NOTE: we are not lawyers. Please talk to your legal counsel before proceeding with compliance measures.
In May of 2018, Europe grappled with online privacy with the implementation of GDPR. With a lot of gray areas around how US-based businesses should comply with GDPR and how enforceable the law was here, we instructed our clients to consult their legal counsel on the matter and provided some free tools to aid in compliance.
Now the online privacy legislation battle has arrived on our shores, with several states either considering or having already passed bills. California – the world’s 5th largest economy – passed the California Consumer Privacy Act (CCPA) in 2018 and amended it in 2019; it takes effect on January 1st, 2020. Other states weighing similarly-written bills at the time of this post going live include New York, Maryland, Massachusetts, Hawaii, and North Dakota.
Key Differences in CCPA vs. GDPR
The critical difference between these domestic laws and GDPR is the opt-in versus opt-out model. Under the European rules, non-essential cookies and other tracking may not be set until the visitor gives explicit opt-in consent (strictly necessary cookies are exempt). CCPA instead requires notice at or before the point of collection and a clear pathway to opt out, specifically a “Do Not Sell My Personal Information” link covering the sale of personal information. One caveat: CCPA does require affirmative opt-in before selling the personal information of consumers under 16, and parental consent for those under 13.
Aside from that distinction, the concepts of “right to delete” and “right to access” any data collected by a website are present in each state’s legislation, along with broad definitions of what constitutes personal information (what CCPA calls “personal information” is close to what most of us call PII). In some ways, bills like CCPA are more stringent than GDPR in their wording because they extend the definition to data associated with “households” and not just “individuals.”
Unlike GDPR, where the likelihood of an EU citizen triggering any complaints against businesses that operate solely in the US was relatively low, CCPA and its domestic clones will have much broader implications for all companies doing business across state lines. As more states consider these laws in isolation, the likelihood that a federal privacy law will emerge is high.
Paid Solutions for Complying with CCPA
Free Solutions for Complying with CCPA
Other vendors, like Osano, which we mentioned in our GDPR cookie banner response last year, have a free solution. But it’s less robust in how you can word the cookie banner and in how it can be applied to compliance for certain laws. It’s also limited to a maximum of 7,500 consent views per month, which won’t work for sites with tens of thousands of visitors monthly.
How to Set Up Osano for CCPA Compliance
If you don’t have the budget for a bells-and-whistles solution like OneTrust, here’s a quick step-by-step to configure Osano to help comply with some of the new domestic privacy laws for free.
- Get an account. Sign up for free on their plans page.
- Choose a compliance type from the dropdown and style the banner visually using hex colors.
- Assign a category to your tracking scripts and then click “Get Code” to get the Osano script that enables the banner.
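To make the opt-in versus opt-out distinction above concrete, and to show what “assigning a category to your tracking scripts” actually buys you, here is an added example of a minimal consent gate. It is not Osano’s or OneTrust’s code and does not use their APIs; the category names, the consent record shape, and the jurisdiction/age inputs are assumptions made for illustration. The point it demonstrates is that a compliant banner must block non-essential scripts at injection time under opt-in, while under opt-out the same scripts run by default until the visitor withdraws consent.

```javascript
// Added example, not Osano's or OneTrust's code: a minimal consent gate that
// shows the opt-in (GDPR) versus opt-out (CCPA) difference and the
// script-categorisation step. Category names, the consent record shape, and
// the jurisdiction/age inputs are assumptions made for illustration; a real
// consent-management platform defines its own.

// Constructed sample: each tracking script is tagged with one category.
const SCRIPTS = [
  { src: "/js/session.js",   category: "essential" },
  { src: "/js/analytics.js", category: "analytics" },
  { src: "/js/ads.js",       category: "marketing" },
];

const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

// Pick the regime for a visitor. EU visitors get opt-in (GDPR/ePrivacy).
// CCPA is opt-out in general, but selling personal information of consumers
// under 16 requires affirmative opt-in, so minors are routed to opt-in too.
function regimeFor({ jurisdiction, age }) {
  if (jurisdiction === "EU") return "opt-in";
  if (jurisdiction === "CA" && age < 16) return "opt-in";
  return "opt-out";
}

// Consent state before the visitor touches the banner. Under opt-in nothing
// optional is granted; under opt-out everything optional is granted until
// the visitor withdraws it (e.g. via a "Do Not Sell" link).
function defaultConsent(regime) {
  const granted = regime === "opt-out";
  return Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, granted]));
}

// Record a grant or withdrawal for one category without mutating the old
// record, so each decision can be logged with a timestamp for audit.
function updateConsent(consent, category, granted) {
  if (!OPTIONAL_CATEGORIES.includes(category)) {
    throw new Error(`unknown category: ${category}`);
  }
  return { ...consent, [category]: granted, updatedAt: new Date().toISOString() };
}

// Essential scripts always load; optional ones only with an explicit true.
// A missing or malformed entry is treated as "not granted" (fail closed).
function allowedScripts(scripts, consent) {
  return scripts
    .filter((s) => s.category === "essential" || consent[s.category] === true)
    .map((s) => s.src);
}

// Browser side: inject only the allowed scripts. Blocking at injection time
// is what makes opt-in meaningful; a banner that merely hides itself after
// the scripts have already fired provides notice, not consent.
function injectAllowed(scripts, consent) {
  if (typeof document === "undefined") return []; // no DOM (e.g. running under Node)
  const loaded = [];
  for (const src of allowedScripts(scripts, consent)) {
    const el = document.createElement("script");
    el.src = src;
    el.async = true;
    document.head.appendChild(el);
    loaded.push(src);
  }
  return loaded;
}

// Demonstration of the two regimes on the same script list.
const euConsent = defaultConsent(regimeFor({ jurisdiction: "EU", age: 30 }));
const caConsent = defaultConsent(regimeFor({ jurisdiction: "CA", age: 30 }));
console.log("EU default:", allowedScripts(SCRIPTS, euConsent));
console.log("CA default:", allowedScripts(SCRIPTS, caConsent));
console.log("CA after Do Not Sell:",
  allowedScripts(SCRIPTS, updateConsent(caConsent, "marketing", false)));
```

Whatever platform you use, check it the same way: with a fresh profile in the opt-in regime, confirm in the browser’s network tab that nothing beyond essential scripts loads before you click accept, and in the opt-out regime confirm the categorised scripts stop loading on the next page view after the visitor withdraws consent.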
Online Privacy Going Forward
We can’t know whether all of these bills will pass, but we can prepare based on what CCPA requires today. Expect more states and countries to pass similar laws, and expect cookie banners to become the new normal across the internet!