California has a lot of privacy laws that affect Privacy Policies, and your business doesn't need to be based in California - or even in the U.S. - to be affected by these laws.
Each of these California privacy laws impact the way Privacy Policies are drafted and displayed. This article explains what each law requires with regard to Privacy Policies, and how to meet the requirements.
- 1. A Brief Overview of California Privacy Laws
- 1.1. The California Consumer Privacy Act (CCPA)
- 1.2. The California Online Privacy Protection Act (CalOPPA)
- 1.3. Children's Online Privacy Protection Act (COPPA)
- 2.1. 12 Month Updates
- 2.2. 'Do Not Sell My Personal Information'
- 2.4. Children's Opt-In
- 2.5. Consumer Rights
- 3.2. 'Do Not Track' (DNT) Clause
- 3.4. Communication of Policy Updates
- 3.5. Disclose Consumer Rights
- 4.1. Privacy Policies Must be Displayed Prominently
- 4.2. Privacy Policies Must be Easy to Understand
- 4.3. Parental Rights
- 4.4. Parental Consent and Verification
- 4.5. Sharing Data with Third Parties
- 5.1. What Data We Collect
- 5.2. How We Use Personal Data
- 5.3. How We Keep Data Secure
- 5.4. How Long is Data Stored For
- 5.6. How to Contact Us
- 7. Summary
A Brief Overview of California Privacy Laws
The California Consumer Privacy Act (CCPA)
The CCPA brought in strict transparency requirements which enable Californian consumers to view all of the personal data a company holds on them. It was amended and expanded in January 2023 by the CPRA.
The Act gives consumers the right to know all of the third parties their personal information is shared with and to stop their data from being shared with third parties.
Finally, the CCPA (CPRA) allows consumers to sue businesses that fail to comply with its rules.
The California Online Privacy Protection Act (CalOPPA)
CalOPPA aims to protect the personal data and privacy of residents of California.
In addition, CalOPPA requires Privacy Policies to be posted "conspicuously" on websites.
Children's Online Privacy Protection Act (COPPA)
COPPA works to protect the privacy of children under the age of 13. The Act makes it unlawful to collect the data of children under 13 without the prior consent of their parents or guardians.
The CCPA applies to any business that:
- Has an annual gross revenue of $25 million or more,
- Collects or receives the personal data of 50,000 people or more, or
- Makes more than half of its gross annual revenue from selling personal data
12 Month Updates
Microsoft displays the date its Privacy Statement was last updated and provides a link to what's new in the update:
'Do Not Sell My Personal Information'
However, companies that do not sell personal information are exempt from this requirement. Therefore, if your company does not sell personal information you do not need to include this link, although many companies choose to include a section explaining that they do not sell personal information to ensure clarity.
StarKist has added a "Do Not Sell My Personal Information" link on the website's homepage:
Costco links to its policy on its homepage:
Standard placement for the link is in a website footer. Your site visitors will know to look here, so it's a sure way to be conspicuous.
The CCPA (CPRA) creates an opt in requirement for children which states that companies can only sell the personal data of a child aged 13-16 if the child has opted in to the sale.
If the child is younger than 13 the company must obtain the parent or guardian's consent prior to selling the data. This applies to any business with "actual knowledge" of the child's age and will be especially relevant to websites and apps targeting children.
NVA advises that its website is not intended for children under 16 and states that no data from children under 16 is knowingly collected:
Consumers have a number of rights, including the following:
- To know whether their personal information is being collected
- To access and correct (if needed) their personal data
- To delete their personal data
- To limit the ways others use their personal data and sensitive personal data
- To opt out of their information being shared with third parties
- Not to be discriminated against for exercising their rights under the CCPA
- Inform users if you collect their personal information and if so, advise what categories of personal data are collected and why
- Advise users how to access their personal data and inform them that you will respond to their request within 45 days
- Advise users of their right to delete their personal information and explain how the user is able to make this request
- Advise consumers of their right to opt out of information being shared and explain how to do this. You should also tell consumers who their data is shared with and inform users what categories of personal data have been disclosed for business purposes over the last year.
The policy goes on to explain the rights and how to use them. For example, this is how the website explains deletion request rights, including exceptions for when the requests may be denied:
Cellbrite advises of the above rights in one succinct paragraph and explains how to exercise the rights. The company provides a link consumers can use for the same:
Providing a link to a pre-created form for exercising rights is a nice touch, but isn't necessary so long as you clearly inform users what they need to do and what steps to take to exert the rights.
Virtually every website that collects personal data must comply with CalOPPA because it is impossible to restrict the website's availablity to prevent citizens of California from accessing it, therefore it is likely that Californians will access the website.
Make sure you don't hide the link or make it a smaller font than other links. It needs to at minimum stand out as much as any other link, and needs to include the word "Privacy" in the link name.
'Do Not Track' (DNT) Clause
CalOPPA requires businesses to state how they will respond to DNT requests.
The law does not require companies to comply with the request. It simply requires companies to state how they will respond to requests.
Meeting this requirement is as simple as that.
Communication of Policy Updates
CalOPPA requires companies to explain how they will inform users of any updates to the policy.
For example, does your company send emails about material changes? Or is a pop-up notice displayed on your website?
Note how it lets users know that if any changes are made, there will be an update notice added to the website home page. Material changes will come with a notice as well. Users are also encouraged to periodically check the policy page for the most up-to-date information.
Disclose Consumer Rights
CalOPPA gives consumers the right to know what types of 'personally identifiable information' is collected about them and what information is shared with third parties.
Additionally, the Act gives users the right to make requests to review and delete personally identifiable information.
Here's how Walmart does this in a clause dedicated to California customers:
COPPA applies to all websites and apps with 'actual knowledge' that the company is collecting personal data from children under 13.
Privacy Policies Must be Displayed Prominently
Similarly to California's other privacy laws, COPPA requires Privacy Policies to be displayed prominently on websites.
However, unlike other laws, it does not satisfy the requirements of COPPA to include a small link in a website's footer. Instead, the link must be distinguishable from other links.
This can be as simple as making the link bolder or larger than other links.
Additionally, the link must appear on any page that collects children's personal data, as well as being displayed on your website's home page.
Privacy Policies Must be Easy to Understand
Hasbro has written a clause in its Privacy Notice that's directed specifically towards children:
The clause is easier to read because it uses simple language, and encourages kids to "ask your mom and dad to help you and explain all this" if needed.
COPPA gives parents certain rights, including the right:
- To request access to personal information
- To refuse further data collection or use
- To delete the child's personal data
Everfi includes a clause which explains the parent's right to review, delete and control the use of their child's personal data. The company provides an email address which parents can use to exercise their rights:
Walt Disney advises parents on how to request access to and delete their child's personal information:
Parental Consent and Verification
Websites and apps that collect personal data from children under 13 must obtain 'verifiable parental consent' prior to the data collection.
Verifying parental consent can be tricky for businesses, and COPPA does not state exactly how parental consent should be verified.
However, the Federal Trade Commission (FTC) advises utilizing downloadable consent forms and requiring parents to use their credit card to verify their identity.
Alternatively, the FTC suggests providing a toll-free phone number or accepting digital signatures via email.
Here's how Walt Disney lets parents know that it will ask for parental email addresses to seek consent and other methods it may use:
Sharing Data with Third Parties
COPPA states that companies should not share children's data with third parties unless it is necessary for the website or app to function. If the disclosure is necessary, parents must be told that their child's data is being disclosed to third parties.
Here's how Disney does this:
This can be accomplished through a general update clause as discussed above.
What Data We Collect
All Privacy Policies should include a clause informing individuals what personal data is collected.
Target explains the types of data the store collects and advises that if consumers decide not to provide information, the retailer may not be able to provide certain services:
Try to be as all-inclusive and specific as possible in this clause, and remember to update it if you start to collect additional information.
How We Use Personal Data
This clause explains why your company collects personal data i.e. what it is used for.
McAfee advises that the company uses personal data as part of its security strategy and to run its business effectively:
Note that this is just an excerpt of the clause that also addresses advertising purposes. Again, be as thorough as possible.
How We Keep Data Secure
It's essential to include a clause that details how you protect personal data.
Target advises that it uses industry standard methods, and also adds in that no system is completely secure or "hacker proof":
You don't have to be overly specific in this clause and go into detail about what your exact methods are. In fact, being too specific can actually be bad for security.
How Long is Data Stored For
This clause explains how long data is retained for.
Legal and General advises that personal data is kept for the minimum retention period required by law and that information will only be retained after this time is there's a legitimate reason to do so:
It's advisable (and in some cases legally required) to not retain personal information for longer than the information is necessary to keep. Consider doing regular purges of data to make sure you're only keeping the minimum data required for your purposes.
Additionally, The Guardian provides an overview of the changes made to the policy to date:
How to Contact Us
All Privacy Policies should include a clause which informs consumers how they can contact the company.
Publisher Atex advises how individuals can contact the company via post, email and contact form:
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
There are three main California laws which impact the content of companies Privacy Policies, as well as the way in which they are displayed. These laws are: the CCPA (CPRA), CalOPPA and COPPA.
Although the laws have different requirements, they share the following traits:
- They seek to protect the privacy and personal data of residents of California
- They state that Privacy Policies must be clear and prominently displayed
- They state that residents of California must be informed if their personal data is being collected