đź’ˇ Confused about the CCPA? Here’s what you need to do:
In this guide, we’ll show you how to meet the notice of collection and opt-out requirements of the California Consumer Privacy Act (CCPA) with our Cookie Solution.
Our Solution allows you to meet these requirements in three ways:
Our solution allows you to display a notice which informs Californian consumers that their data might be collected and of their right to opt-out. The notice also displays a “Do Not Sell My Personal Information” link as legally required.
Our solution displays a DNSMPI (opt-out) link within the collection notice (as legally required) and also allows you to add the link to your site for easy user access (as legally required).
The CCPA also requires that you facilitate consumers’ opt-out requests. Our solution handles this in the following ways:
Our solution allows you to automatically apply either or both CCPA and GDPR standards to the same users when legally required.
Facebook’s new Limited Data Use (LDU) allows site owners who fall under the CCPA and who use Facebook’s services in their advertising or on their site, to request that Facebook limit their data processing for Californian residents.
According to Facebook:
“If we receive a flag for a person in California, we will process data in accordance with our role as a service provider and limit the use of that data subject to our State-Specific Terms. Limited Data Use is only effective for people in California. If businesses do not set the parameters to US and California, we will determine if a person is in California. Businesses may notice an impact to campaign performance and effectiveness, and retargeting and measurement capabilities will be limited.”
In general, there are two ways by which facebook identifies where to apply these settings:
Obviously the second approach is generally preferable and gives you more control.
We’re happy to say that iubenda’s Cookie Solution supports Facebook’s Limited Data Usage.
For a look at how you can set up your Cookie Solution to pass relevant LDU settings data to Facebook, please see the code example below.
See the Pen Facebook Limited Data Use by iubenda (@iubenda) on CodePen.
This setup will allow you to seamlessly pass the right variables when your users apply a CCPA opt-out.
The following scenarios and the accompanying instructions will allow you to:
Add <script src="//cdn.iubenda.com/cs/ccpa/stub.js"></script>
before your Cookie Solution embedding code and make sure that both codes are placed as very first scripts of the page (e.g. right after the opening of the <head> tag).
For example, you’re a non-EU business that has Californian users but does not have EU-based users.
This particular scenario actually has two use cases:
(a) You’d like to apply CCPA standards to all your users.
If you want to apply CCPA standards to all your users, but not apply the GDPR to any of them, select “Apply CCPA” and “Always Apply CCPA“:
Code:
"enableCcpa": true,
"ccpaApplies": true,
"enableGdpr": false,
"gdprApplies": false,
"gdprAppliesGlobally": false,
(b) You’d like to apply CCPA standards to only your Californian users.
If you want grant CCPA standards only to users from California by automatically detecting users connecting from California and only applying the CCPA to them, select “Apply CCPA” and “Automatically detect when to apply CCPA based on user location“:
Code:
"enableCcpa": true,
"countryDetection": true,
"enableGdpr": false,
Open on CodePen
For example, you’re a non-EU business that has both EU-based and Californian users
Based on country detection, we’ll apply the CCPA when we detect that the user is connecting from California and the GDPR when the user is connecting from the EU. Select “Apply both” and “Automatically detect when to apply CCPA based on user location“:
Then, select “Request consent to EU users only” in “Advanced View”:
Code:
"enableGdpr": true, //true by default, so it's not strictly needed
"enableCcpa": true,
"gdprAppliesGlobally": false,
"countryDetection": true,
For example, you’re an EU business that has Californian users.
Important: remember that, if you’re based in the EU, you are required to apply the GDPR worldwide.
Select “Apply both” and “Automatically detect when to apply CCPA based on user location“:
Code:
"enableGdpr": true, //true by default, so it's not strictly needed
"enableCcpa": true,
"gdprAppliesGlobally": true,
"countryDetection": true,
In this case, we’ll show Californian users a notice that incorporates both the GDPR and the CCPA requirements, while users outside of California receive only the GDPR standards.
The examples below cover both scenarios 2 & 3. For this reason, we suggest opening these examples in CodePen in order to read the full description.
CCPA & GDPR enabled:
Open on CodePen
CCPA & GDPR enabled with TCF active:
Open on CodePen
For example, you’re an EU business that does not have Californian users
If the CCPA doesn’t apply to you, you can use the default Cookie Solution snippet.
If the user expresses the choice to opt-out of the sale of their data, this choice must be honored. There are three ways to make sure of this.
In this case, our integration with the CCPA Compliance Framework will take care of notifying the vendors that an opt-out from sale has occurred.
This is, for instance, the case with Google, which allows you to send a specific signal whenever an opt-out has occurred. The instructions are provided in this article and apply to Google Ads and to Google Analytics.
Other vendors may provide similar instructions.
In this case, you’ll have to apply the class _iub_cs_activate
to the script
tag of each of these services, change the type attribute from text/javascript
to text/plain
and add the data-iub-blockifccpaoptout
attribute:
<script class="_iub_cs_activate" type="text/plain" data-iub-blockifccpaoptout src="...">
...
</script>
This can be done manually or via a tag manager like Google Tag Manager.
The CodePen example here demonstrates how to manage scripts for the CCPA (and the GDPR) using Google Tag Manager.
As a requirement under the consumer’s right to opt-out, you must provide an easily accessible, clear and conspicuous “Do Not Sell My Personal Information” link on your website.
By following the instructions above, you’ll be displaying a “Do Not Sell” link in the CCPA notice, but we also offer the possibility to add a standalone link, by adding the class iubenda-ccpa-opt-out
. It is recommended that you add an easily accessible link somewhere on your site (typically the footer) so that users can still opt-out even after closing the notice, if they so choose (legally required).
For example, you could add a link to the footer as follows:
<a href="javascript:void(0)" class="iubenda-ccpa-opt-out">Do Not Sell My Personal Information</a>
When clicked, this link will display a dialog where the user can confirm their intention to opt-out from the sale of their personal information.
If you prefer not to display an actual banner to notify users about CCPA, you can do so by using the following settings:
ccpaNoticeDisplay: false
This option is also available through the configurator (“Only link the privacy policy on every page”).
You can choose to:
ccpaAcknowledgeOnDisplay: false
, default);ccpaAcknowledgeOnDisplay: true
); or These settings are also available through the configurator.
ccpaCookie: { expireAfter: 365 }
– Allows you to customize the expiration of the cookie that stores the acknowledgment of the notice.
privacyPolicyUrl: "https://yoursite.com/privacypolicy"
– Allows you to customize the privacy policy link. On the configurator (under “Advanced view”):
ccpaLspa: true / false / undefined
(default) – Allows you to specify whether the transaction should be performed under the Limited Service Provider Agreement (LSPA) by iab.
onCcpaAcknowledged
– Invoked when the CCPA notice has been acknowledged.
onCcpaFirstAcknowledged
– Invoked the first time the CCPA notice has been acknowledged.
onCcpaOptOut
– Invoked when the user has opted out from sale.
onCcpaFirstOptOut
– Invoked the first time the user has opted out from sale.
_iub.cs.api.ccpaApplies()
– Returns whether the CCPA protections are applied to the current user.
_iub.cs.api.askCcpaOptOut()
– Pops up the dialog to request confirmation for the opt-out from sale.
_iub.cs.api.isCcpaAcknowledged()
– Returns whether the CCPA notice has been acknowledged.
_iub.cs.api.isCcpaOptedOut()
– Returns whether the user has opted out from sale.