The California Consumer Privacy Act (CCPA) requires businesses to document the controls they’ve instituted to protect consumer data privacy rights in a written privacy policy notice. The following checklist identifies requirements, recommended content, and considerations to help businesses understand and fulfill the notice obligation.
CCPA privacy notice requirements
Generally speaking, the CCPA mandates two distinct types of privacy notices: one at the point of collection (POC), and the other in the company’s privacy policy.
Two additional notices – the notice of financial incentive and the notice of right to opt out – are conditional. They’re required only if a business is providing a financial incentive, or if the business sells personal information.
Point of collection (POC) notice
Businesses that collect consumers’ personal information must inform them, at or before the point of collection, about the categories of personal information to be collected and the purposes for which those categories of information will be used. Subsequent notice must be provided if additional categories of personal information are collected or used for additional purposes.
Privacy policy notice
The CCPA privacy policy notice requirement is two-tiered:
- It must appear in a business’ online privacy policy (if it has one).
- It must be included in any California-specific description of consumers’ privacy rights.
These notices must include a description of consumers’ CCPA rights and certain details about the categories of personal information collected, disclosed, or sold in the preceding year. Since the information to be conveyed is identical – namely, a description of consumers’ privacy rights and methods by which consumers may exercise their rights – organizations may want to consider folding the California-specific notice into the CCPA privacy policy.
Do you need a CCPA privacy policy?
Any for-profit entity doing business in California (whether or not the business is actually based in California) that collects or processes consumers’ personal information (or on whose behalf such information is collected) may be required to provide a CCPA privacy policy if it also satisfies at least one of the following thresholds:
- Has annual gross revenues in excess of $25 million, as adjusted pursuant to the law.
- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.
- Derives half or more of its annual revenue from selling consumers’ personal information.
Privacy policy design and accessibility
CCPA privacy policies are required to be designed and presented in a way that’s easy to read and understandable to consumers. A CCPA privacy policy should:
- Use plain, straightforward language and avoid technical or legal jargon.
- Use a readable format, including on smaller screens, if applicable. This can include a table of contents or jump links for easy navigation, expand/collapse features, or links to pages with supplemental information.
- Make the policy available in the languages in which the business provides contracts, disclaimers, sale announcements, and other information to consumers in California.
- Make the policy reasonably accessible to consumers with disabilities.
- Make the policy available in a format that allows a consumer to print it out as a document.
Your privacy policy should be available to consumers both online and offline and should address both online and offline practices. Publish the privacy policy online with a conspicuous link using the word “privacy” on the website’s homepage, or on every page of your website in a recurring header or footer.
What should be in a privacy policy?
In general, CCPA privacy policies are required to include a description of consumer rights, methods for exercising those rights, contact information, and the date the policy was last updated. Also be sure to specify that the privacy policy is limited in scope and applies only to California residents.
CCPA privacy policies should include:
- A description of California consumer privacy rights, including:
  - The right to know (request disclosure of) personal information collected or sold.
  - The right to deletion of personal information collected from the consumer.
  - The right to nondiscriminatory treatment for exercising any rights.
  - The right to opt out of the sale of personal information (if applicable).
  - The right to opt in to the sale of personal information of minors (if applicable).
- An explanation of designated methods for exercising consumer rights, including:
  - Instructions for submitting a verifiable consumer request.
  - A description of the process used to verify consumer requests.
  - Instructions on how an authorized agent can make a request on a consumer’s behalf.
- A statement of whether the business sells personal information and, if it does, notice of the right to opt out or a “Do Not Sell My Personal Information” link.
- Categories of personal information collected about consumers in the past 12 months.
- Categories of personal information disclosed for a business purpose or sold to third parties in the preceding 12 months.
- Categories of sources from which personal information is collected.
- Categories of third parties to whom personal information was disclosed or sold.
- The business purpose or commercial purpose for collecting or selling personal information.
- A statement of whether the business has actual knowledge that it sells the personal information of minors.
- Contact information for questions or concerns about the business’ privacy policy or practices.
- The date the CCPA privacy policy was last updated.
How to review and maintain your privacy policy to ensure compliance
The CCPA privacy policy should be reviewed and updated periodically, and consumers must be given clear notice of any changes to it. Here are some recommended measures to consider for maintenance and notice of changes:
- Document a written procedure for maintaining and updating the privacy policy.
- Monitor developments with the CCPA and related regulations to identify potential regulatory changes.
- Update the privacy policy at least annually.
- Review any relevant vendor agreements to confirm and, as needed, revise terms and conditions to address your privacy policy procedure.
- Deliver and record periodic training to individuals responsible for maintaining or carrying out the privacy policy procedure.
- Monitor and test the process periodically to set a compliance baseline against which to measure effectiveness.
- Maintain the privacy policy procedure via periodic reviews and amend as needed to factor in operational and regulatory changes.
- Retain the records for at least four years – the statute of limitations likely applicable to CCPA enforcement actions.
A smarter, faster approach to CCPA compliance with Bloomberg Law
As organizations shift their business practices to align with California’s data privacy laws and disclosure obligations, it’s imperative that they have a solid understanding of when those requirements apply and how to comply. Stay ahead of consumer data privacy law compliance and enforcement developments with expert analysis, comprehensive coverage, news, and practice tools from Bloomberg Law.