Your WordPress.com Site and the CCPA

We care about your privacy and the privacy of your site visitors. The California Consumer Privacy Act (CCPA) is a new law that gives California consumers more transparency into, and control over, the personal information that for-profit companies doing business in California collect about them. WordPress.com is committed to operating in accordance with the CCPA, as well as giving you tools and resources to help you better understand and comply with the law on your own site, like this guide.

If you have questions about any of the choices we’ve made, tools or features we’ve created, or feedback on how we can make this all a little bit easier, we’d love to hear from you at https://wordpress.com/help/contact/.

Who Does the Law Apply To?

If you are a for-profit company doing business in California, or with Californians, then CCPA applies to your company if you meet one or more of the following criteria:

  1. Your annual gross revenue exceeds $25 million
  2. You collect personal data from 50,000 or more people — for example: customers, mailing list recipients, or followers
  3. 50% or more of your annual revenue comes from selling the information of California consumers

If you’re unsure whether CCPA applies to your business, a qualified attorney should be able to help you answer that question.

Our CCPA Recommendations for Site Owners

To get ready for CCPA, some of the steps you can take as a site owner are listed here in our guide, which focuses on the CCPA requirements most likely to affect WordPress.com site owners. For the full list of CCPA requirements you should refer to the links in our Learn More section. An attorney can also help you determine which requirements apply to you and your business.

Publish a Privacy Policy

Your Privacy Policy should let your users know what information your site is collecting about them, what you are doing with that information, who you are sharing that information with, and provide a way for people to contact you. If you don’t know what information your site is collecting we’ve put together the following resources to help you get started:

When researching the information your site is collecting you should also review the plugins you’ve installed, the tools you are using for marketing or running your site, and all custom scripts you’ve added. These kinds of extra functionality are common on sites running our Business and Ecommerce plans and, depending on their purpose, could be an additional source of information your site is collecting and/or sharing. Be sure to also look at any other tools (online or offline) that you use for your business that collect information about your site visitors and customers.

The CCPA has specific requirements for what to include in your Privacy Policy and how to make it available to your site visitors — for example, making it easy to find by adding a link to it from your homepage, updating it at least once a year, describing the categories of personal information shared with third parties (like your vendors and service providers), along with the purposes for collecting and sharing information, and including the rights of California consumers in your policy. You can find the full list in the links in our Learn More section.

If you aren’t sure how to get started with your Privacy Policy you are welcome to use ours as a template (note that we are still working on updating it for CCPA). We release our Privacy Policy under a Creative Commons Sharealike license, which means you’re more than welcome to copy it, adapt it, and repurpose it for your own use. Just make sure to revise the language so that your policy reflects your actual practices and how you are complying with the CCPA and other privacy laws.

Provide a Way for Your Site’s Visitors to Access/Delete Their Information

CCPA requires that you tell people what personal information you collected about them and what you’ve done with that information when they ask. Your response should include, among other things, the categories of service providers and others you share data with; for example, you share data with us as your site’s host.

CCPA additionally requires that you delete this information upon request, though there are situations in which you would be allowed to keep the information even after receiving a deletion request. For example, you may need to keep some information for tax purposes or to comply with a legal obligation. 

Much of the personal information collected by your site can be gathered/deleted by you through your site’s dashboard. For example, you can search for and delete comments from a specific individual via your site’s comments admin area. You can do the same for information submitted through our built-in Contact Form. Our Privacy Notice has a good overview of the information your site collects, but if you receive a request for either access or deletion and you aren’t sure how to honor it, you can reach out to us for help at https://wordpress.com/help/contact.

As part of implementing your CCPA deletion process you may want to establish a retention policy for the personal information your business collects. There isn’t a single right answer for how long your retention policy should be, but in general it’s a good idea to only keep information for as long as you need it. You can use the Bulk Actions option in the wp-admin dashboard to edit or delete collected information in a variety of areas including WooCommerce Orders, Contact Form Submissions, and Comments.

Provide Your Visitors/Customers an Opt-out If You Sell Their Information

If you are selling the information your site collects about your customers or site visitors, you should provide an option for them to opt-out, or to opt-in if they are under the age of 16 (parental approval required for minors under 13). For example, if your site collects email addresses and you sell them to an affiliate you would need a clearly displayed “Do Not Sell My Info” link on your website. More information on what the CCPA defines as a “sale” is in the links in the Learn More section.

WordAds

Our WordAds program allows you to choose to place ads on your qualifying sites. Participating in WordAds is a way for you to earn revenue to support and grow your sites. WordAds shares some information about your site’s visitors with our advertising partners. The advertising partners may use that information to display personalized ads to those visitors. 

The information we share includes online identifiers, internet or other network or device activity, and geolocation data, but never a name or contact information. The sharing of this information with our advertising partners may be considered a “sale” of information under the CCPA. We have provided the following opt-out tools to help you comply with CCPA requirements.

For sites on the free WordPress.com plan (and on the logged-out WordPress.com homepage), we have added a “Do Not Sell My Personal Information” link to the site. When a visitor clicks this link, they are directed to our Advertising on WordPress.com Sites and Sites in the WordAds Program page where they can find more information and a button that lets them opt out of ads being personalized to them based on their visits to any *.wordpress.com domain.

For sites on a paid WordPress.com plan, we have introduced a toggle in the WordAds settings page in the dashboard that allows you to enable targeted advertising in California. You can choose whether or not you want to enable this on your site. If you choose not to enable targeted advertising, then generic ads will be displayed for any of your visitors who come from California IP addresses.

Enabling targeted ads in California for sites on a paid plan is a two-step process:

  1. You enable the targeted advertising toggle on the WordAds settings page. Make sure to save the settings before moving to step 2 below.
  2. You enable the CCPA Consent Widget or use the [ccpa-do-not-sell-link] shortcode with a Text Widget to add the “Do Not Sell My Personal Information” link to your site. If your site has a paid plan, it is mandatory to add this link if you want to show targeted ads in California.

When you add the “Do Not Sell My Personal Information” link to a site with a paid plan, any visitor who clicks on the link will get a pop-up modal that allows them to opt out of ads being personalized to them based on their visits to your site. When you enable the toggle on the WordAds settings page, you have the option of providing a link to your site’s privacy policy. If you choose to do so, the link you provide will be included as part of the pop-up modal text.

The “Do Not Sell My Personal Information” links for free and paid sites only display to California IP addresses. You will also be able to see the link when you are logged in regardless of your geolocation so that you can test and preview the position of the link.

Our CCPA Commitments to WordPress.com Users

Your privacy is important to you — and to us, too. It’s why we’ve already integrated these recommendations (and a few others) into our products. This means that as a WordPress.com user, you can…

  • Learn what information we collect and how we use it by reading our Privacy Policy.
  • Contact us at https://wordpress.com/help/contact to gain access to the information we’re storing about you and to request a Data Processing Agreement. 
  • Delete your personal account information by closing your account. 
  • Delete your site and all its contents.
  • Exercise the above options without any effect on the prices we charge for our upgrades. 

Not in California? No Problem! These privacy options are available to everyone, regardless of location.

Beyond these proactive steps you can take on your end, you can also expect WordPress.com to protect the privacy of your personal information, to only collect your information when we need to, and to delete your personal information once it’s no longer necessary.

Learn More

The full text of the CCPA is available online. The law takes effect on January 1, 2020.

Additionally, there are draft regulations and a CCPA fact sheet published by the California Attorney General’s office. These regulations provide more details about how to implement the CCPA’s requirements and are still under review. They will not be finalized until April or June 2020. 


NOTE: This guide is not intended as a replacement for legal counsel; if you have concerns about whether CCPA applies to you, or if your site is CCPA compliant, we encourage you to seek the advice of a qualified attorney.