The California Consumer Privacy Act (CCPA) came into effect on January 1st, 2020 and you'll need to ensure that your Privacy Policy is compliant with the Act.

If your company is already compliant with the EU's General Data Protection Regulation (GDPR) you should have less work to do since some the CCPA's rules mirror those found in the GDPR.

However, there are still several important updates you will need to make.

Before we consider how the CCPA with affect your Privacy Policy, let's take a quick look at what the CCPA is.


What is the CCPA?

The CCPA creates strict privacy rules for businesses to comply with.

The Act gives consumers additional rights, for example, it enables consumers to demand companies disclose what personal information they have collected. The CCPA also enables consumers to request companies delete their data and to stop companies from sharing their data with third parties.

Overall, the Act forces businesses to be more transparent with regard to how they collect, use and share consumer's personal data.

Finally, the CCPA allows consumers to sue businesses that fail to comply with the privacy rules.

Who Does the CCPA Apply to?

Notably, companies do not need to have any physical presence in California for this law to apply.

The CCPA applies to any business that:

  • Has an annual gross revenue of $25 million or more,
  • Collects or receives the personal data of 50,000 people or more, or
  • Makes more than half of its gross annual revenue from selling personal data

How Does the CCPA Affect Your Privacy Policy?

How Does the CCPA Affect Your Privacy Policy?

There are a few ways in which the CCPA affects both the content of your Privacy Policy and the way it's displayed.

Let's break down each of these requirements.

The CCPA states that company websites must contain a conspicuous link to their Privacy Policy on the website homepage.

Many companies choose to place a link in the website's footer since this is often where consumers check for legal policies.

Retailer Bloomingdales provides links to the store's Privacy Policy and privacy notices on the website's homepage:

Bloomingdales website footer with CA Privacy Rights and Privacy Policy links highlighted

12 Month Updates

The CCPA requires companies to update their Privacy Policy every 12 months.

To ensure your Privacy Policy is CCPA-compliant you will need to implement a way of keeping track of the updates made to your policy.

In addition, the policy needs to clearly display the date it was last updated. You may also wish to include a short summary of information advising what was changed in the most recent update.

Microsoft's Privacy Policy displays the date it was last updated at the top of the policy. The company also provides a link named 'what's new?' which enables consumers to easily locate any updates:

Microsoft Privacy Statement: Last Updated data and update link

In addition to the above requirements affecting the placement of your Privacy Policy and when it was last updated, there are several requirements regarding the content of your policy. These are as follows.

"Do Not Sell My Personal Information"

"Do Not Sell My Personal Information"

The CCPA requires companies that sell personal data to display a 'clear and conspicuous' link titled "Do Not Sell My Personal Information."

This link must be displayed in the Privacy Policy, as well as the footer of the website's homepage. The purpose of the link is to enable consumers to opt out of having their personal data sold.

Companies that do not sell personal information are exempt from this requirement, therefore if your business does not sell personal data you are not required to include this link. Note that the Act defines the sale of personal data as a company who shares data with a third party "for monetary of other valuable consideration."

On the other hand, companies that do sell personal information are required to display the link to a page that informs consumers how to stop the sale of their information. Therefore, if your company does sell consumer's personal information you must add the "Do Not Sell My Personal Information" link to both your Privacy Policy and your website's homepage in order to be compliant with the CCPA.

For the sake of clarity, some companies choose to include the link even though they do not sell personal information.

Deluxe has written a Privacy Notice for residents of California that includes a clause for how a user can opt out of the sale of personal information:

Deluxe Privacy Notice: California-Specific Addendum - Do Not Sell My Personal Information clause

The notice also includes a link to an opt out request form:

Deluxe Privacy Notice: California-Specific Addendum - Right to Opt Out clause

Semasio includes a link to the company's 'Opt-Out - Do Not Sell My Information' page in the website's footer:

Semasio website footer with links

The footer link takes the user to a page where they are able to click a button enabling them to opt out of the collection, use or sale of their information:

Semasio: Screenshot of Opt-Out page

Wilmington Endocrinology has gone as far as to include a 'Do Not Sell My Personal Information' link in its cookie consent notice, which pops up as soon as a user arrives on the website for the first time:

Wilmington Endocrinology cookies notice

However, it doesn't include a link to this page or the Privacy statement in the website footer. Including it in the footer versus the cookie notice - which only shows up once - would be a better move here.

When users click on the link in the cookie notice, they're taken to a page where they are able to object to their personal data being sold by entering their name and email address:

Wilmington Endocrinology: Form to object to selling of personal data to third parties

It's better to link this page in a few locations than just once. Adding it to a cookie notice is nice, but it needs to be elsewhere on the website, and somewhere where a user would know to look.

Categories of Information Collected

Categories of Information Collected

The CCPA states that companies must disclose a list of all the categories of personal data that the business has collected in the previous 12 months from any source.

This ties in with the requirement to update Privacy Policies annually. When you update your Privacy Policy you will need to list all of the categories of personal data that your company collected in the previous 12 months (up to the point of the annual update).

The CCPA has defined the categories of information that must be disclosed, and these include:

  • Personal identifiers (e.g. IP address, telephone number, cookies, beacons)
  • Information protected against security breaches (e.g. name, password, social security number)
  • Categories of personal information listed in the California Customer Records statute
  • Protected classification information (e.g. sexuality, ethnicity, sex)
  • Commercial Information (e.g. records of services purchased)
  • Internet activity (e.g. browsing history, search history)
  • Geolocation
  • Audio, electronic, thermal and video data
  • Professional or employment related information
  • Education information
  • Biometric data (e.g. fingerprints, voice recording, DNA)
  • Inferences drawn from profiling

Pharmaceutical company NeilMed has included a table which states what each category of personal data is and whether or not the company has collected that category of data within the last 12 months:

NeilMed CCPA Privacy Notice: Excerpt of chart - Information We Collect

NVA's Privacy Policy has a section specifically for California users. It lists the categories of information collected that mirror the CCPA itself, gives examples and states whether or not the company collects that category of information:

NVA Privacy Notice for California Residents: Excerpt of Information We Collect clause

Fico states that the company collects information drawn from inferences and provides a good explanation of what inferences are:

Fico Privacy Policy: Inferences clause

Blackthorn also states what types of information the company collects, as well as clarifying what categories of personal information the company does not collect:

Blackthorn Privacy Notice: Section about special categories of personal data

Sources of Information Collection

After your Privacy Policy has divulged the categories of information collected in the last year, it must also state what source(s) each category of data was collected from.

NVA advises that the company obtains personal information from both direct and indirect sources:

NVA Privacy Notice for California Residents: Information We Collect clause - Categories of Sources excerpt

Fico offers a detailed explanation of where the company obtains each category of information:

Fico Privacy Policy: Excerpt of Sources of Personal Data clause

Be as detailed and specific as possible here, and don't leave anything out.

Why You Collect Personal Information

Your Privacy Policy must inform consumers why you collect the categories of personal data that you do. It should clearly explain what you use the information for.

If you already have a Privacy Policy it is likely it contains a clause advising users why you collect data. However, you still need to ensure that your current explanation covers all of the categories of personal data your company collects in order to comply with the CCPA.

Vimeo includes a clause which explains how the company uses personal data, for example, for marketing and advertising:

Vimeo Privacy Policy: How We Use Your Data clause

Crescent Cove Advisors complies with the CCPA by including a clause that explains how the company uses the personal data it collects:

Crescent Cove Privacy Policy: Purposes For Which Your Information is Used clause

Categories of Personal Information Disclosed for Business Purposes

As well as listing the categories of personal data your business has collected in the past 12 months, your Privacy Policy must also list the categories of personal data that have been "disclosed for business purposes" in the past 12 months.

If you're wondering what actions are classed as"business purposes" the CCPA has clarified this in section 1798.140 (note that the screenshot is just an excerpt):

Excerpt of CCPA Section 1798 40 - Excerpt of definition of Business Purpose

The section goes on to state that the following activities count as 'business purposes':

  • Auditing
  • Detecting security incidents
  • Debugging to identify and repair errors
  • Short-term uses
  • Performing services
  • Internal research for technological development and demonstration
  • Testing or improving the quality or safety of a service

It's important to note that if your business has not disclosed any categories of data for business purposes in the last year, this must also be stated.

Additionally, you must state if you have shared information with a third party which is then disclosed for business purposes on your behalf.

NeilMed advises which third parties personal data is shared with and includes a list of categories of information that the company has disclosed for business purposes in the last 12 months. The clause also advises of the categories of data that have not been disclosed for business purposes in the preceding 12 months:

NeilMed CCPA Privacy Notice: Excerpt Sharing Personal Information clause

NVA states that the company has not disclosed any information for business purposes in the preceding 12 months:

NVA Privacy Notice for California Residents: Disclosures of Personal Information for a Business Purpose clause

As always, be as descriptive and informative as possible here for transparency and clarity purposes.

Categories of Personal Information Sold

Categories of Personal Information Sold

To be CCPA-compliant, your Privacy Policy must also state what categories of information have been sold within the last 12 months. This is something that needs updating when your company does its annual policy update (also a CCPA requirement).

If you do not sell any categories of information, this should be stated in your policy.

For example, NVA states that the company has not sold any categories of information in the preceding 12 months:

NVA Privacy Notice for California Residents: Sales of Personal Information clause

If this changes at any time, you need to update your policy with accurate information to reflect your current practices. Don't wait until the 12-month update mark, but rather update it in real time.

Children's Opt-In

Children's Opt-In

The CCPA creates an opt-in requirement for children aged between 13 and 16 years old. Children in this age range must opt in to the sale of their personal data in order for the company to be able to sell the data.

Additionally, the CCPA requires companies to obtain the consent of a parent or guardian prior to selling a child's data if the child is below the age of 13.

This opt-in requirement is especially relevant to any business that markets towards children, however it affects any business with "actual knowledge" of the child's age.

It is essential to include a clause in your Privacy Policy which explains the opt in requirement for minors if children under 16 use your website or app.

If your company does not sell the personal data of children under 16 this is also the ideal place to state this fact.

NVA includes a clause which clearly explains the opt-in rights of children aged 13-16, as well as the opt in rights of children below 13:

NVA Privacy Notice for California Residents: Personal Information Sales Opt-Out and Opt-In Rights clause

Instructions are provided for how the child or an authorized representative can opt out of having their personal information sold.

Consumer Rights

Consumer Rights

The CCPA creates several consumer rights which are relevant to your Privacy Policy.

Consumers have the right:

  • To access their personal data
  • To delete their personal data
  • Not to be discriminated against for exercising their rights under the CCPA

Let's breakdown the individual clauses your policy will need to include to comply with these rights.

Access to Personal Data

Consumers have a right to access their personal data. It is not enough to simply advise users of their access rights, you must also inform them how to access their personal data.

In addition, make sure that you inform consumers that you will respond to their request within 45 days, as this is a requirement of the CCPA.

Squared Up informs users of their right of access and briefly explains what the right entails:

Squared Up Privacy Policy: Your Legal Rights - Request access clause

NeilMed also informs users of their right to access certain information and confirm what the company is able to disclose:

NeilMed CCPA Privacy Notice: Access to Specific Information and Data Portability Rights clause

The company also advises how to exercise consumer rights:

NeilMed CCPA Privacy Notice: Exercising Access, Data Portability and Deletion Rights clause

Deletion of Personal Data

Your Privacy Policy must contain a clause advising of the consumer's right to have their personal data deleted. Once again, it is not enough to simply tell users about the right, you must also inform them how to exercise this right.

Make sure that your policy advises users of their right to delete their personal information and explain how the user is able to make this request.

NVA advises consumers of their deletion rights and explain that the data will be deleted once the company has verified a request:

NVA Privacy Notice for California Residents: Deletion Request Rights clause

NeilMed explains the right to deletion granted under the CCPA and also advises of the exemptions to this right:

NeilMed CCPA Privacy Notice: Deletion Request Rights clause

Cellebrite advises of the consumers rights to access and deletion in one succinct clause. The company also explains how to exercise the rights and provides a link consumers can use for the same:

Cellebrite Privacy Notice: Your Rights Under the EU Laws and Under the CCPA clause

In some cases, you may be required to provide a toll-free phone number for your users to contact you through as part of their CCPA rights.

Protection from Discrimination

The CCPA states that consumers must not be discriminated against for exercising their rights.

In light of this, your Privacy Policy should inform consumers that they will not be discriminated against for exercising their rights under the CCPA.

For example, your policy should state that consumers will not be denied goods or services for exercising their consumer rights.

Deluxe informs consumers about their non-discirmination rights in the company's Privacy Policy:

Deluxe Privacy Notice: California-Specific Addendum - Verify identity to exercise rights clause

NVA also informs consumers about non-discrimination:

NVA Privacy Notice for California Residents: Non-Discrimination clause

Summary

The CCPA requires companies to be transparent about data collection and sharing.

The Act gives consumers certain rights over their personal data, such as the right to access and delete data. Consumers are also able to opt out of their data being shared with third parties.

Additionally, companies are required to inform users of these rights and explain how to exercise them.

To ensure your Privacy Policy is CCPA-compliant, you will need to add clauses specific to the above rights and update your Privacy Policy every 12 months, displaying the date of the last update.

To update your Privacy Policy, you must know what categories of data you collect and why, what you disclose for business purposes and what information you sell to third parties.

Finally, the Act states that consumers must not be discriminated against for exercising their rights and enables consumers to sue businesses who fail to comply with the Act.