Californians spent January 1, 2020 like most other Americans:  making (and breaking) New Year’s resolutions, watching college football bowl games and saying farewell to 2019.

But Californians also woke up that day to new privacy rights granted to them as a result of the California Consumer Privacy Act, a first-in-the-United States privacy law that gives individuals the right to know, access and delete personal information that businesses collect about them.

For businesses subject to the CCPA, the Act imposes a number of compliance obligations starting on January 1, 2020 (think of them as mandatory New Year’s resolutions). These obligations are so unique that California Attorney General Xavier Becerra recently invoked Star Trek to describe them, saying that California’s new privacy law is going “where no one has gone before.”

The CCPA Privacy Policy requirements are a perfect example of this: they are complicated, numerous, and in some instances never have been seen before. In this blog, we explore the required elements of a CCPA-compliant Privacy Policy and discuss how businesses can navigate this new frontier.

Privacy Policy Goals

According to the CCPA, the purpose of a Privacy Policy is to provide consumers with a comprehensive description of a business’s online and offline practices regarding the collection, use, disclosure and sale of personal information, and of the rights of consumers regarding their personal information. (The reference to “offline practices” means that the Privacy Policy also must describe the personal information that the business collects offline, such as in connection with the use of security cameras and closed circuit television.)

Data Privacy eBook

Easy to Read,” “Understandable” and Accessible to All

The Privacy Policy also should be “easy to read” and “understandable” to an average consumer.  (Given the amount of information that must be in the Privacy Policy, that is a task that is easier said than done.)

The Privacy Policy should use plain, straightforward language. It must be in a format that draws the consumer’s attention and makes the policy readable and it must be available in the language(s) in which the business ordinarily provides contracts and announcements to consumers.

The Privacy Policy also must be must be accessible to consumers with disabilities and must be available so that consumers can print it as a separate document.

Pro Tip #1:

The Privacy Policy required by the CCPA is in addition to the privacy policies required by other California laws, such as the California Online Privacy Protection Act (“CalOPPA”).

Sure, But What Must the CCPA Privacy Policy Say?

Get ready.  It’s a long list.  The Privacy Policy must:

1 • Explain that a consumer has the right to request that the business disclose what personal information that the business collects, uses, discloses and sells. To do this, the Privacy Policy must:

  • Provide instructions for submitting a verifiable consumer request to know and provide links to an online request form or portal for making the request, if offered by the business;
  • Describe the process the business will use to verify the consumer’s request, including any information the consumer must provide. If there is no reasonable method by which a business can verify the identity of the consumer to the degree of certainty required by the CCPA and this is the case for all consumers whose personal information the business holds, the Privacy Policy shall state this;
  • Describe the business’s practices regarding the collection of personal information. The Privacy Policy must:
    • Describe the categories of personal information that the business has collected about consumers in the preceding 12 months; and
    • For each category of personal information collected, provide the categories of sources from which that information was collected (meaning from the consumer or some other third-party source), the business or commercial purpose(s) for which the information was collected, and the categories of third parties with whom the business shares personal information.
  • Describe the business’s practices regarding the disclosure or sale of personal information. The Privacy Policy must:
    • State whether or not the business has disclosed or sold any personal information to third parties for a business or commercial purpose in the preceding 12 months;
    • List the categories of personal information, if any, that it disclosed or sold to third parties for a business or commercial purpose in the preceding 12 months; and
    • State whether or not the business sells the personal information of minors under 16 years of age without affirmative authorization.

2 • Explain that a consumer has a right to request the deletion of their personal information collected or maintained by the business.  The Privacy Policy must:  

A. Provide instructions for submitting a verifiable consumer request to delete and provide links to an online request form or portal for making the request, if offered by the business; and

B. Describe the process the business will use to verify the consumer request, including any information that the consumer must provide.

Pro Tip #2:

The CCPA Privacy Policy must be updated at least once every 12 months.

3 • Describe the consumer’s right to opt out of the sale of personal information. To do this, the Privacy Policy must:

A. Provide instructions for submitting a verifiable consumer request to delete and provide links to an online request form or portal for making the request, if offered by the business; and

B. Describe the process the business will use to verify the consumer request, including any information that the consumer must provide.

4 • Explain that the consumer has a right not to be treated differently because the consumer has exercised privacy rights conferred by the CCPA;

5 • Explain how a consumer can designate an authorized agent to make a request under the CCPA on the consumer’s behalf;

6 • Provide consumers with a contact to whom they may direct questions or concerns about the business’s privacy policies and practices;

7 • State the date the privacy policy was last updated.

8 • If a business alone or in combination annually buys, receives, sells or shares the personal information of 4 million or more consumers, the Privacy Policy also must report the following metrics for the previous calendar year:

A. The number of requests to know, delete and opt-out that the business received, complied with in whole or in part, and denied; and

B. The median number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt out.

Posting the Privacy Policy

Businesses are required to post their CCPA Privacy Policy on their website homepage (or on the landing page of a mobile application) using a conspicuous link using the word “privacy.” A business that does not operate a website shall make the privacy policy conspicuously available to consumers (such as by posting it conspicuously at the business’s location).

Don’t Have a CCPA Privacy Policy Yet?  

The CCPA Privacy Policy list of “must-haves” is daunting, to say the least. But don’t throw in the towel if your business was not able to post a CCPA-compliant Privacy Policy by January 1, 2020.

Attorney General Becerra has stated that his office will “look kindly” on companies that demonstrate a good-faith effort to comply with the law, whereas his office will “make an example of” companies who are not operating properly. So keep at it. And live long and prosper.