How can ePublishing help me comply with CCPA?

ePublishing has provided functionality so that you can present an accept/deny message to your users regarding CCPA. 

What is CCPA?

From https://oag.ca.gov/privacy/ccpa: CCPA was signed into law on June 28, 2018, and went into effect on January 1, 2020. CCPA grants California consumers robust data privacy rights and control over their personal information, including the right to know, the right to delete, and the right to opt-out of the sale of personal information that businesses collect, as well as additional protections for minors.

How does CCPA differ from GDPR?

General Data Protection Regulation (GDPR) was specifically for users in the European Union, whereas CCPA has no geographical boundaries, though it was developed specifically to protect residents of California. Our approach for CCPA thus removes the existing use of the geographic database to identify EU visitors by IP address. Under GDPR, it was also assumed that users were opted in unless they specifically declined. CCPA requires users to actively accept or deny tracking cookies.

How does this work?

The CCPA functionality uses the same banner overlay functionality that’s used for our standard cookie policy overlay. 

 

More info can be found about that in these Knowledge Base articles:

How do I add the cookie policy notification to my site?

How do I update the cookie policy notification message?

 

This means that you cannot use both banners at the same time. If you have both enabled, the CCPA banner will take priority. Once you have it set up and enabled, visitors will be presented with your messaging and an option to accept or deny. Visitors will not be able to close this banner unless they accept or deny.

 

If a visitor clicks accept...

ePublishing will set the visitor’s consent_status to true and the consent_date to the current date and time. We will also set consent_type to ‘website’. These values will be stored in cookies for anonymous visitors or in their user record for visitors who are logged in. These cookies will have no set expiration date.

In addition, if your site is integrated with Omeda (and an oly_enc_id cookie value is present), ePublishing will POST to Omeda’s GDPR Permission API to keep the user record updated with Omeda. 

Fields passed to Omeda will include:

  1. Consent date - format YYYY-MM-DD
  2. IP Address of the visitor
  3. URL - the URL the visitor is on when they click Accept
  4. Consent - string value of “yes”

 

If a visitor clicks deny...

The visitor is then taken to a page (/consumer-privacy) on your site where you can control the copy presented to the visitor. This page will be a dynamic page with copy driven by an Editorial Content record. That copy should explain to the visitor the consequences of their decision to not allow tracking by the site. It will also include a button to allow the visitor to reverse their decision and accept tracking, just in case they change their mind or clicked Deny by mistake from the overlay. This will be a page that can be linked to from the footer or other location on the website so that visitors may easily find where to consent or not consent to tracking.

If the visitor confirms their intent by clicking “Deny” on this page, ePublishing will set their consent_status to false and consent_date to the current date and time. We will also set consent_type to ‘website’. These values will be stored in cookies for anonymous visitors or in their user record for visitors who are logged in. Any cookies set for this data will expire in 1 year. (Yes, it is very ironic that we have to use cookies to track the fact that someone told us not to track them.)

At that point, all cookies under ePublishing control are immediately cleared, and the visitor is logged out of the site if they were logged in, and redirected to the homepage.

In addition, if your site is integrated with Omeda (and an oly_enc_id cookie value is present), ePublishing will POST to Omeda’s GDPR Permission API to keep the user record updated with Omeda. 

Fields passed will include:

  1. Consent date - format YYYY-MM-DD
  2. IP Address of the visitor
  3. URL - the URL the visitor is on when they click Deny
  4. Consent - string value of “no”

How do I enable this on my site?

First, populate and publish the following Editorial Content areas before enabling the CCPA overlay:

consumer.privacy.confirm

consumer.privacy.confirm.accept

consumer.privacy.banner.message

 

consumer.privacy.confirm - Populate the body field of this Editorial Content area to build the page that visitors will arrive at if they click deny on the CCPA overlay. The page is located at https://www.yourdomain.com/consumer-privacy

consumer.privacy.confirm.accept - If a visitor clicks Accept on /consumer-privacy, a flag will appear on this page displaying the text you placed in the Editorial Content body field.

consumer.privacy.banner.message - Use the body field of this Editorial Content area to populate the message that visitors will see in the CCPA overlay banner

 

Then update the following System Settings:

privacy.banner.position

privacy.banner.enabled

privacy.banner.position - You can either display this banner at the top or bottom of your site. Therefore, the values to use in this setting are either top or bottom.

privacy.banner.enabled - A value of true will enable the CCPA functionality and false will disable it.

 

After saving your System Setting updates, be sure to clear the Admin cache so that the setting updates will take effect immediately. Do that in Admin by visiting sys admin > Cache > Clear Cache. 

Customizing the Accept/Deny buttons

If you’d like to customize the appearance of the Accept and Deny buttons on the overlay and /consumer-privacy page, you can accomplish that with some simple CSS updates. 

If you’d like to learn more about making CSS updates on your site, check out this Knowledge Base article.

 

The Accept and Deny buttons are named as follows in our CSS:

.consumer-privacy-buttons__accept
.consumer-privacy-buttons__deny

 

Therefore, the update in your CSS file may look something like this example:

/* override CSS */
.consumer-privacy-buttons__accept {
  border: none;
  border-radius: 3px;
  background-color: #007795;
  color: #fff;
}
.consumer-privacy-buttons__deny {
  opacity: .7
}

Site Behavior Changes for Visitors who Opt-Out of Tracking

ePublishing can NOT prohibit or affect any cookies or tracking performed by other third parties such as advertising or analytics. 

 

Users will not be able to log into the site as logging in requires the use of tracking cookies. 

 

Content Gating - Hard Paywall & Metering

If a user Accepts tracking then everything works as it does today. If they Deny tracking, then they will no longer be able to access ANY GATED CONTENT. They will be experiencing the site as an anonymous visitor. No past purchases and order history will be accessible.

 

Just like the hard paywall, if a user Accepts tracking then everything works as it does today. If they Deny tracking, we have no way of metering their views of content. ePublishing has had to modify our platform’s metering logic so that it is completely disabled when a person has removed consent to tracking through the Deny mechanism. The visitor will then encounter the hard paywall user experience every time they access gated content if the consent_status cookie set for the user is false.

What if visitors are viewing my site in Incognito Mode or Private Browsing?

If visitors are viewing the site in Incognito Mode/Private Browsing, they will see the CCPA banner every time they view the site. If they approve or deny during their session, those preferences will only be stored for the duration of their session.

In the event a user calls your customer service team and requests that their consent status be updated, there are a couple of ways to do this.

The user can simply clear their browser cookies, log back into the site, and make a selection.

If the user had previously accepted and would now like to deny, they can log in to your site, visit /consumer-privacy, and click Deny. This will not work for a user who would like to change their status from Deny to Accept because the login process requires cookies and users who have denied will not have the login cookies set.

If your site is using Google Ad Manager (GAM) ads, ePublishing will pass a consent_status variable in your ad targeting code.

Additionally, we will also apply the setCookiesOption variable:

If consent_status = false (meaning the user has denied), we apply setCookiesOption = 1

If no choice has been made (consent_status = null or no consent_status) or the user has approved CCPA (consent_status = true), we apply setCookiesOption = 0

Additional information can be found here.

Changes needed in Google Tag Manager for Advertisements

Google Tag Manager (GTM) is often used in parallel with Google Analytics (GA) and other services to collect data on users to better advertise and target certain demographics with sales, ads, etc. GDPR and CCPA both limit the degree to which those services can be used in relation to your site. So the question is: how do you set up GTM to ignore users that opt out of tracking?

ePublishing crafted a solution that makes this possible in 3 easy steps:

Step 1: Create a new Variable.

Select the account under which the website’s container (i.e. configuration) resides. For this example, we’ll be using a test site in the ePublishing account.

Once you’ve navigated to the container dashboard, navigate to the Variables tab in the sidebar. Once you’ve done this you’ll see a list of variables, both Built-in and User-Defined. You’ll be creating a new User-Defined variable. Click the button titled New and the new variable configuration will slide out onto the page.

Under “Choose variable type” options you’ll select 1st Party Cookie. Set the Cookie Name to consent_status. Name this Variable “Opt-Out Cookie”. Then click the save button in the upper right corner.

The consent_status cookie will be automatically populated with a user’s given consent status.

Step 2: Create a Trigger 

Now we need to create a new trigger. This will fire whenever a user hits a page and the user’s consent status is false. Under the Trigger section in the sidebar, click the button titled New. Select Custom Event as the Trigger Type. Name it Tracking Opt-Out. Then, importantly, give it an event name of “.*” and select the checkbox saying “use regex matching”. Then under “this trigger fires on” select Opt-Out Cookie -> equals -> false.

Step 3: Apply it

You’re almost done! The only thing left to do is apply your trigger to any tag you need to disable when a user has opted out. For this example I’ll be disabling Google Analytics, though you can apply it to any tag you see fit.

To accomplish this, navigate to the Tags section in the sidebar. Then select the tag you want to conditionally disable. We’re disabling GA so we’ll select “Universal Analytics” from the list. Under the Triggering panel you’ll then see an Add Exception link. Click it and select Tracking Opt-Out, the trigger we just created. Repeat step 3 with any and all Tags you need to disable.
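
To check how a given consent_status cookie value maps to the behaviour described above (the setCookiesOption value passed to GAM, the GTM Tracking Opt-Out exception, and metering), the following JavaScript can be run against a cookie string. It is an added example, not ePublishing's code; the function and field names are hypothetical, and treating any value other than the literal strings true and false as "no choice" is an assumption.

```javascript
// Added example. Only consent_status and the setCookiesOption values come
// from the article; every function and field name here is hypothetical.

// Read one cookie from a document.cookie / Cookie header string.
// Exact name match, so "old_consent_status" is not mistaken for the real one.
function readCookie(cookieString, name) {
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1 || part.slice(0, eq).trim() !== name) continue;
    const raw = part.slice(eq + 1).trim();
    try {
      return decodeURIComponent(raw);
    } catch (e) {
      return raw; // malformed percent-encoding: keep the raw value
    }
  }
  return null; // cookie not present
}

// Three states: true (accepted), false (denied), null (no choice yet).
// Assumption: any value other than the literal strings "true"/"false" is
// treated as "no choice", mirroring the GTM "equals false" string comparison.
function consentState(cookieString) {
  const value = readCookie(cookieString, "consent_status");
  if (value === "true") return true;
  if (value === "false") return false;
  return null;
}

// Behaviour the article attaches to each state.
function trackingDecisions(cookieString) {
  const denied = consentState(cookieString) === false;
  return {
    consentStatus: consentState(cookieString),
    setCookiesOption: denied ? 1 : 0, // 1 only after an explicit Deny
    gtmOptOutTriggerFires: denied,    // exception trigger blocks the tag
    meteringDisabled: denied,         // hard paywall on gated content
  };
}

// Constructed sample cookie strings (not captured from a real site).
const SAMPLES = [
  "consent_status=false; consent_type=website",
  "consent_status=true",
  "old_consent_status=false; session=abc",
];
for (const s of SAMPLES) console.log(s, "->", trackingDecisions(s));
```

Only an explicit false changes anything: a missing cookie, or a similarly named cookie, leaves setCookiesOption at 0 and the GTM exception inactive.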