California · CCPA + CPRAWordPress hosting with CCPA plugin built into the platform.
Do-Not-Sell-or-Share link, privacy portal, consumer request workflow, and signed DPA — handled by Yovale's compliance MU-plugin. You don't install it. You don't update it. You don't pay for it. It's how every Yovale site ships, on every plan.
We may share limited data with advertising partners to improve our service. You can opt out of sale and sharing, or limit how we use sensitive information.
Five rights you have to honor.
The California Consumer Privacy Act, in force since January 1, 2020 and strengthened by CPRA on January 1, 2023, gives California residents enforceable rights over their personal information. Hosting a WordPress site that reaches California traffic means honoring these — and the California Privacy Protection Agency now has standalone authority to investigate and fine.
- 01
Right to know
Anyone can request the categories and specific pieces of personal information you've collected about them in the past 12 months — including sources, business purposes, and any third parties you shared it with.
- 02
Right to delete
California consumers can request deletion of personal information you hold. You must comply within 45 days, plus pass the request to every service provider downstream.
- 03
Right to opt out of sale or sharing
A clear and conspicuous 'Do Not Sell or Share My Personal Information' link must appear on your homepage. The opt-out has to be at least as easy as opting in. Global Privacy Control signals count as a valid opt-out.
- 04
Right to correct
CPRA added the right to fix inaccurate personal information. You have 45 days to respond, with one 45-day extension allowed if you explain why.
- 05
Right to limit sensitive info use
Consumers can restrict use of sensitive personal information — SSN, precise geolocation, race, religion, health, sexual orientation, biometric data — to what's strictly necessary to deliver your service.
- 06
No retaliation
You cannot deny service, charge different prices, or offer worse quality because someone exercised a privacy right. Financial-incentive programs need a separate written notice.
Built into the platform. Not a plugin you install.
Yovale ships CCPA + CPRA compliance as a signed must-use plugin — part of the hosting itself, not something you install from the WordPress repository. It's version-pinned, fetched from R2 with SHA-256 verification, and dropped into a per-site bind-mounted mu-plugins directory at provision time. Updates ship through the same channel your hosting updates do.
Do-Not-Sell notice + opt-out
Geo-aware. California visitors see the required 'Do Not Sell or Share My Personal Information' link plus an opt-out toggle. Global Privacy Control headers are honored automatically. EU visitors switch to GDPR opt-in. Renders in 8 locales, configurable in the dashboard.
Privacy portal
/.well-known/privacy on every Yovale site. Visitors view, export, delete, or correct their data without filing a support ticket. You see every verifiable consumer request in the Compliance dashboard tab with the 45-day SLA timer.
Audit log
Every opt-out, deletion, access, and correction request is logged at the Cloudflare edge worker layer. Tamper-proof, queryable, retained for 24 months (the CCPA recordkeeping minimum).
Signed DPA
Pre-signed Data Processing Agreement available in your dashboard, written to CCPA service-provider terms (not 'sale,' purpose-limited). Lists every sub-processor (Cloudflare, Anexia, R2), data flows, security measures, and breach notification SLAs. PDF download for your records.
Why infrastructure beats a plugin.
Typical WordPress CCPA plugin
- Adds 200-500ms to every page load (banner JS, opt-out scan, DB writes)
- Stores opt-out records in wp_options — slow, untyped, breaks with object caching
- Ignores Global Privacy Control signals or implements them inconsistently
- Costs $49-119/year per site (Complianz, CookieBot, CookieYes)
- Breaks when you migrate hosts; opt-out history and audit log lost
Yovale's built-in approach
- 0ms latency — opt-out state computed at the edge worker, cached in the CDN
- Audit log in a dedicated database, queryable, never blocks page render
- Global Privacy Control honored automatically on every request
- Included on every plan ($149 / $249 / $499 per year), no per-site compliance fees
- Travels with your site forever — opt-out history is yours to export
14 regulations. One toggle each. All automatic.
- Do Not Sell or Share link
- Consumer access + deletion rights
- Honor Global Privacy Control
- Limit sensitive info use
- Non-discrimination
CCPA + Yovale, answered.
Do I need to install a CCPA plugin on top of Yovale?
No. The compliance MU-plugin is part of the hosting, not something you add. Installing a separate CCPA plugin (Complianz, CookieBot, CookieYes) on top of Yovale would create duplicate Do-Not-Sell links and confuse visitors. The platform handles it, including Global Privacy Control headers.
Does CCPA apply to my business?
CCPA applies if you do business in California and meet one of: gross annual revenue over $25M, buy/sell personal info on 100,000+ consumers/households, or earn 50%+ revenue from selling personal info. Even sites below those thresholds frequently opt into CCPA-style notices to avoid edge cases — the Yovale platform handles both audiences with the same hosting.
What if I get a consumer request?
California consumers handle most requests themselves through the privacy portal at /.well-known/privacy on your domain. For requests that require human review (specific data deletion, correction with proof), you see them in your dashboard Compliance tab with a 45-day SLA timer (one 45-day extension allowed with notice).
Is the DPA written to CCPA standards?
Yes. Yovale is listed as a service provider under CCPA terms — we process personal information only for the limited business purposes you specify, never sell it, and pass deletion requests downstream. Available as a PDF download in the dashboard, alongside the GDPR DPA for sites with EU traffic.
Does it honor Global Privacy Control?
Yes. The Sec-GPC: 1 request header is treated as a valid opt-out signal under CPRA, processed at the Cloudflare edge before any tracking script can fire. This is required by the California AG and the CPPA — most plugin solutions miss it.
What about other US state laws (VCDPA, CPA, CTDPA)?
The same Yovale system covers Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and the growing list of US state privacy laws. They share the opt-out structure and most rights — the platform handles each jurisdiction automatically based on the visitor's location.
Ship a CCPA-compliant WordPress site in 60 seconds.
Every Yovale site is CCPA + CPRA-ready from the moment you deploy. No plugin to install. No DPA to chase. No Do-Not-Sell link to wire up. Start the free Growth trial and see your first compliance dashboard.