regulation acts.
CCPA is mandatory for any for-profit business in the State of California that processes personal data of the residents of California. The California Consumer Privacy Act puts in place new requirements for processing personal information and grants Consumers additional rights.
What are these rights? Let’s briefly overview them:
- The Right to Be Informed
Customers under CCPA have the right to know what personal information an entity collects, stores, shares, and sells. Moreover, you must disclose how you collect the information, which third parties you share this data with, and your purpose for collecting it. You should also inform customers how they can object to the sale of their data.
- The Right of Access
Customers have the right to access their personal information, the sources from which it was collected, the list of third parties that have access to it, the information that was sold and to whom, and the purposes for collecting and selling their personal information.
- The Right to Portability
When a client requests any personal information, a website must fulfill this request within 45 days and free of charge. Information can be sent by regular mail or in electronic format. An entity may refuse to satisfy these requests if the client has already requested it more than 2 times within 12 months, and if the organization does not sell, collect, store or use personal data for re-identification.
- The Right to Be Deleted
This act grants consumers the right to delete all the personal information collected about them. When a website receives a removal request, you must delete all the recorded information about a client and instruct your third-party partners to do the same if you have already shared this data with them.
This request must be fulfilled within 45 days and free of charge. If necessary, the period can be extended by another 45 days, but you must notify the customer of the extension within the first 45 days.
- The Right to Refuse the Sale of Personal Data
If you sell personal information to third parties, you must inform your consumers of this fact. Consumers can’t be required to create an account in order to opt out. You should have a “Do Not Sell My Personal Information” link on your website.
- The Right to Opt-In (consent for minors)
It’s prohibited to sell the information of consumers who are under 16. There are only two scenarios in which it’s allowed: a user between 13 and 16 has opted in, or the consumer’s parent or guardian has opted in on the consumer’s behalf (if the consumer is under 13).
- The Right to Not Be Discriminated Against
Discrimination includes denying goods and services, providing a different level of service, and charging different prices for goods and services.
In the case of non-compliance, your business will be fined up to $2,500 for an unintentional violation and up to $7,500 for an intentional one.
First of all, you should provide your customers with:
- A CCPA notification about data collection
- A “Do Not Sell My Personal Information” (DNSMPI) link
- A toll-free telephone number so that customers can exercise their privacy rights offline
- A possibility to download customers’ personal data in a readable form
- A possibility to delete personal data
- An “opt-out” option (the right to say no to the sale of personal data)
- An “opt-in” option (for minors between 13 and 16, and for the parents and guardians of consumers who are under 13)
CCPA Backend Recommendations:
- Set up email notifications and templates relevant to CCPA
- Set up Google Tag Manager so that third-party tags do not execute on the site before consent is given
- It’s highly recommended to collect and organize the following data:
  - personal information that you collected, sold or shared in the past 12 months;
  - third parties that you share personal information with;
  - sources from which you collect consumers’ personal information;
  - your business or commercial purpose for collecting or selling the consumer’s personal information
- Implement a cookie management grid
- Maintain records of consent to demonstrate CCPA compliance
- Anonymize customer accounts when they are deleted
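The Google Tag Manager recommendation above boils down to one rule: a third-party tag must not run until the visitor has consented to its purpose, and every consent decision must be recorded so it can be produced later. The following is an added illustration of that consent gate, not code from the article or from any Magento extension; the purpose categories, the loader registration API and the log fields are assumptions made for the example. Loaders are plain functions here so the logic runs outside a browser, where they would inject script tags instead.

```javascript
// Added example (not part of the article or any Magento extension): a
// minimal consent gate. Third-party tag loaders are registered under a
// purpose category and held until the visitor grants consent for that
// category; every decision (allow or deny) is appended to a consent log.
// Category names, method names and log fields are assumptions.

const CATEGORIES = ["analytics", "marketing"]; // assumed purpose categories

class ConsentGate {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.granted = new Set();   // categories the visitor has opted in to
    this.pending = new Map();   // category -> queued { name, loader } entries
    this.executed = [];         // names of loaders that actually ran
    this.log = [];              // consent records for the audit trail
    for (const c of CATEGORIES) this.pending.set(c, []);
  }

  // Register a third-party tag. It runs immediately only if consent for its
  // category already exists; otherwise it waits in the queue.
  register(category, name, loader) {
    if (!this.pending.has(category)) throw new Error(`unknown category: ${category}`);
    if (this.granted.has(category)) {
      this._run(name, loader);
    } else {
      this.pending.get(category).push({ name, loader });
    }
  }

  // Record the visitor's choice. Only "allow" releases queued loaders; a
  // denial is logged too, so a later dispute can show the tag never fired.
  // Returns how many queued loaders were released.
  decide(category, allowed, meta = {}) {
    if (!this.pending.has(category)) throw new Error(`unknown category: ${category}`);
    this.log.push({ at: this.now(), category, allowed, ...meta });
    if (!allowed) {
      this.granted.delete(category);
      return 0;
    }
    this.granted.add(category);
    const queue = this.pending.get(category).splice(0);
    for (const { name, loader } of queue) this._run(name, loader);
    return queue.length;
  }

  _run(name, loader) {
    this.executed.push(name);
    loader();
  }
}

// Constructed walk-through: two tags registered before any consent; the
// visitor then allows analytics but declines marketing, and a tag registered
// after consent fires right away. IP and region values are constructed.
function demo() {
  const gate = new ConsentGate(() => "2020-01-01T00:00:00Z");
  const fired = [];
  gate.register("analytics", "ga", () => fired.push("ga"));
  gate.register("marketing", "fb-pixel", () => fired.push("fb-pixel"));
  const released = gate.decide("analytics", true, { ip: "203.0.113.5", region: "CA" });
  gate.decide("marketing", false, { ip: "203.0.113.5", region: "CA" });
  gate.register("analytics", "hotjar", () => fired.push("hotjar"));
  return { fired, released, log: gate.log, executed: gate.executed, pending: gate.pending };
}
```

The point the example makes is that denial must leave the queued loader unexecuted rather than silently dropping it, and that the log holds both outcomes with a timestamp; in a real store the same log feeds the consent records that the recommendation list asks you to keep.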
Before jumping to the comparison of CCPA and GDPR, let’s recall some basic principles of GDPR.
The General Data Protection Regulation is the EU law that regulates data protection and privacy in the European Union and the European Economic Area. It must be complied with not only by entities based in the EU but by any entity that targets EU consumers.
This means that an organization’s location doesn’t affect whether GDPR applies. If you’re a US online store that sells products to citizens of the European Union, you have to obey this law. Penalties for non-compliance are terrifying: €20 million ($22 million) or 4% of annual global revenue, which can be even scarier.
GDPR grants consumers the same rights as CCPA: to be informed, of access, to portability, to be deleted, and to object.
In order not to violate GDPR, every website should:
- Inform customers that the site processes their data and why you do it
- Obtain consent for the collection of personal data on the registration, checkout, newsletter subscription and contact-us pages. The same applies to cookies
- Allow customers to edit their privacy consents at any time
- Let customers download account data
- Let customers delete their accounts
GDPR backend recommendations:
- Set up Google Tag Manager so that third-party tags do not execute on the site before consent is given
- Your customer grid should contain the relevant GDPR attributes: logs of customer consents, account removals and downloads
- Anonymize the customer account when a customer deletes it
- You should have a cookie management grid
- Set up GDPR relevant email templates and notifications
You fall under the CCPA if your business meets at least one of the following criteria:
- its annual gross revenue exceeds $25 million;
- 50% of its revenue comes from selling consumers’ personal data;
- it processes the personal data of at least 50K Californian consumers (simply put, you have 50K website visits from California residents)
How to Comply With GDPR and CCPA Simultaneously?
Theoretically, you can comply with these laws without installing any third-party extensions. However, that means processing clients’ requests manually, which may lead to GDPR and CCPA violations. First of all, you shouldn’t forget that human mistakes happen. If a store admin fails to satisfy a customer’s request for any reason, you’ll be fined. Moreover, manual request management is time-consuming.
So far, there’s one solid extension that helps Magento merchants to comply with both GDPR and CCPA — Magento 2 GDPR Extension by Plumrocket.
Full Compliance with the California Consumer Privacy Act (CCPA) & GDPR
The extension covers all the consumer rights under these two laws: the right to be deleted, to be informed, to access, to opt in and to opt out. It adds a Privacy Center Dashboard that displays all the necessary data security options.
Customer Account Data Management
Customers can download any account data, from personal information to wishlists and compared products. The download is password-protected, and only the customer has the password. They get all the information in Excel or CSV format. Admins can track all downloads from the admin panel.
Delete & Anonymize
The extension automatically deletes customers’ accounts and erases all their personal information within 24 hours of receiving a removal request. Customers can cancel the removal by logging in before it is carried out. Admins can view all removal requests from the admin panel.
Control Cookie Usage
Display cookie notifications on your Magento 2 store. Cookies will be used only after a customer accepts them; customers can choose whether to opt in or not. Set up Google Tag Manager to prevent your third-party services from executing before cookie consent is given.
You can add consent checkboxes on registration, checkout & newsletter subscription pages directly from your admin panel. The data of opted-in customers is stored in the Magento consent log. This log includes customer name, email, IP address, consent location, etc.
GeoIP functionality allows merchants to track the consent location, which will help them personalize their offers in the future. Moreover, store admins can enable the Cookie Notice and Consent Checkboxes for European or California customers only and disable them for the rest of the world.
Popup and Email Notifications
Use email notifications and popups that meet both CCPA and GDPR requirements. Notify users whether their data was successfully downloaded or removed.
If you want to find out more eCommerce tips, articles and news, visit our eCommerce blog.
About the author:
E-commerce Journalist at Mobecls
2+ years experience
Feel free to ask me anything about this post in the comments below