
Magento 2 California Consumer Privacy Act (CCPA) Compliance

Overview of Magento 2 CCPA Extension

In 2018, the California State Legislature passed a bill, the California Consumer Privacy Act (CCPA). This new bill is intended to protect the data privacy rights of consumers who reside in the State of California, USA. We at Plumrocket have developed an add-on for the GDPR Magento 2 extension that enables CCPA functionality in your Magento 2 store. The new privacy law becomes effective on January 1st, 2020 and will apply to all companies that collect and process the data of California residents. The full text of the law and the CCPA requirements can be found on the official website of the California State Legislature.

Consumer Rights Under the CCPA Law

Even though the CCPA has similarities with the GDPR (in effect since 2018 in the European Union), there are a number of differences between them. Nevertheless, all CCPA requirements are covered by the Plumrocket Magento 2 CCPA extension. Below we illustrate all consumer privacy rights protected by the California law and how to make your Magento store CCPA compliant.


The "Right To Opt-out" Of The Sale Of The Consumer’s Personal Information

(Screenshot: Magento "Do Not Sell My Personal Information" page)

Section 8 of the new privacy law requires businesses to "provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information". In plain language, in order to be CCPA compliant, you must have a “Do Not Sell My Personal Information” page at your Magento store, dedicated to one specific function only: allowing visitors to opt out of the sale of their personal information. Website visitors should be able to reach this page from your store homepage. The link to the new page should also be named "Do Not Sell My Personal Information" and can be styled as a regular-sized link, a button, or even a small banner on your homepage. Either way, store owners must make sure that visitors can find it easily. Additionally, California Senate Bill No.1121 states: "A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information". This means that all Magento visitor types, including registered customers and guest users, should be able to opt out on this page. Lastly, the law allows businesses working with customers outside of the State of California to maintain two separate home pages, one for the general public and one for California residents, as long as the "business takes reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally".

We at Plumrocket have implemented all required opt-out CCPA features as follows: 

  • Once the extension is installed, a new “Do Not Sell My Personal Information” CMS page with the "opt-out" form is automatically created. Merchants can edit the page contents and enable or disable the page from the backend.
  • The link to this page is automatically added to the website footer. Additionally, Merchants can enable a link to this page from the "My Privacy Center" dashboard in the "My Account" section of the Magento store.
  • The same page works for registered and guest visitors. Guest visitors need to enter their name and email to be added to the "do not sell" list, while registered customers can opt out simply by saying "no" to the sale of their personal information.
  • Merchants can show the “Do Not Sell My Personal Information” link only to residents of the State of California, thanks to the built-in Plumrocket GeoIP plugin.
  • All consumers who opt out of the sale of their personal information are saved in the Magento database. Merchants can view the history of "do not sell" requests and export those lists in CSV format.
  • Merchants can create “Do Not Sell My Personal Information” consent checkboxes, display them anywhere across the site, and track customer preferences from the Magento backend.

 

The "Right To Opt-in" - Protection For Minors

(Screenshot: Magento CCPA "Right to Opt-in")

Section 5 of the "SB 1121, Dodd. California Consumer Privacy Act of 2018" states: "a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age." There are however exceptions to this rule: "unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information." In other words, you may sell personal information of minors only in two cases: 

  • If a consumer between 13 and 16 years of age has personally authorized a business to sell their personal information;
  • If a consumer is less than 13 years old and the consumer’s parent or guardian has authorized a business to sell their personal information.

Unlike with adults, California privacy law strictly prohibits the sale of the personal information of minors before they have provided explicit authorization. By contrast, you are allowed to sell the information of adult consumers until the consumer submits a "do not sell" request via the “Do Not Sell My Personal Information” page.

Please note that Section 9 of the CCPA clearly explains that selling information means a lot more than just a sale for money: "“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration."

Here is how "The Right To Opt-in" is implemented in the Plumrocket GDPR / CCPA extension:

  • Merchants can use the CCPA functionality to create "consent checkboxes" from the Magento backend.
  • An example of such a checkbox is: "I am over 16 years old" or "Confirm you're at least 16 years old".
  • Consent checkboxes can be placed in standard and custom locations across the Magento store. Examples of checkbox locations are the customer registration page, checkout page, newsletter subscription page, contact us page, or any other page with an HTML form.
  • Merchants can make consent checkboxes "required" in order to sign up at the website or place an order.
  • Additionally, you may use the built-in GeoLocation feature to display the "I am over 16 years old" checkbox only to consumers from the State of California.
  • With this feature, Merchants can keep track of all minors or simply restrict registration and checkout for all minors from the State of California.
  • All consents are saved in Magento and can be viewed by the customer from the "My Consents" tab in the My Account section, as well as by the Admin from the Magento backend.

 

The "Right To Delete" Personal Information

(Screenshot: Magento CCPA "Right to Delete" information)

Section 2 of the California privacy law declares: "A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer." This right guarantees that any resident of the State of California can submit a request to delete their personal data collected by any business. They should be able to exercise this right starting on January 1st, 2020. Additionally, the law requires the Merchant to verify the owner of the personal information and to delete their personal information not only from the website but also from any third party service where the consumer's information might be saved: "A business that receives a verifiable consumer request from a consumer to delete the consumer’s personal information pursuant to subdivision (a) of this section shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records." Lastly, the CCPA gives a business 9 exceptions under which the request to delete the consumer’s personal information can be denied. Some of these cases are: when a merchant requires the consumer information in order to complete the transaction, provide goods or services, perform a contract between the business and the consumer, detect security incidents, etc.

Learn how California's "right to delete" is implemented in the Plumrocket GDPR / CCPA Magento extension:

  • After the extension is installed, consumers see a new tab "Privacy Center" in the My Account section of your Magento store.
  • From the Privacy Center Dashboard, consumers can access the Privacy Policy, Cookie Policy, Email Preferences, Download their Personal Data, Delete Personal Data, and the Do Not Sell My Personal Information page.
  • Delete Personal Data functionality is available for Guests and Registered Customers.
  • In order to comply with the "verifiable consumer request" requirement described above, our plugin requires registered customers to re-enter their password in order to delete the account. The original account owner is then notified by email that the account will be deleted in 24 hours. The account owner or the Admin can cancel the account removal request.
  • The extension prevents customers with pending orders from deleting their accounts until all orders are completed or canceled.
  • Guest users confirm their account removal requests via a unique link sent to their email address. They can still cancel those requests by contacting the store Admin.
  • If your business stores consumer information on third party services, you can use our online API documentation to delete information from those locations as well.
  • Admin can view the full log of account removal requests from the Magento backend.
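As an added illustration (not code from the Plumrocket extension or from Magento), the following hypothetical Python model shows the removal-request workflow described in the list above: open orders block the request, registered customers re-authenticate, guests confirm through an emailed token that is stored only as a hash and compared in constant time, and nothing becomes due for deletion until the 24-hour grace period has passed without a cancellation. The `check_password` callback, the order data and the email addresses are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

GRACE_PERIOD = timedelta(hours=24)  # window in which the owner or the admin can still cancel
@dataclass
class DeletionRequest:
    email: str
    token_hash: str = ""        # guests: sha256 of the emailed token, never the token itself
    confirmed: bool = False     # registered users count as confirmed once re-authenticated
    delete_after: datetime = None

class DeletionQueue:
    def __init__(self, pending_orders, check_password):
        self.pending_orders = pending_orders  # constructed: email -> number of open orders
        self.check_password = check_password  # the store's own credential check (assumed)
        self.requests = {}

    def _require_no_open_orders(self, email):
        if self.pending_orders.get(email, 0):
            raise PermissionError("open orders must be completed or cancelled first")
    def request_registered(self, email, password, now):
        self._require_no_open_orders(email)
        if not self.check_password(email, password):  # re-authentication makes it a verifiable request
            return False
        self.requests[email] = DeletionRequest(email, confirmed=True, delete_after=now + GRACE_PERIOD)
        return True

    def request_guest(self, email):
        self._require_no_open_orders(email)
        token = secrets.token_urlsafe(32)  # unguessable token that goes only into the confirmation link
        self.requests[email] = DeletionRequest(email, hashlib.sha256(token.encode()).hexdigest())
        return token
    def confirm_guest(self, email, token, now):
        req = self.requests.get(email)
        digest = hashlib.sha256(token.encode()).hexdigest()
        if (req is None or not req.token_hash or req.confirmed
                or not hmac.compare_digest(req.token_hash, digest)):  # constant-time compare
            return False
        req.confirmed, req.delete_after = True, now + GRACE_PERIOD
        return True

    def cancel(self, email):  # owner (from the notification email) or admin, inside the grace period
        return self.requests.pop(email, None) is not None

    def due_for_deletion(self, now):
        return sorted(e for e, r in self.requests.items() if r.confirmed and r.delete_after <= now)
```

A real store would persist the requests and have a scheduled job call `due_for_deletion` and then purge the accounts it returns, including at any third-party services.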

 

The "Right To Access" Personal Information in Portable Format

(Screenshot: Magento CCPA "Right to Access" information)

Section 1 of the California Consumer Privacy Act of 2018 states: "A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period." You must export consumer data upon request in formats suitable for migrating data from one service to another. Magento CCPA compliance is achievable by exporting consumer data in CSV, XML, JSON, or another format. However, from our point of view, the CSV format is the most user-friendly, since customers can open it in MS Excel or other spreadsheet software.

Learn how California's "right to access" is implemented in the Plumrocket GDPR / CCPA Magento extension:

  • Similar to the "right to delete", the right to access allows customers to download their personal information from the "Privacy Center" tab in the My Account section of your Magento store.
  • Customers are asked to re-enter their account password to access their data, and guests are required to confirm their request via a secure email link.
  • The data is downloaded in a portable and readily usable format (Excel, CSV).
  • Admin can view all download requests via “Log of Account Data Downloads” in the Magento backend.
  • Additional information can be exported from Magento using the provided API. Follow our developer’s guide if you need to include customer data from your third-party extensions or services in the downloadable ZIP archive.

 

The "Right to Know" What Categories Of Personal Information a Business has Collected About You


Perhaps one of the most fundamental privacy rights under the CCPA law is "The Right to Know". The law requires businesses to disclose categories of personal information collected about the consumer in the preceding 12 months.

Section 7 of the CCPA describes this right in detail. It requires businesses to: "Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request from the consumer." In other words, Merchants must inform consumers about the information they have collected about them. This information must be disclosed on the Privacy Policy page or in "any California-specific description of consumers’ privacy rights.", which means you can maintain two separate Privacy Policies, one for the general public and one for California residents, where all this information is described in detail. Merchants must "disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers’ privacy rights, or if the business does not maintain those policies, on its Internet Web site, and update that information at least once every 12 months":

  • a description of the consumer's rights under the CCPA;
  • two or more designated methods for submitting information requests, including a toll-free number and a website address (contact us page or another page);
  • a list of the categories of personal information collected by the business in the preceding 12 months;
  • a list of the categories of personal information sold or disclosed for a business purpose in the preceding 12 months, or, if the business has not sold consumers’ personal information in the preceding 12 months, a statement of that fact;
  • a link to a “Do Not Sell My Personal Information” page;
  • a description of any financial incentives for providing data or not exercising rights (e.g., if the company offers a discount to consumers who provide their email addresses for marketing purposes, this incentive should be disclosed in the privacy policy).

According to the CCPA, you must update your Magento store privacy policy page or California-specific policy page before January 1st, 2020. You are also required to update your policy page at least once every 12 months. You must specify whether you have started collecting any additional personal information about the consumer in the preceding 12 months. It is also advisable to notify your customer base about the Privacy Policy update via email to ensure that everyone knows about their rights.

The "Right to Know" features available in the Plumrocket GDPR / CCPA Magento extension:

  • When the Admin creates or edits the Privacy Policy page (or any other CMS page) in Magento, each version of this page is saved to retain a history.
  • The Admin can also specify a version of the Privacy Policy (example: "v1.2" or any other numbering format).
  • When a consumer agrees to this Privacy Policy by ticking the "I agree to the Privacy Policy" checkbox, the consent is saved into the "Log of Customer Consents" grid together with the policy version.
  • The Admin can notify customers about the privacy policy update via a popup notification. This popup is displayed automatically on customer login, asking the customer to agree to the updated version of the Privacy Policy.

 

The "Right to Equality" and Non-discrimination

Section 6 of the CCPA says: "A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title". It identifies the following as discrimination: 

  • denying goods or services to the consumer;
  • charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
  • providing a different level or quality of goods or services to the consumer;
  • suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

The Magento platform allows you to create flexible discount rules and customer groups. It is up to your organization how to charge your customers for products or services, but you must not discriminate based on whether the customer is from California or another part of the world.

 

Magento 2 GDPR / CCPA Extension Demo and Screenshots

We hope this information was useful for your business and that you are now one step closer to becoming CCPA compliant. You can view the demo of the CCPA extension and screenshots on the GDPR Magento 2 extension page. If you have any questions about this extension, feel free to contact our customer care team.