Is Your Privacy Policy Compliant with the CCPA?
Use this checklist to make sure you’re on the right side of California’s data privacy law

The California Consumer Privacy Act (CCPA) was signed into law in June 2018 and took effect on January 1, 2020. While it is not accurate to call the CCPA the “American GDPR,” it did grant California consumers significant new data privacy rights, including the right to know what personal information companies collect about them and why, the right to opt out of the sale of that information, the right to have it deleted, and a private right of action when certain personal information is exposed in a data breach caused by a failure to maintain reasonable security practices. Other violations are enforced by the California Attorney General rather than through consumer lawsuits.
Does your company have to comply with the CCPA?
Before looking at what goes into a CCPA-compliant privacy policy, let’s review who is subject to the CCPA. Whether your company needs to comply depends on where your customers live, not where your company is located. If your for-profit business does business in the state of California and meets at least one of the following criteria, you must comply with the CCPA, even if you have no physical offices in the state:
- Your company’s annual gross revenue exceeds $25 million
- 50% or more of your company’s annual revenue is derived from selling consumers’ personal information
- Your company annually buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices
The International Association of Privacy Professionals estimates that over 500,000 U.S. businesses must comply with the CCPA, about 80% of them located outside of California. Companies located outside the U.S. must comply as well, so long as they do business with California residents and meet at least one of the three criteria specified above.
Make sure your privacy policy complies with the CCPA
One of the most visible requirements of the CCPA is that a business subject to it must post a privacy policy that tells consumers what personal information it collects and what rights they have under the law. That’s why you’ve been receiving emails since the New Year from companies you’ve done business with, notifying you that they’ve updated their privacy policies. If your company must comply, you’ll probably have to make some changes, too, even if you’re already compliant with the GDPR.
The details will vary greatly depending on your company’s business model and protocols, so for best results, consult with a compliance professional. However, at a bare minimum, a CCPA-compliant website privacy policy should include the following.
A description of consumers’ rights and instructions for exercising them
That’s right. You need to inform your customers about the rights they have under the CCPA, such as the right to opt out of having their personal information sold, the right to obtain a copy of the personal information your company has collected about them, and the right to request deletion of that information (subject to the statutory exceptions). You also must provide “two or more designated methods” by which they can contact your company to exercise those rights, including at a minimum a toll-free telephone number; a business that operates exclusively online and has a direct relationship with the consumer may instead offer only an email address.
A detailed description of your data collection and sharing practices
This includes:
- What categories of personal information your company is collecting and why
- How your company collects this information
- Who your company may share this information with, and why it’s being shared with those parties
- A list of all the categories of personal information your company has sold or shared over the past 12 months, or a statement that you don’t sell or share personal information
- If your company sells consumer information, a link to a page specifically titled “Do Not Sell My Personal Information.” It’s important to note that this link is in addition to, not a replacement for, the one that the CCPA requires you to put on the front page of your website.
A description of your data sale policies regarding minors under 16
The CCPA gives special protection to consumers under the age of 16. Organizations cannot sell the personal information of a consumer under 16 unless the consumer has opted in. If the minor is at least 13 years of age, they can opt in themselves; if the minor is under 13, their parent or guardian must opt them in on their behalf. A business that willfully disregards a consumer’s age is treated as having actual knowledge of it.
If your company sells only to consumers aged 16 and over, include a statement that your company does not knowingly collect or sell personal information from consumers under the age of 16. If your company does sell the personal information of consumers under 16, you need to establish a “reasonable process” for them or their parents to opt in and describe it in your privacy policy.
A non-discrimination statement
The CCPA prohibits companies from discriminating against consumers who choose to exercise their rights under the law; for example, by charging them higher prices, denying them goods or services, or providing a lower level of service. Your privacy policy should include a statement of non-discrimination. If you offer a financial incentive in exchange for personal information, the incentive must be reasonably related to the value of that information and the consumer must opt in to it.
The policy’s effective date
The CCPA requires that organizations review their privacy policies every 12 months. Note your policy’s effective date, and change it after you complete your annual review, even if no changes were necessary.
The CCPA also mandates that you place a link to your privacy policy in a “conspicuous” location on the front page of your website — no more hiding it in tiny print within your TOS!
Other states are following California’s lead
One of the reasons why the CCPA is not the “American GDPR” is that it applies only to California residents. However, that doesn’t mean businesses that aren’t covered by the CCPA are off the hook. As California goes, so goes the nation; numerous other states, tired of waiting for the federal government to address the issue, are using the CCPA as a model to craft their own data privacy laws. Even if your company doesn’t need to comply with the CCPA, it will probably face similar legislation soon.
It’s a good time to take a hard look at your data collection and governance procedures. States are passing CCPA-like laws because their constituents are demanding them. As more consumers insist that companies not only secure their data but also protect their privacy, organizations with solid data security and transparent privacy policies that put the consumer in control will have a distinct edge over the competition.