CCPA Privacy Policy requirements

Privacy Policies serve a number of different functions. For businesses, a Privacy Policy provides an opportunity to communicate their privacy practices directly to consumers. Pertinent information in the policy, such as who may access the consumer’s information, how long the data is stored, and the purpose of the data collection, ultimately gives the consumer a greater understanding of how their personal information is being used. Privacy laws may also require that business websites display up-to-date and compliant Privacy Policies. Failing to have a compliant Privacy Policy may result in large fines and lawsuits for businesses.

The CCPA (California Consumer Privacy Act), compared to other privacy statutes in the United States, is unique with respect to its Privacy Policy requirements. Each of these requirements will be discussed with reference to the updated CCPA regulations. Please note that these regulations have yet to be finalized.

This article will discuss the components of a CCPA compliant Privacy Policy, including the following: 

  • The purpose and layout of the Privacy Policy 
  • The location of the Privacy Policy on the business’s website 
  • The information required to be within the Privacy Policy 
  • The benefits of a CCPA compliant Privacy Policy 

Privacy Policy requirements:

Purpose and layout of the Privacy Policy 

The proposed CCPA regulations specify both the purpose and layout of a CCPA compliant Privacy Policy. With respect to the purpose of the policy, a compliant CCPA Privacy Policy must provide the consumer with a “comprehensive description of a business’s online and offline practices,” comprised of the following: 

  • The collection of personal information 
  • The use of personal information 
  • Disclosure of personal information 
  • The sale of personal information 
  • The consumer’s rights under the CCPA 

With respect to the layout of the Privacy Policy, the regulations require the following:

  • The language of the policy should avoid technical and legal jargon and instead use plain, straightforward language 
  • The format of the policy should be readable, including on smaller screens 
  • The policy should be available in the languages that the business, in the ordinary course of business, typically uses in contracts, disclaimers, and sale announcements 
  • The Privacy Policy must be reasonably accessible to those with disabilities; Privacy Policies posted online must comply with generally recognized industry standards for accessibility 
  • The policy must be provided in a format that allows the consumer to print it 

The location of the Privacy Policy

A business’s Privacy Policy must be posted via a conspicuous link. Otherwise known as a browsewrap link, the link must include the word “privacy” and be located on the business’s website homepage. If a business has included a specific description of CCPA rights for California residents on its website, the business’s Privacy Policy must also be linked within that description. For mobile applications, the link must be located on the download or landing page.

Required information within the Privacy Policy 

The CCPA specifies a number of required components of a compliant Privacy Policy, including the following: 

  • A description of a consumer’s rights under the CCPA, in addition to one or more methods for submitting requests under those rights:
    • The right to know what personal information is being collected about them;
    • The right to know whether their personal information is sold or disclosed and to whom;
    • The right to opt-out of the sale of personal information;
    • The right to access their personal information; and
    • The right to equal service and price, even if consumers exercise their privacy rights
  • A list of categories of consumers’ personal information that the business has collected within the last 12 months, by reference to two lists: 
    • a list of categories of personal information that the business has sold in the last 12 months; and 
    • a list of categories of personal information that the business has disclosed in the last 12 months
  • If the business has neither sold nor disclosed personal information about the consumer, this must be stated within the Privacy Policy 
  • If personal information has been sold by the business, a link to the “Do Not Sell My Personal Information” page must be included within the Privacy Policy 

Additionally, the California Attorney General’s CCPA regulations specify that the following should be incorporated into the Privacy Policy: 

  • Instructions for how an authorized agent may make a CCPA request on behalf of the consumer 
  • An option for the consumer to contact the business for additional information regarding the business’s Privacy Policies and practices. 
  • The date that the Privacy Policy was last updated 
  • If the business buys, receives or shares for commercial purposes, or sells the personal information of 10,000,000 California consumers in a calendar year, the following data must be included within the business’s Privacy Policy or within a link accessible via the Privacy Policy:
    • The number of requests to know that have been received, including the number complied with in whole or in part and the number denied 
    • The number of deletion requests that have been received, including the number complied with in whole or in part and the number denied 
    • The number of opt-out requests that have been received, including the number complied with in whole or in part and the number denied 
    • The mean or median number of days that it took for the business to substantively respond to requests to know, delete, and opt-out 

One of the required components of a CCPA compliant Privacy Policy is notice regarding the business’s collection, disclosure, and sale of personal information. Specifically, the policy must state that the consumer has the right to know what personal information is collected, disclosed, and sold, as well as the process for submitting a verifiable request to the business for the disclosure. The business must specify what information the consumer must provide to submit the request, as well as how the business will subsequently verify the authenticity of the request. 

With respect to the business’s collection of the consumer’s personal information, the Privacy Policy must contain both the categories and sources of personal information the business has collected in the last 12 months. The regulations specify that consumers should be provided with a “meaningful understanding” of the information the business collects. Finally, the policy should specify the business or commercial purpose for the collection itself. 

Additionally, the business’s Privacy Policy must contain the categories of personal information that have been disclosed for business purposes or sold to third parties. Again, this must include personal information disclosed or sold within the preceding 12 months. For each category of personal information identified in the Privacy Policy, the categories of third parties who have received that particular category of information must be identified as well. In addition to the CCPA, the California Online Privacy Protection Act (CalOPPA) also requires the disclosure of categories of personal information and third parties. Under both the CCPA and CalOPPA, failing to disclose these categories may result in significant fines and lawsuits. 

Benefits of a CCPA compliant Privacy Policy 

A CCPA compliant Privacy Policy provides a variety of benefits to organizations. Besides the more obvious benefits, including the avoidance of fines under the CCPA, a compliant Privacy Policy equips organizations with the competitive advantage of marketing themselves as privacy-conscious. This allows businesses to better meet the privacy expectations of both current and potential customers. 

As CCPA consumer rights become more commonplace, consumers will naturally expect businesses to create and implement sound privacy practices. From the business’s perspective, Privacy Policies must be living documents that are updated as the business develops, tests, and reviews its practices in order to maintain compliance with the CCPA. In order to comply with the provisions of the CCPA, websites must have an up-to-date Privacy Policy. Businesses may obtain a CCPA-ready Privacy Policy by using Termageddon’s Privacy Policy generator.

About the Author
Tyler Pewitt

Tyler is a third year law student attending Seton Hall University School of Law. He is a Certified Information Privacy Professional (CIPP/U.S.) as well as the Founder and President of the Cybersecurity and Privacy Society of his law school, a student organization dedicated to exploring major legal issues in all things technology, from data privacy to Artificial Intelligence. The organization is also dedicated to helping law students find career opportunities in the growing fields of cybersecurity and privacy.
