CCPA, GDPR, 2020 And What They Mean To Your Site

CCPA AND GDPR Shoulda Made It On Your Radar by now, but I bet it hasn’t.  At least based on the random 24 sites I visited today.  Nearly three in four sites have no CCPA or GDPR mandated announcements.




From the early days of the internet you’ve received cookies.  Cookies are a small text file that identifies you to a site once you visit it.  Now how does it identify you?  Not specifically in and of themselves, think of them as tokens.  Or prize tickets … the token or ticket doesn’t have to have information directly about you it could be just a number.

Say you visit my site I give you a cookie and it has a number I assigned to you.  You’re 777.  You come back a day later and your computer shows your cookie and I know that 777 was here yesterday so you’ve returned.  I may show content specifically for a returning visitor.  I may already know what content you saw on my site from last time.

Seems harmless enough but that was the dawn of the internet today sites aggregate data, for instance Google Analytics runs on a lot of sites.  Maybe too many …

According to BuiltWith, Google Analytics is currently in use at around 57% of the 10,000 most popular websites. Overall 12,376,541 websites were using Google Analytics: 372,404 websites within the top million most visited sites on the internet and an additional 12,004,137 websites on the rest of the Internet.

So in this scenario now Google assigns you the number 666 we’ll randomly say. Google then can track your visits to about half the sites in the top 10,000. Thats a lot of knowledge, page by page … site by site. 

 Why would sites allow this? Google shares insights back to these sites, mostly just about your use of their site for free. But the knowledge Google gains is immense. Your cookie might as well be your name now.

Whats CCPA?

Effective January 1 2020 all sites visited by a resident of California must adhere to the California Cookie Privacy Act (teasing its the California Consumer Privacy Act) which deals with cookies.  

This act requires you to be given an opportunity to “opt out” of being tracked…it allows you to say “no cookies please”.   Sounds great but it basically means that sites wont know who you are when you return or what you’ve seen and that kinda breaks the internet.  But thats if you opt out …. if you click accept the game keeps going as normal.

There are additional parts of CCPA such as the ability to consent and later renounce that consent and to be able to ask to be forgotten.

That creates a lot of work for IT environments to do and how it affects the site’s SEO and ranking is debated.

Whats GDPR? 

For simplicity its the same as CCPA but its a law made in Europe and it requires an “Opt In.”  That difference in opt in vs opt out is huge actually.

The EU law also says that it is required of any site in any country that a European visits.  So does that mean that the local First Baptist Church in Anytown USA has to meet the standards of GDPR.  Thats the presumption and it is already in force.  

What Do They Look Like On Sites? Examples Of CCPA. CCPA

cookie bar ccpa GDPR

ccpa banner

 Visa CCPA

gdpr ccpa cookie bar

Other Sites And CCPA

cookie barccpa

Privacy Page

Right to be forgotten

Penalties For NonCompliance To CCPA And GDPR?

Yes.  CCPA ranges from 100 to $750 per user per incident that private data is not compliant.  So if 100,000 users arent asked about a cookie over 10 times the fine could be as much as $750,000,000.

Now that would really suck for First Baptist Church from our earlier example.  Not many small town organizations have that kind of money.  But wait … there are exemptions too.

CCPA Exemptions?

You have to do $25 million a year in revenue among other various clauses.  So if you do $1000000 a year online you are exempt for now from CCPA.  

GDPR Exemptions?

Well those are just as complicated as the GDPR law is itself.

There are limited GDPR exemptions related to the processing of personal data as detailed below:

  • When data are processed during the course of an activity that falls outside of the law of the European Union
  • GDPR does not apply to individuals that process data for personal or household activity
  • GDPR does not apply to government agencies and law enforcement when data are collected and processed for the prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties or for preventing threats to public safety
  • GDPR does not apply to the processing of personal data by Member States for activities under the scope of Chapter 2, Title V, of the Treaty on European Union.

What does that second bullet even mean?  What individual is tracking my personal data for household activity?  

Well…there are a billion more points to note on this but if you’re reading this now its also after the deadline and you likely need to give up the DIY effort and hire a consultant to bring you up to speed.

What WordPress Cookies Are CCPA GDPR Compliant?

None.  You see a plugin still needs to be configured and if you take the plugin from one site that is compliant and place it on your site, that doesn’t magically mean you’re compliant.  Its all about how you use a tool to get the job done right.

Who Can Help Me With CCPA And GDPR?

Beware of consultants who start everything with “I’m not a lawyer but” because thats basically them saying you should contact a lawyer, I’m not one and anything I say after is of no real value.

Ultimate SEO is a complete team of technical, marketing and legal professionals.  Our Genral Counsel, Christopher Lee Coffman is part of any CCPA / GDPR project we undertake and we can tell you what you need to know without starting off telling to contact someone else.

Contact Us About CCPA GDPR Compliance On Your Site.

Visit our SEO Store for a Professional CCPA GDPR Site Review.