CCPA: Online Privacy Comes Stateside

Michael Wiegand, Director of Analytics

NOTE: we are not lawyers. Please talk to your legal counsel before proceeding with compliance measures.

In May of 2018, Europe grappled with online privacy with the implementation of GDPR. With a lot of gray areas around how US-based businesses should comply with GDPR and how enforceable the law was here, we instructed our clients to consult their legal counsel on the matter and provided some free tools to aid in compliance.

Now the online privacy legislation battle has arrived on our shores, with several states either considering or actively having passed bills. California – the world’s 5th largest economy – passed a bill called CCPA in 2019, and it’ll go into law on January 1st, 2020. Other states weighing similarly-written bills at the time of this post going live include New York, Maryland, Massachusetts, Hawaii, and North Dakota.

Key Differences in CCPA vs. GDPR

The critical difference between these domestic laws and GDPR seems to be regarding opt-in and opt-out policies. The European law requires explicit opt-in for the firing of any cookies or other data collection, but our US laws only need notification of cookies and a clear pathway to opt-out functionality.

Aside from that distinction, the concepts of “right to delete” and “right to access” any data collected by a website are all present in each state’s legislation, as well as broad definitions of what constitutes Personally Identifiable Information (PII). In some ways, bills like CCPA are more stringent than GDPR in their wording because they extend their PII definitions to “households” and not just “individuals.”

Unlike GDPR, where the likelihood of an EU citizen triggering any complaints against businesses that operate solely in the US was relatively low, CCPA and its domestic clones will have much broader implications for all companies doing business across state lines. As more states consider these laws in isolation, the likelihood that a federal privacy law will emerge is high.

Paid Solutions for Complying with CCPA

So how should businesses comply with the coming onslaught of domestic online privacy laws? There are several ways. Here at Portent, our parent company has chosen to buy a tool called OneTrust. It offers a variety of ways to present notification banners and gives compliance officers at an organization full control over how privacy policy information and corresponding opt-out functionality is shared. The tool starts at $30/month per domain, which is pretty expensive for smaller and mid-sized businesses with control over many unique web properties.

Free Solutions for Complying with CCPA

Other vendors like Osano, that we mentioned in our GDPR cookie banner response last year, have a free solution. But it’s less robust in how you can word the cookie banner and how it can be applied to compliance for certain laws. It’s also limited to a maximum of 7,500 consent views per month, which won’t work for sites with tens of thousands of visitors monthly.

How to Set Up Osano for CCPA Compliance

If you don’t have the budget for a bells-and-whistles solution like OneTrust, here’s a quick step-by-step to configure Osano to help comply with some of the new domestic privacy laws for free.

  1. Get an account. Signup for free on their plans page.Screenshot of Osano's plans and pricing page
  2. Configure the domain you want the banner to appear on and link to your privacy policy.Screenshot showing how to link to your company's privacy policy in Osano
  3. Choose a compliance type from the dropdown and style the banner visually using hex colors.Screenshot of Osano visual stying page showing how to select a compliance type from the drop down.
  4. Assign a category to your tracking scripts and then click “Get Code” to get the Osano script that enables the banner.Screenshot showing how to add a script category in Osana

Online Privacy Going Forward

We can’t predict the future to understand if all these laws will pass, but we can prepare based on what we know about CCPA in the present. Expect more states and countries to pass similar laws and that cookie banners will be the new normal across the internet!

Michael Wiegand, Director of Analytics
Director of Analytics

Over two decades as a marketer, Michael's experience has run the gamut from design, development, direct mail, multivariate testing, print and search. He now heads Portent's analytics practice, overseeing everything from Google Tag Management, to CRM integration for closed-loop analytics, to solving ponderous digital marketing questions. Outside of work, he enjoys recording music, playing D&D, and supporting Seattle Sounders FC.

Start call to action

See how Portent can help you own your piece of the web.

End call to action


  1. Hello Micheal
    Great post! this post really help me to understand the difference between CCPA vs GDPR very clearly
    Thank you

Leave a Reply

Your email address will not be published. Required fields are marked *

Close search overlay