10 CCPA Compliance Tips For Web Developers

Data Overhaulers
Jun 6, 2023

Created by consumer advocates, not politicians or big tech companies, the California Consumer Privacy Act (CCPA) is currently the most aggressive and consumer-focused privacy regulation in the United States. The CCPA is a groundbreaking regulation because it’s designed solely to benefit consumers by:

  • Increasing transparency around how companies collect and use their personal information
  • Giving them control over how companies use and sell their personal information
  • Requiring companies to increase their database security with fines for breaches that result in the exposure of personal information

There’s no question about it — achieving and maintaining CCPA compliance is a big task — and it’s one that web developers need to have on their to-do list. But, by methodically following the steps below, it’s totally doable. Are you ready? Let’s get started!

1. Start with a bit of Privacy By Design.

When privacy is tacked on at the last minute, it feels and looks haphazard. It doesn’t deliver on the user experience front OR the privacy front. But when you start with a Privacy By Design mentality on your websites, it’s a different story.

CCPA doesn’t specifically require privacy by design (PbD), but it’s an essential framework for web developers to use. PbD is all about looking ahead and identifying privacy concerns before you put pen to paper. (Or code to computer, whichever you prefer.) Don’t want to entangle your websites with privacy risks? Don’t create them in the first place.

This, of course, is easier said than done. But it’s also not as complicated as you might think. There are seven guiding principles to consider:

  1. Be proactive, not reactive. Keep privacy issues from reaching the user in the first place.
  2. Make privacy the default. Don’t make the user take extra steps to secure their privacy. This includes not assuming they’ve consented to data sharing.
  3. Put privacy into your design schema as a function.
  4. Privacy isn’t an either/or situation: It’s a balance of privacy and security.
  5. End-to-end lifecycle protection of personal data. Follow the best practices for minimizing, retaining, and deleting data.
  6. Make your privacy standards transparent. Form them in a way that stands up to evaluation. Document them in a way that users can understand them.
  7. Keep the user front and center. Allow for choice, strong security defaults, and transparent notification processes.

2. You can’t use an old map to explore a new world.

Remember maps? No, not Google Maps or Apple Maps. The old, non-digital kind. Unlike Siri’s 30-second warning before a left turn, using a map gave you a bird’s eye view of what your entire trip would look like. You knew what exits to look for before putting your key in the ignition.

Mapping your data gives you the same top-down view of what consumer information you have, how you’re using it, where you store it, and where it’s going. Why do you need this information?

First and foremost, you need it for compliant privacy policies, but it’s valuable for a host of other purposes. It helps you:

  • minimize data collection on a website,
  • implement appropriate security processes, and
  • track and manage vendor relations.

And, of course, a good data set is critical to the digital marketing activities you or your clients have on the horizon.

3. Tell it straight.

Privacy policies. As a web developer, you’re not going to be writing them, but that doesn’t mean you don’t need to know your way around them.

A client’s privacy policy should detail what kind of information you’re collecting, what you’re doing with the data, who you’re sharing it with, and how long you’re storing it.

As the web developer, you need to be able to implement privacy notices, so the consumer is notified about data collection before or at the time of collection anywhere data is being collected.

But as a web developer, your design choices impact privacy policy needs, as well.

If your sites collect data to improve the user experience or allow for targeted ads or sharing information with third-party vendors, then you should work closely with your in-house privacy professional, fractional privacy officer, or consultant to make sure they have all the details of what to include in the privacy policy.

4. Don’t let your third parties be the weak link

Let’s dive a little bit deeper into the whole issue of third-party vendors. For web developers, third-party vendors are pretty dang important. They add everything from functionality (like video conferencing or chat) and flash (Instagram feeds are awfully pretty, aren’t they?) to analytics (Google Analytics for the win!) to your products.

But being fluent in web design doesn’t mean that you’re knowledgeable about the whole flow of data between your site(s) and third parties.

Chances are high that you are sharing your customers’ information with at least some of your vendors, and their privacy and security practices (or lack thereof) can significantly impact your own. You need to make sure your vendors are:

  • Following industry best practices for data security and privacy
  • Notifying you of security breaches and data incidents
  • Conducting their own independent security audits and allowing you to see the results

But once you’ve assessed your vendors, what next? You should build in annual vendor reviews and plan to renegotiate contracts. You must hold them to high privacy standards to keep your users’ safety and security front and center.

An essential part of this process is communicating with your in-house privacy professional, fractional privacy officer, or consultant. They need this information to do their jobs, plus they’ve got expertise — get their insight in helping resolve vendor questions!

Check out Red Clover Advisor’s Vendor Management Guide for more information.

5. Do Not Sell

In addition to implementing updated privacy policies across the site, you need a clear and obvious “Do Not Sell My Personal Data” button on your home page with clear instructions on how consumers can manage their data. If data is sold via advertising, analytics, or other third-party pixels, additional configuration may be needed to ensure those opt-outs are appropriately captured.

While most users have to opt-out of having their personal information shared or sold to a third party, CCPA explicitly requires user consent to share or sell the personal data of minors under the age of 16. Luckily, a good data mapping program makes knowing which data is and isn’t sold much easier.

6. Cookies

A cookie notice is a subset of your privacy policy that includes detailed and specific information about the individual cookies on your site. While a cookie banner is not mandated, per se, by CCPA, it’s considered best practice to allow your visitors the option to opt-out of data collection via cookies.

Web developers should facilitate cookie compliance by setting up cookie consent tools correctly. Allow settings to be managed for opt-ins, and configure opt-outs for Do Not Sell My Personal Data, especially on platforms like Facebook or Google Analytics.
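To make tips 5 and 6 concrete, here is an added example (not code from the original article) of gating third-party tags on a visitor's Do Not Sell state: opt-out by default for most users, opt-in for minors under 16. The cookie name, the vendor list, and the `under16`/`optedIn` flags are all hypothetical; the vendor list stands in for an extract of your own data map.

```javascript
// Added example: cookie name, vendor ids and visitor flags are hypothetical.
const OPT_OUT_COOKIE = "ccpa_do_not_sell"; // assumed to be set to "1" by the "Do Not Sell" control

// Constructed data-map extract: which third-party tags involve selling/sharing personal data.
const VENDOR_TAGS = [
  { id: "chat-widget", sellsData: false },
  { id: "ad-pixel", sellsData: true },
  { id: "analytics", sellsData: true },
];

// Parse a Cookie header string ("a=1; b=2") into a plain object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue; // skip fragments without a value
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    const raw = part.slice(idx + 1).trim();
    try {
      out[name] = decodeURIComponent(raw);
    } catch {
      out[name] = raw; // keep the raw value if the encoding is malformed
    }
  }
  return out;
}

// Most users: sale allowed unless they opted out. Under 16: allowed only after opt-in.
function saleAllowed({ cookieHeader, under16, optedIn }) {
  const optedOut = parseCookies(cookieHeader)[OPT_OUT_COOKIE] === "1";
  if (optedOut) return false;           // a recorded opt-out always wins
  if (under16) return optedIn === true; // minors need explicit consent first
  return true;
}

// Return the ids of the tags that may be loaded for this visitor.
function tagsToLoad(visitor, vendors = VENDOR_TAGS) {
  const allowed = saleAllowed(visitor);
  return vendors.filter((v) => allowed || !v.sellsData).map((v) => v.id);
}
```

Tags that don't sell data load regardless, so an opt-out never degrades core functionality, which also lines up with the "same service at the same price" right covered in tip 7.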

7. Individual Rights Requests

Individual rights requests are the teeth that give the CCPA its bite. Customers have the right to:

  • Know what information is being collected, what it’s being used for, and who it’s being shared with
  • Have their information deleted from your databases
  • Opt-out of having their information sold
  • Receive the same service at the same price as people who do not opt-out

To be CCPA compliant, you (or your client) must acknowledge receipt of and resolve these requests within a strict timeline.

What does this have to do with web development, though?

Firstly, data mapping. A good data map helps develop well-ordered, effective processes that will allow you to meet those timelines.

Developers can also support individual rights requests by creating manageable workflows. Make it easy for consumers to submit requests. CCPA requires companies with in-person operations to allow consumers to submit requests by calling a toll-free number and:

  • Emailing or
  • Submitting a form on your website or
  • Turning in a physical request at a store, branch, or company headquarters

Note:

Online-only companies are exempt from the requirement to have a 1–800 number.

8. Too much of a good thing.

Data minimization is part of PbD, but web developers haven’t always embraced it. Web developers used to collect every scrap of data they could and store it until they figured out what they wanted to do with it. But like your mom used to tell you at the sundae bar, you can have too much of a good thing.

Since privacy regulations like CCPA make companies increasingly liable for what happens to the information you collect, casting a wide data net is a risky practice. And hanging on to all that data for extended periods of time means taking on serious risk for something that may not even have any value.

Not only is it safer to collect the minimum amount of data needed, but it’s also smarter. Less data makes data mapping and inventory more efficient and easier to manage.

Keep third-party vendors to a minimum, too

Does that app spark joy? And by “spark joy,” I mean does it serve an active role for your site? If not, get rid of it.

In fact, avoid keeping any applications, plug-ins, or databases that aren’t being used, along with all their associated files.

9. Safety isn’t expensive. It’s priceless.

CCPA assesses fines up to $2,500 per violation and $7,500 per intentional violation on companies. This doesn’t include the potential civil penalties of between $100–750 per record that could result from a lawsuit brought by individuals after a data breach in certain scenarios.

In the absence of clear guidelines, your best bet is to conduct a comprehensive review of your security protocol. Whether you do it yourself or hire a contractor, it’s critical that your team understands the full lifecycle of a data record, including where the record interacts with third parties.

This review will show you the holes in your security. You may need to restrict permissions, change personnel, or add encryption programs. Still, it’s better to find that out on your own when you can fix it rather than during the stress of an actual breach.

You should also assess your hosting provider. They constitute a significant part of your security landscape.

  • Are they doing everything possible on their end to keep your site secure?
  • Is backing up your data and restoring it a smooth and painless process?
  • Do they provide a robust support channel?

If not, it’s time to consider a new host.

10. Training is (more than) half the battle.

Mistakes by employees cause nearly 95% of cloud-based breaches. And it’s not just your IT team making mistakes.

Major breaches can be caused by simple employee errors like:

  • Responding to phishing emails
  • Using work devices for personal transactions (or vice versa)
  • Weak/shared passwords
  • Using public WiFi networks
  • Downloading unauthorized programs
  • Not promptly installing software/hardware patches and updates

But avoiding hacks isn’t the only training your team will need if you are genuinely going to be compliant. Employees need to be trained on what makes a request valid and your processes for managing individual rights requests. CCPA compliance will require collaboration between your marketing, product, IT, HR, customer support, and legal functions.

Just start.

Achieving and maintaining CCPA compliance can feel overwhelming, but it can be done affordably by large corporations and small businesses. The trick is to take a deep breath and jump into the work.

Even if it doesn’t apply directly to you, adhering to the tenets of CCPA will set your company up for success both now and in the future. Consumers will continue to demand increased control of how their personal information is used online, and proactively meeting their expectations will increase how much trust they place in you.

This article originally appeared on Data Overhaulers.
