Is Your Privacy Policy Compliant with the CCPA?

Teresa Rothaar
Jan 20, 2020 · 4 min read

Use this checklist to make sure you’re on the right side of California’s data privacy law

[Photo: Businesswoman lounging on a couch with her laptop. Photo courtesy of Matthew Henry on Burst]

The California Consumer Privacy Act (CCPA) became law on January 1, 2020. While it’s not accurate to call the CCPA the “American GDPR,” it did grant California consumers significant new data privacy rights, including the right to know what information companies are collecting on them and why, the right to prohibit the sale of their information, and the right to sue companies that violate their data privacy rights — even absent a data breach.

Does your company have to comply with the CCPA?

Before looking at what goes into a CCPA-compliant privacy policy, let’s review who is subject to the CCPA. Whether your company needs to comply is dependent on where your customers live, not where your company is located. If your firm does business in the state of California and meets at least one of the following criteria, you must comply with the CCPA, even if you have no physical offices in the state:

The International Association of Privacy Professionals estimates that over 500,000 U.S. businesses must comply with the CCPA, about 80% of them located outside of California. Companies located outside the U.S. must comply as well, so long as they do business with California residents and meet at least one of the three criteria specified above.

Make sure your privacy policy complies with the CCPA

One of the most visible requirements of the CCPA is that all commercial websites must have a privacy policy that advises consumers of their rights under the law. That’s why you’ve been receiving emails since the New Year from companies you’ve done business with, notifying you that they’ve updated their privacy policies. If your company must comply, you’ll probably have to make some changes, too, even if you’re already compliant with the GDPR.

The details will vary greatly depending on your company’s business model and protocols, so for best results, consult with a compliance professional. However, at a bare minimum, a CCPA-compliant website privacy policy should include the following.

A description of consumers’ rights and instructions for exercising them

That’s right. You need to inform your customers about the rights they have under the CCPA, such as the right to opt out of having their information sold or shared, the right to obtain a copy of all information your company has collected on them, and the “right to be forgotten.” You also must provide them with “one or more designated methods” by which they can contact your company to exercise those rights.

A detailed description of your data collection and sharing practices

This includes:

A description of your data collection policies regarding minors 16 and under

The CCPA defines minors as being under the age of 16. Organizations cannot collect data from minors unless they opt in. If the minor is at least 13 years of age, they can opt in themselves; if the minor is under 13, their parent or guardian must opt them in.

If your company sells only to consumers aged 16 and over, include a statement that your company does not intentionally collect or solicit personally identifiable information from minors under the age of 16. If your company does sell to minors, you need to establish a “reasonable process” for them or their parents to opt in and describe it in your privacy policy.

A non-discrimination statement

The CCPA prohibits companies from discriminating against consumers who choose to exercise their rights under the law; for example, by charging them higher prices. Your privacy policy should include a statement of non-discrimination.

The policy’s effective date

The CCPA requires that organizations review their privacy policies every 12 months. Note your policy’s effective date, and change it after you complete your annual review, even if no changes were necessary.

The CCPA also mandates that you place a link to your privacy policy in a “conspicuous” location on the front page of your website — no more hiding it in tiny print within your TOS!

Other states are following California’s lead

One of the reasons why the CCPA is not the “American GDPR” is that it applies only to California residents. However, that doesn’t mean businesses that aren’t covered by the CCPA are off the hook. As California goes, so does the nation; numerous other states, tired of waiting for the federal government to address the issue, are using the CCPA as a model to craft their own data privacy laws. Even if your company doesn’t need to comply with the CCPA, it will probably face similar legislation soon.

It’s a good time to take a hard look at your data collection and governance procedures. States are passing CCPA-like laws because their constituents are demanding them. As more consumers insist that companies not only secure their data but also protect their privacy, organizations with solid data security and transparent privacy policies that put the consumer in control will have a distinct edge over the competition.

The Startup

Medium's largest active publication, followed by +771K people. Follow to join our community.

Teresa Rothaar

Written by

Professional freelance copywriter specializing in cybersecurity and cloud. MBA, marathon runner, breast cancer survivor, and X Phile. wildowldigital.com
