In 2018, the California State Legislature passed a bill, the California Consumer Privacy Act (CCPA). This new bill is intended to protect the data privacy rights of consumers who reside in the State of California, USA. We at Plumrocket have developed an add-on for the GDPR Magento 2 extension that enables CCPA functionality in your Magento 2 store. The new privacy law becomes effective on January 1st, 2020 and will apply to all companies that collect and process data of California residents. The full text of the law and CCPA requirements can be found on the official website of the California State Legislature.
Even though the CCPA law has similarities with the GDPR law (effective since 2018 in the European Union), there are still a number of differences between them. Nevertheless, all CCPA law requirements are covered by the Plumrocket Magento 2 CCPA extension. Below we will illustrate all consumer privacy rights protected by the California law and how to make your Magento store CCPA compliant.
Section 8 of the new privacy law requires businesses to "provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information". In plain language, in order to be CCPA compliant, you must have a “Do Not Sell My Personal Information” page in your Magento store, dedicated to one specific function only: allowing visitors to opt out of the sale of their personal information. Website visitors should be able to access this page from your store homepage. The link to the new page should also be named "Do Not Sell My Personal Information" and can be styled as a regular-sized link, a button, or even a small banner on your homepage. Either way, store owners must make sure that visitors can find it easily. Additionally, California Senate Bill No. 1121 states: "A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information". This means that all Magento visitor types, including registered customers and guest users, should be able to opt out on this page. Lastly, the law allows businesses working with customers outside the State of California to maintain two separate home pages, one for the general public and one for California residents, as long as the "business takes reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally".
We at Plumrocket have implemented all required opt-out CCPA features as follows:
Section 5 of the "SB 1121, Dodd. California Consumer Privacy Act of 2018" states: "a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age." There are, however, exceptions to this rule: "unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information." In other words, you may sell the personal information of minors only in two cases:
Unlike with adults, California privacy law strictly prohibits the sale of the personal information of minors before they have provided explicit authorization. By contrast, you are allowed to sell the information of adult consumers until they submit a "do not sell" request via the “Do Not Sell My Personal Information” page.
Please note that Section 9 of the CCPA law clearly explains that selling information means a lot more than just a sale for money: "“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration."
Here is how "The Right To Opt-in" is implemented in the Plumrocket GDPR / CCPA extension:
Section 2 of the California Privacy law declares: "A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer." This right guarantees that any resident of the State of California can submit a request to delete their personal data collected by any business. They should be able to exercise this right starting on January 1st, 2020. Additionally, the law requires the merchant to verify the owner of the personal information and delete that information not only from the merchant's website but also from any third-party service where the consumer's information might be saved: "A business that receives a verifiable consumer request from a consumer to delete the consumer’s personal information pursuant to subdivision (a) of this section shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records." Lastly, the CCPA gives a business 9 exceptions under which the request to delete the consumer’s personal information can be denied. Some of these cases are: when a merchant requires consumer information in order to complete the transaction, provide goods or services, perform a contract between the business and the consumer, detect security incidents, etc.
Learn how California's "right to delete" is implemented in the Plumrocket GDPR / CCPA Magento extension:
Section 1 of the California Consumer Privacy Act of 2018 states: "A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period." You must export consumer data upon request in formats suitable for migrating data from one service to another. Magento CCPA compliance is achievable by exporting consumer data in CSV, XML, JSON, or another format. However, from our point of view, the CSV format is the most user-friendly, since customers can open it in MS Excel or other spreadsheet software.
Learn how California's "right to access" is implemented in the Plumrocket GDPR / CCPA Magento extension:
Perhaps one of the most fundamental privacy rights under the CCPA law is "The Right to Know". The law requires businesses to disclose categories of personal information collected about the consumer in the preceding 12 months.
The "right to know" CCPA feature available in the Plumrocket GDPR / CCPA Magento extension:
Section 6 of the CCPA says: "A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title". It identifies the following as discrimination:
The Magento platform allows you to create flexible discount rules or customer groups. It is up to your organization how to charge your customers for products or services, but you should not discriminate based on whether the customer is from California or another part of the world.
We hope this information was useful for your business and that you are now one step closer to becoming CCPA compliant. You can view the demo of the CCPA extension and screenshots on the GDPR Magento 2 extension page. If you have any questions about this extension, feel free to contact our customer care team.