How to Update Your CCPA Privacy Policy for the CPRA

If you have a large business or a lot of customers in California, you may already need a Privacy Policy to comply with the California Consumer Privacy Act of 2018 (the CCPA).

The CCPA's requirements are enhanced and updated in a new law, the California Privacy Rights Act (the CPRA).

Here's how you need to update your CCPA Privacy Policy to comply with the law.


Who is Affected by the CPRA?

The existing CCPA's measures have been enforced since 1 July 2020. The law applies in any of three cases:

  • Your business has an annual revenue exceeding $25 million
  • In any one-year period, your business buys, sells or shares personal data relating to more than 50,000 consumers, devices or households in California
  • Your business makes at least half of its annual revenue from selling personal data relating to California consumers

The CPRA passed as a ballot initiative in November 2020. It will take legal effect from 1 January 2023 with enforcement beginning on 1 July 2023. In effect, the CPRA will replace the CCPA. It will continue all of its requirements and add new ones, but will reduce the scope of businesses that come under the law.

If you are not currently covered by the CCPA, you will not have to follow the CPRA.

You may be covered by the CCPA but excluded from the CPRA. This is because the threshold for buying, selling or sharing data increases to 100,000 consumers or households, with devices no longer counting.

Existing CCPA Privacy Policy Requirements

Let's recap what your Privacy Policy should include to comply with the CCPA. You'll need to continue doing this under the CPRA.

The CCPA is based around five consumer rights:

  • Knowing what data you collect about them
  • Knowing if you sell or disclose the data
  • Stopping you from selling the data
  • Accessing the data you have collected
  • Exercising these rights without discrimination on price or service

You must comply with the "rights to know" by giving clear information about 11 categories of data. For each category you must separately say whether you collect data, how you use data and whether you share data.

In your Privacy Policy, this information must cover your data collection, use and sharing in the past 12 months.

The categories are as follows:

(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.

(B) Any categories of personal information described in subdivision (e) of Section 1798.80. (This effectively covers any information that identifies an individual, unless that information is public knowledge.)

(C) Characteristics of protected classifications under California or federal law.

The California protected characteristics are as follows:

  • Age
  • Ancestry and national origin
  • Gender identity or expression
  • Genetic information
  • Marital status
  • Medical conditions
  • Mental or physical disability
  • Military or veteran status
  • Pregnancy, childbirth, breastfeeding or related medical conditions
  • Race
  • Religion
  • Sex and gender
  • Sexual orientation

(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

(E) Biometric information

(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement.

(G) Geolocation data

(H) Audio, electronic, visual, thermal, olfactory, or similar information

(I) Professional or employment-related information

(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99). (This includes the name or address of a student or their family members; personal identifiers of the student such as a student number; and any information that indirectly identifies a student.)

(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

VMWare gives a clear breakdown of which categories of data it shares and the types of recipient:

VMWare California Privacy Rights: Category of Personal Information chart excerpt

The CCPA also says you must allow people aged over 16 to opt out of you selling their personal data. For those aged 13 to 16, it's an opt-in system meaning you can't sell the data until you have consent. For under-13s you must get parental or guardian consent before selling data.

You must have a dedicated web page for exercising this opt-out. Your home page must link to this dedicated page using link text reading "Do Not Sell My Personal Information."

The LA Times goes a step beyond the minimum requirement by including the link on every page through its navigation menu:

LA Times website footer with Do Not Sell My Personal Information link highlighted

Now let's take a look at what changes are coming that will affect all of this.

Changes in the CPRA that Affect Your Privacy Policy

The CPRA's main changes are a new category for data, an additional notification requirement and several extra rights for consumers. You'll need to address all of these in your Privacy Policy, so let's break them down.

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:

     FreePrivacyPolicy: Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1

  3. Answer a few questions about your business:

     FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  4. Enter the country and click on the "Next Step" button:

     FreePrivacyPolicy: Privacy Policy Generator - Enter the country - Step 2

  5. Continue building your Privacy Policy by answering the questions from our wizard:

     FreePrivacyPolicy: Privacy Policy Generator - Answer questions from our wizard - Step 3

  6. Almost done. Now enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button, and you're done.

     FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 4

That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.


Sensitive Personal Information

This is a new 12th category that you must use when running down how you collect, use and share data. It covers the following:

  • Any communications the consumer has with a third party (i.e., somebody outside your business)
  • Biometric data processed to identify an individual
  • Data about sexual orientation or sex life
  • Financial account details in a combination (for example card number and password) that gives access to an account
  • Genetic data
  • Government-issued numbers (such as a social security number or a number on a passport, or driver's license)
  • Health data
  • Philosophical or religious beliefs
  • Precise geolocation
  • Racial or ethnic origin
  • Union membership

Note that any information that is already publicly available does not count as either personal or sensitive personal information.

As well as being a category for notification purposes, sensitive personal information enjoys an extra level of protection. Consumers can tell you to only use this information to provide requested goods or services. If they do so, you can't use the information for other purposes such as marketing, even if you tell the consumer you are doing so.

As with the right to opt out of data sales, the CPRA says you must have a dedicated web page where customers can exercise this right. In this case, you must link to it from your home page using the wording "Limit the Use of My Sensitive Personal Information."

However, you can combine both opt outs into a single page and use a single home page link. In this case you can use any appropriate wording for the link.

Data Retention Notification

The CPRA adds a new notification requirement (alongside data you collect, use of data and sharing of data). This fourth notification must say either how long you will keep the data or how you will decide when to dispose of it.

As with the other three notifications, you must list this data retention detail for each and any of the 12 categories (including the new "sensitive personal information") in which you hold data.

The Rotary Club of Anaheim's Privacy Policy already covers data retention, though not yet on a category-by-category basis:

Rotary Club of Anaheim Privacy Policy: Retention of Your Personal Data clause

Clauses like this will need to be updated to be more specific if they're to comply with the CPRA.

New Consumer Rights

The CPRA gives the consumer two new rights and enhances an existing right. You should note these rights in your Privacy Policy, along with details of how to exercise the rights.

Data Sharing

While the CCPA only gave consumers the right to opt out of you selling their data, the CPRA expands this right so they can opt out of you sharing or disclosing it to a third party in any way, even without payment.

Data Correction

The CPRA gives consumers the right to ask that you correct any inaccuracies in their personal information.

If you only operate online and you deal with the consumer directly, you can give them an email address for making correction requests.

If you have an offline presence, you must offer two ways to exercise this right. One must be a toll-free phone number.

House of Air already provides a way to request a correction by email. It will need to add the toll-free number when the CPRA takes effect:

House of Air Privacy Policy: Controlling Your Personal Information clause excerpt

Automated Decision Making

Under the CPRA, you must tell consumers if you use their data for automated decision making (also called data profiling). This is a simple yes or no covering all types of data. You don't have to break it down by category.

Consumers don't have the blanket right to stop you using their data for any form of automated decision making but can tell you not to use it for profiling any of the following:

  • Behavior
  • Economic situation
  • Health
  • Interests
  • Location or movements
  • Performance at work
  • Personal preferences
  • Reliability

Displaying Your CPRA-Compliant Privacy Policy

The full text of the CPRA makes clear that a notice such as a Privacy Policy is necessary to comply with both the spirit and the letter of the law.

The law's stated purpose is to enable consumer rights including having "the information necessary to exercise meaningful control over businesses' use of their personal information..." Hiding or downplaying this information would restrict this right.

The law also specifically states that some of the information must appear in your online Privacy Policy if you have one. If you don't, the information must still appear on your website. In both cases, you must update the information at least once every 12 months.

The information you must publish is as follows:

  • The consumer's rights under the CPRA including how they can make data access requests.
  • A category-by-category breakdown of whether you have collected data, where you got it, why you use it, and who (or what type of organization) you've disclosed it to in the past 12 months.

Some organizations choose to have a separate section or page covering privacy rights for California consumers. The CPRA says this is an acceptable alternative to including the information in a main Privacy Policy, as long as you clearly signpost its existence and availability.

Aramark has a dedicated California page, organized around the CCPA consumer rights:

Aramark California Privacy Rights page excerpt

While the CPRA does not specifically require it, it's good practice to link your Privacy Policy to your website footer, in your navigation menus, and from any point where you are about to collect personal data, such as a sign-up form. This will also help if you come under other privacy laws, for example those which require advance consent to use personal data.

The San Diego Union-Tribune has a dedicated link that appears at the bottom of every page of its website:

San Diego Union Tribune website footer with Privacy Policy link highlighted

Summary

Let's recap what you need to know about the CPRA and your Privacy Policy.

  • The CPRA takes effect in 2023 and builds upon the existing CCPA. It incorporates most of the CCPA's measures.
  • The CPRA will apply to your business if:

    • Your annual revenue is more than $25 million,
    • You buy, sell or share personal data about more than 100,000 California residents or households in a year, OR
    • You make at least half your annual revenue by selling California consumers' personal data
  • The CCPA says you must tell consumers about your data practices in 11 defined categories. For each category you must say whether you collect data, how you use it, and whether you share it.
  • People can opt out of you selling their personal data. You must have a dedicated page for exercising this opt out and link to it from your home page.
  • The CPRA adds a new category of "sensitive personal information." You must use this alongside the original 11 categories when giving details of your data practices.
  • Under the CPRA, consumers can opt out of you using sensitive personal information for anything other than supplying requested goods or services. Again, you must have a dedicated page for exercising this opt out and link to it from your home page. (You can combine this with the page for exercising the opt out from data sales.)
  • Under the CPRA, you must give a category-by-category breakdown of how long you will keep personal data.
  • The consumer right to opt out of data sales expands under the CPRA to cover any form of data sharing.
  • The CPRA gives consumers the right to correct their personal data.
  • Under the CPRA, you must tell consumers if you use personal data for automated decision making (profiling). Consumers can stop you using their data for some, but not all, types of profiling.
  • The CPRA specifically says some information must appear in your online Privacy Policy (or elsewhere on your website if you don't have a Privacy Policy). This information is:

    • The consumer's rights and how to make data access requests
    • The category-by-category breakdown of what data you collect, where you got it, the purpose for using it, and who you've disclosed it to