The California Consumer Privacy Act (CCPA/CPRA) requires affected businesses to take several actions, including publishing particular information in particular forms.
This includes a narrow list of information when collecting personal data and a wider list of information commonly known as a Privacy Policy.
In principle, and in short, there's no reason why a Privacy Policy can't satisfy this requirement, though you'll need to be clear about how you display and highlight it.
This article will discuss whether a Privacy Policy will satisfy the CCPA/CPRA's notice at collection requirement and what you need to know about the topic.
Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.
- Click on the "Free Privacy Policy Generator" button, located at the top of the website.
- Select where your Privacy Policy will be used:
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
- Continue with building your Privacy Policy while answering on questions from our wizard:
-
Almost done. Now enter your email address where you'd like your new Privacy Policy sent and click on the "Generate" button and you're done.
That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.
- 1. Who's Covered by the CCPA (CPRA)
- 2. The CCPA/CPRA's Principles and Broad Requirements
- 3. Categories of Personal Information Under the CCPA (CPRA)
- 4. Notice at Collection
- 5. Notice at Collection via a Privacy Policy?
- 6. Privacy Policy Compliance with the CCPA (CPRA)
- 7. Other Required Notifications Under the CCPA (CPRA)
- 8. Combining Required Notifications Under the CCPA (CPRA)
- 9. Summary
Who's Covered by the CCPA (CPRA)
The CCPA has been fully enforced since 1 July 2020, with the CPRA amendments taking effect on January 1, 2023. The CCPA (CPRA) affects the way you handle personal data about California residents if you are a business and meet any of three criteria:
- Your annual revenue is more than $25 million
- The number of California consumers whose personal data you buy, share or sell within any one-year period exceeds 100,000.
- At least half of your annual revenue comes from sharing or selling personal data about California consumers
The CCPA/CPRA's Principles and Broad Requirements
The CCPA (CPRA) upholds a number of consumer rights. It's important to know and understand these as they could affect any legal or regulatory dispute about your CCPA (CPRA) compliance and how to interpret the law:
- To know what data you collect about them
- To know if you sell or disclose their data
- To stop you from selling the data
- To request you delete their data
- To access the data you hold about them
- To limit the use of "sensitive persona information"
- To data portability
- To exercise these rights without you discriminating against them on price or service
Categories of Personal Information Under the CCPA (CPRA)
Naturally, the information you collect about each consumer (both the specific detail and the type of information) will vary immensely from case to case.
To make the notification requirements practical, the CCPA (CPRA) groups personal information into different categories. You'll refer to these categories when making the mandatory privacy notifications:
The categories are defined in full in section 1798.140.(o) of the CCPA's legislative text, but broadly they are as follows:
- Identifiers such as names, addresses and numbers, particularly government-issued numbers
- Personal information covered by subdivision (e) of Section 1798.80 of the California Code. In simple terms, this means anything that identifies an individual and isn't already public knowledge.
- Information about protected classifications. This means details of characteristics that you are not allowed to use for discrimination under California or federal law. Examples include age, marital status, race, religion and sexual orientation.
- Any commercial information such as past purchases
- Biometric information
- Information about online activity such as search and browsing history and whether the person viewed or clicked on a particular site, app or ad
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information. This is mainly about covering images, audio and video content that involves personal information.
- Professional and employment information.
- Educational information, specifically anything that's not publicly available but does directly or indirectly relate to or identify a student
- Inferences drawn from any information in the other categories to profile somebody. This could include trying to build up a picture of their preferences, personalities, beliefs or purchasing habits.
The CPRA amendment introduced a new category covering sensitive personal information. You need to include this whenever you list information about the existing categories.
The sensitive data category covers any of the following that isn't already public knowledge:
- A combination of financial details that could get access to an account, for example card number and online password
- Biometric data that you process to identify someone
- Communications between the consumer and a third party (in other words, not your business)
- Ethnic or racial origin
- Genetic data
- Geolocation (but only where it is "precise")
- Health data
- Membership of a union
- Numbers issued by the government such as Social Security or driver license number
- Religious or philosophical detail
- Sexual orientation or data about sex life
Consumers have the right to limit the way you use data in this category. If they exercise this right, you must only use this information to provide goods or services the customer requested. You can't use it for marketing.
The CPRA amendment says you must do one of two things to allow people to exercise this new right:
- Have a dedicated webpage and link to it from your homepage with the wording "Limit the Use of My Sensitive Personal Information"
- Combine it with the dedicated page for opting out of data sales. In this case you must still link from the homepage, but you can use any appropriate wording. (For example "Exercise my CCPA/CPRA rights" would likely be suitable.)
Notice at Collection
The first requirement for telling consumers about your data practices is a specific one. You must make this notification at the time of collection, before you collect the data.
The notification must say which category or categories the data falls into. You must then give a category-by-category breakdown of:
- How you will use the data
- Why you will use the data
- Whether you intend to pass on the data to a third party (whether sold or shared)
- If you will pass on the data, who will receive it
This advance notification covers your intentions when you collect the data.
If you later want to do anything not covered in the notification, such as using it for a new purpose or sharing it with somebody, you do not need new consent, but you must notify the person the data relates to.
As we'll detail later, consumers can demand that you stop selling their personal data.
Notice at Collection via a Privacy Policy?
In principle, you could combine the notification before collection and the Privacy Policy. You can do this where the data you are about to collect, for example through an account sign-up, falls into the same categories in which you've collected data in the past 12 months. If you intend to sell the data, it would need to be in a category in which you've sold the data in the past 12 months.
Indeed, the CCPA (CPRA) specifically says this is acceptable: "...the notice at collection may be given to the consumer by providing a link to the section of the business's privacy policy that contains the information required."
The logic behind this approach is that if the consumer knows that you have used/sold/disclosed data from a particular category before, they can reasonably conclude you will do so with the data you are about to collect
Just remember that:
- The details of the data you are collecting now (including the category and your intended use) must match what you have listed for the past 12 months. If you're doing something new (including collecting data in a different category), you will need to cover this in a standalone advance notification.
- If you work with a lot of data in different categories, simply pointing somebody to your Privacy Policy could be overwhelming and deter them from providing the data. A standalone advance notification may work better in cases where you are only collecting limited data or plan to use it in limited ways.
Some businesses, particularly those serving national audiences, produce a standalone section or separate page detailing the privacy rights of consumers in California.
This is allowed under the CCPA (CPRA), but you must make sure that:
-
You conspicuously highlight it so California consumers know to read the section
Rutan clearly signposts such a dedicated page next to the link to its main Privacy Policy:
- You are confident that California consumers can see all relevant information about their rights and your practices before you collect data
Privacy Policy Compliance with the CCPA (CPRA)
As well as advanced notification for collecting specific data, the CCPA (CPRA) also says you must have a document detailing particular information about your overall privacy practices. This is normally known as your Privacy Policy.
You must list the consumers rights under CCPA (CPRA) (which we covered earlier) and give at least one way a consumer can exercise these rights, for example a mailing address, email address or online form.
BusinessOL does this clearly:
You also need to list a category-by-category breakdown of whether you have collected, sold or disclosed (shared without payment) any personal information in the past 12 months. This covers all consumer data rather than that of a specific customer.
For each of the three activities (collect, sell, disclose) you need to list all the categories which the data falls into, or state that you have not collected/sold/disclosed any data.
Different businesses take different approaches to this requirement.
Some simply produce a list of relevant categories for each activity. Others find it easier to produce a single chart that shows each category and then whether the business has collected/sold/disclosed data in that category.
Which is best may depend on how much data you have used in this way and how many categories it involves.
Here's an example of how you can use separate charts for each type of use (collect/sell/disclose). It goes beyond the minimum compliance by listing in detail what each category covers:
Refinitiv opts for a list of the relevant categories:
Now let's take a look at what else the CCPA (CPRA) requires that you need to be aware of.
Other Required Notifications Under the CCPA (CPRA)
As noted, the CCPA (CPRA) gives people the right to stop you from selling their personal information. Once they do so, you must comply within 10 days and cannot resume sales until the person gives permission. You cannot ask for permission for at least one year.
As well as your pre-collection notification and your Privacy Policy, the CCPA (CPRA) says you must have a specific page on your website that lets people exercise this right. For example, this could be an online form or a direct email address link.
You must include a link from your home page to this dedicated page, and the link must use the text "Do Not Sell My Personal Information."
The Los Angeles Times does this in its home page footer:
Note that this opt-out principle doesn't apply where the person the data is about is under 16 (whether you know their age for sure, or you should have known). In these cases, you need advance consent to sell the data and simply notifying in advance isn't enough.
If the child is aged 13 to 16 you need their consent. If they are under 13, you need a parent or guardian's consent.
Combining Required Notifications Under the CCPA (CPRA)
You may feel it would be easier for you and consumers if you combined the various pieces of information the CCPA (CPRA) requires you to provide.
The first thing to understand on this point is that you cannot do this with the "Do Not Sell" page. The CCPA (CPRA) specifically says you need a dedicated page for exercising the opt-out right.
Summary
Let's recap what you need to know about notifications under the CCPA (CPRA):
- The CCPA (CPRA) applies if you handle data about California residents and meet criteria on revenue, the number of Californians whose data you collect, or the proportion of your revenue that comes from selling California consumers' data.
- You do need to tell people about your data practices, using 12 categories of data to organize the details.
- When collecting data you must say which categories you are collecting. For each category, you must say how and why you are using it and whether you plan to disclose it (and who will get it). You must also note how long you plan to retain it.
- You must have a Privacy Policy that lists the CCPA (CPRA) rights and how to exercise them.
-
Your Privacy Policy must give a category-by-category breakdown of your data practices in the past 12 months. For each category you must say whether or not you have collected data, whether or not you sold it, and whether or not you disclosed it.
- This breakdown could be a list or a table depending on the amount of detail involved.
- People have the right to opt out of your data sales. You must make this right available through a dedicated web page. Your home page must link to this using the words "Do Not Sell My Personal Information."
-
You can combine the advance notification and Privacy Policy in a single document. (The opt-out page must always be separate.)
- Combining the documents is only appropriate where your plans for the data you are collecting now match the way you used it in the previous 12 months.