California has a lot of privacy laws that affect Privacy Policies, and your business doesn't need to be based in California - or even in the US - to be affected by these laws.

Each of these California privacy laws affects the way Privacy Policies are drafted and displayed. This article explains what each law requires with regard to Privacy Policies, and how to meet those requirements.


A Brief Overview of California Privacy Laws

The California Consumer Privacy Act (CCPA)

The CCPA brought in strict transparency requirements which enable Californian consumers to view all of the personal data a company holds on them.

The Act gives consumers the right to know all of the third parties their personal information is shared with and to stop their data from being shared with third parties.

Finally, the CCPA allows consumers to sue businesses that fail to comply with its rules.

The California Online Privacy Protection Act (CalOPPA)

CalOPPA aims to protect the personal data and privacy of residents of California.

The Act requires companies to include a 'Do Not Track' (DNT) disclosure in their Privacy Policy.

In addition, CalOPPA requires Privacy Policies to be posted "conspicuously" on websites.

Children's Online Privacy Protection Act (COPPA)

COPPA works to protect the privacy of children under the age of 13. The Act makes it unlawful to collect the data of children under 13 without the prior consent of their parents or guardians.

Additionally, COPPA tells websites what must be included in their Privacy Policy and where it should be posted.

Creating a CCPA Compliant Privacy Policy

The CCPA applies to any business that:

  • Has an annual gross revenue of $25 million or more,
  • Collects or receives the personal data of 50,000 people or more, or
  • Makes more than half of its gross annual revenue from selling personal data

The CCPA requires the following in regard to your Privacy Policy.

12 Month Updates

The CCPA requires companies to update their Privacy Policy on an annual basis. To meet this requirement, simply ensure that your policy includes the date it was last updated. You will also need a way of keeping track of when the policy is next due to be updated.

Microsoft displays the date its Privacy Statement was last updated and provides a link to what's new in the update:

Microsoft Privacy Statement: Last Updated date and update link

It's common practice to list the date of the last update at the beginning of the Privacy Policy, but it isn't required to place it there. As long as it's somewhere in your statement you will be compliant.

'Do Not Sell My Personal Information'

The CCPA requires companies to display a 'clear and conspicuous' link, both on their homepage and in their Privacy Policy, with the title of "Do Not Sell My Personal Information."

However, companies that do not sell personal information are exempt from this requirement. Therefore, if your company does not sell personal information you do not need to include this link, although many companies choose to include a section explaining that they do not sell personal information to ensure clarity.

Companies that do sell personal information must provide this page and tell consumers how to opt out of the sale of their information. Therefore, if your company sells personal information, you need to add the "Do Not Sell My Personal Information" link to your website's homepage and create a section in your Privacy Policy with the same title.

StarKist has added a "Do Not Sell My Personal Information" link on the website's homepage:

StarKist website footer with links

Its Privacy Policy also includes information about a user's right to withdraw consent to the sale of personal information:

StarKist Privacy Policy: Excerpt of How to review, edit or delete PII clause

Companies must post a conspicuous link to their Privacy Policy on their website's main page. To meet this requirement simply ensure that you have linked your Privacy Policy on your website in a clear and easily accessible place.

Costco links to its policy on its homepage:

Costco website footer with links: Your Privacy Rights link highlighted

Standard placement for the link is in a website footer. Your site visitors will know to look here, so it's a sure way to be conspicuous.

Children's Opt-In

The CCPA creates an opt-in requirement for children which states that companies can only sell the personal data of a child aged 13-16 if the child has opted in to the sale.

If the child is younger than 13 the company must obtain the parent or guardian's consent prior to selling the data. This applies to any business with "actual knowledge" of the child's age and will be especially relevant to websites and apps targeting children.

If your site is used by children under 16, you must include a clause in your Privacy Policy which explains the opt-in requirement for minors.

NVA advises that its website is not intended for children under 16 and states that no data from children under 16 is knowingly collected:

NVA Privacy Policy: Children Under the Age of 16 clause

Consumer Rights

The CCPA creates several consumer rights which are relevant to your Privacy Policy.

Consumers have the right:

  • To know whether their personal information is being collected
  • To access their personal data
  • To delete their personal data
  • To opt out of their information being shared with third parties
  • Not to be discriminated against for exercising their rights under the CCPA

In light of these rights, your Privacy Policy should:

  • Inform users if you collect their personal information and if so, advise what categories of personal data are collected and why
  • Advise users how to access their personal data and inform them that you will respond to their request within 45 days
  • Advise users of their right to delete their personal information and explain how the user is able to make this request
  • Advise consumers of their right to opt out of information being shared and explain how to do this. You should also tell consumers who their data is shared with and inform users what categories of personal data have been disclosed for business purposes over the last year.
  • Inform consumers that they will not be discriminated against for exercising their rights under the CCPA. For example, your Privacy Policy should state that consumers will not be denied goods or services for exercising their consumer rights.

NVA's Privacy Policy contains a clause regarding the rights and choices of residents of California granted under the CCPA:

NVA Privacy Policy: Your Rights and Choices clause

The policy goes on to explain the rights and how to use them. For example, this is how the website explains deletion request rights, including exceptions for when the requests may be denied:

NVA Privacy Policy: Deletion Request Rights clause

Cellebrite advises of the above rights in one succinct paragraph and explains how to exercise them. The company provides a link consumers can use for this purpose:

Cellebrite Privacy Statement: Excerpt of Your Rights Under the EU Laws and Under the CCPA clause

Providing a link to a pre-created form for exercising rights is a nice touch, but it isn't necessary so long as you clearly inform users what they need to do and what steps to take to exercise their rights.

Creating a CalOPPA Compliant Privacy Policy

Virtually every website that collects personal data must comply with CalOPPA, because it is impractical to restrict a website's availability so that residents of California cannot access it; it is therefore likely that Californians will access the website.

CalOPPA requires the following in regard to your Privacy Policy.

Privacy Policy Must be "Conspicuously Posted"

To comply with CalOPPA you need to make sure that your company's Privacy Policy is displayed prominently on the homepage of your website to ensure that it is easily accessible to users.

Walmart achieves this requirement by displaying the link to its Privacy Policy on the website's homepage along with other important and informative links:

Walmart website footer links: Privacy and Security and California Privacy Rights links highlighted

Make sure you don't hide the link or make it a smaller font than other links. It needs to at minimum stand out as much as any other link, and needs to include the word "Privacy" in the link name.

'Do Not Track' (DNT) Clause

CalOPPA requires businesses to state how they will respond to DNT requests.

The law does not require companies to comply with the request. It simply requires companies to state how they will respond to requests.

To meet this requirement you need to include a 'DNT Clause' in your Privacy Policy which advises users whether or not your company responds to DNT requests.

Acquire includes a DNT clause in its Privacy Policy which advises users that the company does not respond to DNT requests:

Acquire Privacy Policy: DNT Signals clause

Meeting this requirement is as simple as that.

Effective Date of the Privacy Policy

This is a simple enough requirement to comply with. You just need to ensure that your Privacy Policy states the date it came into effect or was last updated. This is typically listed at the top of the Privacy Policy, like this example from Walmart:

Walmart Privacy Policy: Updated date

Communication of Policy Updates

CalOPPA requires companies to explain how they will inform users of any updates to the policy.

For example, does your company send emails about material changes? Or is a pop-up notice displayed on your website?

PetSuites of America includes this clause in its Privacy Policy:

PetSuites of America Privacy Policy: Changes to Our Privacy Policy clause

Note how it lets users know that if any changes are made, there will be an update notice added to the website home page. Material changes will come with a notice as well. Users are also encouraged to periodically check the policy page for the most up-to-date information.

Disclose Consumer Rights

CalOPPA gives consumers the right to know what types of 'personally identifiable information' are collected about them and what information is shared with third parties.

Additionally, the Act gives users the right to make requests to review and delete personally identifiable information.

You must ensure that your Privacy Policy contains clauses that explain the above rights.

Here's how Walmart does this in a clause dedicated to California customers:

Walmart Privacy Policy: What Are Your California Privacy Rights clause

The clause refers readers to two other informative clauses with more detailed information. It also provides a method of contact in case a reader has questions regarding the handling of personal information or about the Privacy Policy in general.

Creating a COPPA Compliant Privacy Policy

COPPA applies to all websites and apps with 'actual knowledge' that the company is collecting personal data from children under 13.

If your website or app is targeted towards children, or if you think any of your users are likely to be under the age of 13, it is advisable to ensure that your Privacy Policy meets the requirements of COPPA.

COPPA requires the following in regard to your Privacy Policy.

Privacy Policies Must be Displayed Prominently

Similarly to California's other privacy laws, COPPA requires Privacy Policies to be displayed prominently on websites.

However, unlike other laws, it does not satisfy the requirements of COPPA to include a small link in a website's footer. Instead, the link must be distinguishable from other links.

This can be as simple as making the link bolder or larger than other links.

Additionally, the link must appear on any page that collects children's personal data, as well as being displayed on your website's home page.

The Walt Disney Company complies with COPPA by displaying a separate Children's Privacy Policy link in the website's footer, which also provides links to the company's other privacy resources:

Walt Disney Company website footer with links: Children's Online Privacy Policy highlighted

This might not seem like a very distinguishable way to share the link, but by including the word "Children's" in the title, the link stands out from a standard Privacy Policy, which is linked further down in the list.

Privacy Policies Must be Easy to Understand

COPPA states that Privacy Policies must be easy to understand. To meet this requirement ensure that your Privacy Policy is written in clear and simple language so that a child can understand it.

Hasbro has written a clause in its Privacy Notice that's directed specifically towards children:

Hasbro Privacy Notice: Children's rights clause

The clause is easier to read because it uses simple language, and encourages kids to "ask your mom and dad to help you and explain all this" if needed.

Parental Rights

COPPA gives parents certain rights, including the right:

  • To request access to personal information
  • To refuse further data collection or use
  • To delete the child's personal data

To ensure you meet these requirements you must include a clause about parental rights in your Privacy Policy. Your clause must state that parents have the above rights and explain the procedures involved in exercising these rights.

Everfi includes a clause which explains the parent's right to review, delete and control the use of their child's personal data. The company provides an email address which parents can use to exercise their rights:

Everfi COPPA Privacy Policy: Parental rights to review, delete and control the use of children's PI clause

Walt Disney advises parents on how to request access to and delete their child's personal information:

Walt Disney Company Children's Online Privacy Policy: Parental Choices and Controls clause

Parental Consent and Verification

Websites and apps that collect personal data from children under 13 must obtain 'verifiable parental consent' prior to the data collection.

Verifying parental consent can be tricky for businesses, and COPPA does not state exactly how parental consent should be verified.

However, the Federal Trade Commission (FTC) advises utilizing downloadable consent forms and requiring parents to use their credit card to verify their identity.

Alternatively, the FTC suggests providing a toll-free phone number or accepting digital signatures via email.

Once you have decided how you will gain verifiable consent from parents, it's a good idea to disclose your method in your Privacy Policy.

Here's how Walt Disney lets parents know that it will ask for parental email addresses to seek consent and other methods it may use:

Walt Disney Company Children's Online Privacy Policy: About Verifiable Parental Consent clause

Sharing Data with Third Parties

COPPA states that companies should not share children's data with third parties unless it is necessary for the website or app to function. If the disclosure is necessary, parents must be told that their child's data is being disclosed to third parties.

To meet this requirement, include a clause in your Privacy Policy that advises whether or not you share children's data with third parties. If data is shared with third parties, your policy should advise who the third parties are and how parents can opt out of their children's data being shared.

Here's how Disney does this:

Walt Disney Company Children's Online Privacy Policy: Sharing of children's information clause

Notifying Parents of Major Changes to Your Privacy Policy

COPPA states that parents must be directly notified of any material changes to your Privacy Policy. This is particularly important if you make a change to the type of information that can be collected on your website or app.

To ensure you comply with COPPA, you must include a clause in your Privacy Policy which advises that you will notify parents of material changes to the policy and explains how you will do this.

This can be accomplished through a general update clause as discussed above.

Other Clauses Every Privacy Policy Should Include

In addition to clauses specific to California laws, there are certain clauses every Privacy Policy should include, such as:

What Data We Collect

All Privacy Policies should include a clause informing individuals what personal data is collected.

Target explains the types of data the store collects and advises that if consumers decide not to provide information, the retailer may not be able to provide certain services:

Target Privacy Policy: Excerpt of information we may collect clause

Try to be as all-inclusive and specific as possible in this clause, and remember to update it if you start to collect additional information.

How We Use Personal Data

This clause explains why your company collects personal data, i.e. what it is used for.

McAfee advises that the company uses personal data as part of its security strategy and to run its business effectively:

McAfee Privacy Notice: Excerpt of How Do We Use the Information We Collect clause

Note that this is just an excerpt of the clause that also addresses advertising purposes. Again, be as thorough as possible.

How We Keep Data Secure

It's essential to include a clause that details how you protect personal data.

Target advises that it uses industry standard methods, and also notes that no system is completely secure or "hacker proof":

Target Privacy Policy: How is Your Personal Information Protected - Security clause

You don't have to be overly specific in this clause and go into detail about what your exact methods are. In fact, being too specific can actually be bad for security.

How Long is Data Stored For

This clause explains how long data is retained for.

Legal and General advises that personal data is kept for the minimum retention period required by law and that information will only be retained after this time if there's a legitimate reason to do so:

Legal and General Privacy Policy: Data retention clause

It's advisable (and in some cases legally required) not to retain personal information for longer than necessary. Consider doing regular purges of data to make sure you're only keeping the minimum data required for your purposes.

Changes to the Privacy Policy

This clause advises users that your Privacy Policy is subject to change. It also informs users how you will tell them about any significant updates.

The Guardian explains that changes to the newspaper's Privacy Policy will be posted on the website; significant changes may also be emailed to users.

Additionally, The Guardian provides an overview of the changes made to the policy to date:

The Guardian Privacy Policy: Changes to this Privacy Policy clause excerpt

Your Changes clause doesn't have to be as detailed and informative, but something like this is a really great way to convey a lot of helpful information to your readers. You should also always encourage users to check your Privacy Policy for the most updated information at any time.

How to Contact Us

All Privacy Policies should include a clause which informs consumers how they can contact the company.

Publisher Atex advises how individuals can contact the company via post, email and contact form:

Atex Privacy and Cookies Policy: Contact clause

Summary

There are three main California laws which impact the content of companies' Privacy Policies, as well as the way in which they are displayed. These laws are: the CCPA, CalOPPA and COPPA.

Although the laws have different requirements, they share the following traits:

  • They seek to protect the privacy and personal data of residents of California
  • They state that Privacy Policies must be clear and prominently displayed
  • They state that residents of California must be informed if their personal data is being collected

Ensure your Privacy Policy complies with California's laws by addressing the specific requirements of each law, as noted above. You should also make sure to include all the standard Privacy Policy clauses such as how you collect data, how you protect data and how your users can contact your company.