The state of California has long been at the forefront of regulating online privacy in the United States.
It was first with Caloppa, and now with the CCPA.
Although these two pieces of legislations both protect the rights to privacy of California residents, the CCPA requires much more than Caloppa and set a much higher standard of rights to privacy and consumer protection.
CCPA compliance for bloggers seems much more complex than what it was required under Caloppa.
To the point that the CCPA has been referred to by many as America’s GDPR or GDPR light.
However, the release of these new regulations has been surrounded by confusion and misconceptions.
First of all, not many bloggers are aware of the CCPA to start with.
And so, if you’re here, kudos to you!
That means you are way ahead of the average blogger and it’s great that you take your blog seriously and want to protect your business legally.
But in reality, not many bloggers know about the CCPA and even those who know about it may dimiss it thinking that it wouldn’t apply to their blog.
This is usually due to one of five common misconceptions.
And today, I’m here to debunk these myths so that you are compliant with the law and your blog is legally protected!
But before we dive in, please let me quickly go through my disclaimers and disclosures.
Also, this post is quite long so if you’re in a bit of a rush, don’t worry, you can always pin it and come back to it later when you’re ready to work on your CCPA compliance for your blog.
DISCLAIMER: Although I’m a lawyer specialized in International and EU Law (LLB, LLM, PhD) by profession, this article is meant for educational and informational purposes only. It doesn’t constitute legal advice and doesn’t create an attorney-client relationship. I will not be held liable for any losses or damages caused by acting or failing to act on the ground of the content of this article. Should your circumstances require, I encourage you to seek legal advice through other avenues. Please read my full disclaimer for further information.
This post may contain affiliate links, which means we may receive a commission, at no cost to you, if you make a purchase through a link. Please see our full disclosure for further information. If not otherwise stated, all prices are intended in US$.
What’s CCPA
So, first things first.
What’s the CCPA?
Well, CCPA stands for California Consumer Privacy Act.
And it’s a new piece of legislation of the State of California which was signed into law in June 2018 in the aftermath of the Cambridge Analytica scandal.
The CCPA is intended to enhance privacy rights and consumer protection for residents of California.
The CCPA applies to any business – including blogs – that have customers from California if some conditions are met.
This new law may or may not apply to you depending on your specific circumstances.
But it may apply even if you’re not based in California.
Effective on the 1st of January 2020 and enforceable by July of the same year, the CCPA requires you to take some action towards compliance.
I have discussed what these new regulations means for bloggers with my friend Sasha Lassey of EveryDayShesSparkling.com in her Facebook group Blogging Babes Collective and you can catch our interview in this replay video.
And you can always join my own Facebook Group Blogging for New Bloggers (25K+ selected members) for help and support with the legal side of blogging and blogging in general. If you’re not part of this community, honestly, you’re missing out!
What happens if you don’t comply with the CCPA?
If you don’t comply with the CCPA, you may expose yourself and your blog at the risk of fines and lawsuits.
Fines
Although the fines are not as steep as those under the GDPR which can go up to 20 million Euro, the fines under the CCPA are still something that can set you and your blog back.
You can face fines for up to $2,5oo for each violation and up to $7,5o0 dollars for each intentional violation.
Lawsuits
In addition to that, the CCPA affords the private right to action to consumers.
So, your users may sue you to recover damages for not less than 100 dollars and not more than 750 dollars per consumer per incident, which means that you will get charged for each incident separately even if it’s about the same consumer so this can add up pretty quickly.
However, many bloggers are under the wrong impression that the CCPA doesn’t apply to them. As a consequence, they’re not working towards CCPA compliance leaving themselves and their blogs exposed to risks of fines and lawsuits.
This is usually due to one or more of the following 5 common misconceptions.
legal courses + templates for bloggers
Legally Blogs
Legal Course for Bloggers-
Access from all your devices
-
Lifetime access to current and future updates
-
BONUS: Facebook Group
-
Suitable for bloggers worldwide
Legal Bundle Value Pack
Legal Templates for Bloggers-
4 legal templates - bundle
-
Extra bonuses included
-
Save $50+
-
Access from all your devices
-
Lifetime access to current and future updates
-
Suitable for bloggers worldwide
GDPR compliant blog
Legal Course for Bloggers-
Privacy policy + cookie policy included
-
10+ extra bonuses
-
Access from all your devices
-
Lifetime access to current and future updates
-
Suitable for bloggers worldwide
Myth #1 – I don’t process personal data
The first misconception is that some bloggers may erroneously believe they don’t process any personal information.
For example, they may think
“Well, I don’t have an email list, I don’t collect email addresses so I don’t process any personal data and so the CCPA doesn’t apply to me.”
But that’s not true!
And this is because personal data is a broad definition.
It can be anything that can be used to identify an individual.
Under the CCPA personal information means information that identifies, relates to, describes, is capable of being associated with, or could reasonably linked directly or indirectly with a particular consumer or household.
So, yes, of course, name, email address, date of birth, but also their login details, their location data, their IP address, their cookies, and so on.
With the clarification that personal information under the CCPA definition does not include publicly available information.
And so, even if you think you’re not processing any data, you, as a blogger, are most likely to process personal data on a regular basis.
There are so many activities or tasks performed on your blog every day that involve data processing.
Yes, the first that comes to mind is when someone joins your newsletter or email list and gives you their name and email address.
But it’s not only that.
Just to give you a few examples:
- Contact forms – In your contact page, you may use forms requesting a name and email address.
- Comment systems – In order for users to comment on your blog, your comment system or plugin probably require them to leave their email address and other information such as name and a link to their website.
- Google Analytics – They track tons of information relating to your users, including their location, type of operating system, browser type, duration of stay, time of visitation, etc.
- Cookies – All the data that you collect about your visitors using cookies installed on their devices.
- Login details and history into membership areas or affiliate dashboards.
- And so much more.
You may need to comply with the CCPA even if you don't collect email addresses!
Myth #2 – The CCPA only applies to bloggers based in California
The other misconception is that being the CCPA a legislation of California, many people think it only applies to bloggers located in California.
So, let’s clarify this. Let’s take a closer look at the territorial application of the CCPA.
If you are located in another state of the US, so you’re not based in California, or if you’re located in Australia, or Canada, South Africa, India or anywhere else in the world…
Does the CCPA apply to your blog?
The answer to this question is that … it might.
In fact, whether the CCPA will apply to your blog or not, it depends on your specific circumstances and whether you meet certains conditions and thresholds.
But before we go through these conditions and thresholds, please let me make it crystal clear that while the CCPA affords rights and consumer protection only to your visitors from California, i.e. only those located in California, you DO NOT need to be based in California for it to apply.
The CCPA is a Californian privacy act and so it protects the rights of California residents.
However, it does the potential to apply outside of California if some conditions are met.
This means two things:
- The CCPA may apply to you even if you’re not from California as long as you do business in California, e.g. you have visitors from California
- If the CCPA applies to you, you need to ensure you afford these rights to your visitors from California but you’re not required by law to do the same for all your other visitors, unless of course, you want to.
The CCPA applies to any business which can be a sole proprietorship, a partnership, a company, a corporation so any business (including blogs) that does business in the State of California, and that satisfies one or more of the following three conditions:
- Has annual gross revenues in excess of 25 million dollars.
- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
Let’s go through these conditions one by one as they are at earth of the next common misconceptions.
But please bear in mind that these conditions are not cumulative, so if you meet just one of them, the CCPA will apply to you.
Free Legal course for bloggers
Myth #3 – the CCPA only applies to the big fish
The first threshold to meet for the CCPA to apply is that you make at least 25 million dollars a year blogging.
Now, I don’t know about you; you may be killing it with your blog, who knows?
But I guess this won’t apply to too many blogs.
But the second condition may sound like a lot but it’s actually not.
In fact, it would take only 137 visitors to your website per day for the CCPA to apply.
Or it can even be less than that if some visitors use multiple devices to access your blog.
If you don’t know how many visitors you get to your blog off the top of your head you can easily found out this figure by checking under audience in your Google analytics.
Does the CCPA apply to small/solo bloggers?
This question is closely related to the interpretation of the threshold of 50K annual visitors.
Do these visitors need to be from California or are we talking about your visitors in general?
Because this does make a huge difference.
Well, the CCPA defines consumers as the residents of California and so that part is clear.
The problem though is that the definition of household or devices in the CCPA is not as clear as it doesn’t specify whether these terms only refer to households and devices located in California or not.
The regulations define household as a person or group of people occupying a single dwelling but doesn’t specify whether these households need to be located in California nor it does for the definition of devices.
In my view, it would make more sense for a consistent interpretation of the act, to interpret it as households and devices located in California.
Because if the consumers are defined as residents of California it would make much more sense to take the words households and devices to be intended as households and devices located in California.
At the same time, one could argue, if the legislator wanted to refer only to households and devices located in California, then the CCPA would expressly said so, as does it for the definition of consumer.
So there are definitely valid arguments for both interpretations.
Did you know the CCPA may apply to you even if you're not based in California? Comply with the law and protect your blog legally today!
But and there is a but.
When it’s about protecting your blog legally, always err on the side of caution so, when in doubt always take the most conservative approach.
And this is because if you interpret legislation conservatively and you’re wrong you have just afforded a higher standard of protection to your users than what you would be required by law but that’s still a nice and commendable thing to do after all.
While in the opposite scenario, if you’re wrong, you are exposing yourself and your blog at the risk of fines, complaints and lawsuits.
Obviously, it all depends on your risk tolerance and if you’re fine with dealing with lawsuits or paying fines in the thousands if case be, then that’s alright.
But generally speaking, my suggestion is to always take a conservative approach which means in this case,
until this will be specifically clarified by the legislators or caselaw, the safest option is to take the threshold of 5oK visitors as meaning any devices regardless of whether they’re located in California or not.
And so if that means any visitors, and not only those from California, 137 visitors a day are nothing.
Most blogs would reach that threshold within the first year of blogging.
If on the other hand, it should be intended as 137 visitors located in California a day, which does seem to be more in line with the whole rationale of the act in general, it’s still not something that can’t be easily achieved by a small business or a small blog.
Think of niche blogs targeting Californians or real estate blogs, travel blogs… – it could be anything really.
So, dismissing the CCPA as something that would only apply to large businesses is a total misconception that could get you in trouble.
And from the day the CCPA was passed in June 2018, there has been ongoing criticism and debate about the fact that the CCPA was introducing requirements that would be too onerous for small businesses and especially for small businesses solely operating online, such as for example, the requirement to have a toll-free number.
No, don’t worry, you won’t be required to operate a toll free number for your blog, because this requirement has been amended so that small businesses operating only online would be exempted.
The point I’m making here is if the CCPA only applied to large businesses, then what months and months of debate were about, right?
Or what these exemptions for small businesses operating exclusively online, would even mean, right?
So, yes, the CCPA may apply to small businesses and blogs.
However, unlike the GDPR, it only applies to businesses, meaning only blogs for profit.
So, if you blog as a hobby and you don’t make money blogging, then the GDPR may apply to you but the CCPA definitely DOES NOT apply to you.
On the contrary, if your aim is to make money through blogging, then the CCPA may apply to you if you meet one of those three thresholds and you will need to comply.
And speaking of thresholds, let’s what’s the third one.
The last threshold is if the business derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Which brings us to the next myth.
But before we move on to the next misconception, let me remind you that these conditions are not cumulative. It suffice to meet just one of these conditions – most likely the second one, i.e. the condition about the 50K consumers, households and devices – for the CCPA to apply to you.
Need help with CCPA compliance?
Myth #4 – I don’t sell personal information
Another common misconception is that you as a regular blogger don’t sell personal information.
While is true that most bloggers don’t directly sell personal information of their visitors or subscribers to third parties in exchange for money, you have to remember that as I mentioned earlier, personal information is a broad definition that includes browsing history, search history, and information regarding the interaction of your users with your website or ads.
Plus, the CCPA definition of selling of personal data is also very broad.
Under the CCPA selling personal information means selling, renting, releasing, disclosing, disseminating, making available, transferring, etc. personal information orally, in writing, or by electronic or other means, to another business or a third party for financial or other valuable consideration.
So, basically, if you’re running target ads on your blog, you are selling personal information under the CCPA.
If you have the Facebook pixel installed on your blog, you’re selling information under the CCPA.
If you run Facebook ads and upload a custom audience, then again, you’re selling personal information.
But there are a few exceptions.
If you share with a service provider personal information that is necessary to perform a business purpose, that’s not considered sale.
And so for example, when I share the personal information of my subscribers with ConvertKit, that’s not selling personal information under the CCPA as long as I provide notice that this is what happens in my terms and conditions (which I do) and as long as ConvertKit doesn’t re-sell their information to third parties (which they don’t).
You think you're not selling personal information but under the CCPA, your blog may be selling personal information! Find out here why!
Myth #5 – If my blog is GDPR compliant, it’s also CCPA compliant
False!
It’s true that the CCPA and GDPR are quite similar.
Sure, there are some differences between the two but there is also lots of similarities.
Although the GDPR is much stricter, in their basic intent both laws are quite similar. They aim to give users the right to control and understand what personal information gets collected and with whom it may be shared.
It’s also true that if your blog is fully GDPR compliant, then there is really little that you need to do to work towards your CCPA compliance.
If you have taken my GDPR Compliant Blog course, your CCPA compliance will be quite easy because you’ve done 90% of the work already and for some things you’ve actually done more than what the CCPA requires from you.
YAY!
At the same time though they’re not exactly the same so even if your blog is fully GDPR compliant you still need to take some extra steps to also make it CCPA compliant.
For example, the CCPA requires that you offer the possibility to opt out from the sale of personal information to your users and you need to have conspicuous do not sell my personal information link on your home page.
By contrast, the GDPR doesn’t require this.
But that’s not the only extra requirement under the CCPA.
The CCPA only applies to bloggers in California. FALSE! That's a myth! Find out whether the CCPA applies to you here.
CCPA Compliance for Bloggers
So, what do you need to do to comply with the CCPA?
Well, the CCPA provides users who resides in California with 5 main privacy rights:
- the right to know what data is being collected, sold or disclosed about them
- the right to access the data you have collected about them
- the right to request their data to be deleted
- the right to opt out from the sale of their personal data
- and the right to equal service and price, even if they exercise their privacy rights.
In order for you to afford your users from California each and everyone of these rights and so in order for you to be CCPA compliant, you will need to change or add a few things to your blog.
First of all, you will need to have a CCPA Compliant privacy policy.
And that’s why, I have updated my privacy policy workshop and template to make it CCPA compliant. So, if you’re one of the students enrolled in my privacy policy course, you already have access to the CCPA update, including a CCPA + GDPR compliant template, at no extra cost to you.
Secondly, you will have to add a conspicuous Do Not Sell My Personal Information Link on your homepage (or a separate page for visitors from California) and your privacy policy, directing to an opt out page which needs to meet specific requirements.
If you offer freebies, you will also have to add a notice of financial incentives.
Moreover, you will have to implement a few processes to handle privacy rights requests and uphold your ongoing obligations under the CCPA.
I know, it may sound overwhelming but once you know what to do, it’s actually quite simple to make your blog CCPA compliant.
If you need help with your CCPA compliance for your blog, I got you covered!
I prepared a Masterclass where I give you tons of actionable tips on what you need to do right now to make your blog CCPA compliant in 5 easy steps.
CCPA for Bloggers Masterclass
My CCPA Compliance for Bloggers Masterclass covers everything you need to know and do to make your blog CCPA compliant.
In this Masterclass, I will walk you through
- What the CCPA is
- Whether it actually applies to you
- What you need to do to comply with the CCPA
- More importantly, I will give you tons of actionable tips on how to work towards your compliance in just 5 easy steps.
- We will see how you can make your blog CCPA compliant easily with the help of a plugin
- We will talk about how you can offer freebies lawfully under the CCPA
- And finally, we will discuss what happens if you don’t comply with the CCPA.
You can enroll in my Masterclass here. Get advantage of the launch price. Only available for a limited time.
After you enroll in my CCPA for Bloggers Masterclass, you’ll finally be able to make your blog CCPA compliant in just 5 easy steps.
Now, because one of these steps is to have a CCPA compliant privacy policy, I also made available a CCPA compliance for bloggers bundle so that you can get both my Masterclass and my Privacy Policy WorkShop and Template at a discounted price.
Thousands of bloggers have already taken my masterclass and my legal courses and have left raving testimonials and reviews.
CCPA Compliance for Bloggers Bundle
Have no time to figure out legal requirements and how to write your CCPA + GDPR + FTC compliant privacy policy?
Don’t have the budget to consult with a local lawyer who will charge you upwards of $300 an hour and may not fully understand your needs as a blogger?
No need to worry!
The CCPA Compliance for Bloggers Bundle is all you need!
It includes my CCPA for Bloggers Masterclass AND my Privacy Policy Template Course which comes with a plug-and-play CCPA + GDPR + FTC compliant privacy policy perfect for bloggers.
You will have everything you need to make you blog CCPA compliant in less than ½ hour!
And when you get the bundle, you will save $$!
Need help with CCPA compliance?
Why you need to comply with the CCPA
As we’ve seen, most of the information surrounding the CCPA are actually false myth and most bloggers may actually need to comply with the CCPA. The CCPA is the law and so, if it does apply to you, you will need to work towards compliance to meet these legal requirements or else you will expose yourself and your blog at the risk of facing fines and lawsuits.
But please bear in mind that even in the event the CCPA doesn’t apply to you, you may want to look into it anyway and see whether you would like to comply with it completely or in part.
In fact there are several reasons why you as a blogger may want to comply with the CCPA even if you’re not required by law to do so.
Here are a few reasons you may want to consider:
Ethics
Ethically, you agree with the standards of privacy and data protection afforded by the CCPA (and/or the GDPR) and want to ensure the same standard to all your users.
Partnerships
In the future, you may be requested to do so by partner brands, ad networks, and affiliate programs TOS (it has happened in the past for other regulations, e.g. the GDPR, the FTC guidelines).
Professionalism
You’d like to make your blog look more professional and build trust with your audience.
Thresholds and traffic growth
You’d like to be ready for when you will reach the threshold that will make the CCPA applicable to you.
Kick-starting your compliance with future privacy regulations
You’d like to kickstart your compliance in view of similar data and privacy regulations coming to force soon, such as for example, the Online Privacy Act.
There is a proposed bill in the United States for an Online Privacy Act which would be applicable at the federal level, and would even create a Digital Privacy Agency.
As a lawyer and GDPR expert, I have been saying for years, that the GDPR would have a domino effect and would cause a chain reaction and as a result, many other similar privacy regulations would be issued around the world.
Now this all happening.
The CCPA is here.
Other regulations will come.
Don’t stay behind.
Work on your GDPR and CCPA compliance today.
If you need help, check out my FREE and premium legal courses for bloggers, or let me know in the comment section how I can help you to make your blog compliant.
Related posts to ccpa compliance for bloggers
legal courses + templates for bloggers
Legally Blogs
Legal Course for Bloggers-
Access from all your devices
-
Lifetime access to current and future updates
-
BONUS: Facebook Group
-
Suitable for bloggers worldwide
Legal Bundle Value Pack
Legal Templates for Bloggers-
4 legal templates - bundle
-
Extra bonuses included
-
Save $50+
-
Access from all your devices
-
Lifetime access to current and future updates
-
Suitable for bloggers worldwide
gdpr compliant blog
Legal Course for Bloggers-
Privacy policy + cookie policy included
-
10+ extra bonuses
-
Access from all your devices
-
Lifetime access to current and future updates
-
Suitable for bloggers worldwide
You may also like
5 SEO Monitoring Tips to Boost Your Site Rankings
9 Ways to Grow Your Email List Quickly
8 Website Accessibility Changes to Improve SEO
free 5-day email course
Blogging for new bloggers fast track
Get the exact blueprint that makes me $20K+ every single month. Enroll now to start your blog the right way and make money blogging within the next 6 months.
Unsubscribe at any time – Privacy Policy
Powered by ConvertKit
1 thought on “5 Common Myths and Misconceptions About CCPA Compliance for Bloggers”
Thanks for this thorough article, Lucrezia. I had heard of this but hadn’t looked into it thoroughly, so this was great to catch me up to speed!
One thing I’m curious about: with Californians’ right to see their collected data, are companies supposed to provide back the actual specific pieces of information back to the customer? Or are companies legally OK not to show the actual value of the personal information?