CCPA is Here: How to Update Your Privacy Policy

Jan 21, 2020, 08:30 AM by BBB National Programs

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. If your business is covered under CCPA, you may need to update your public privacy policy. In this post, we focus on the main changes that most businesses can expect to make to their privacy policies in order to align them with the requirements of CCPA.*

Privacy Policy Enhancements

Complying with the CCPA requires some adjustments to a business’s existing privacy notice for California consumers. The requirements largely track existing elements of any well-implemented privacy policy, though they seem to envision a higher level of detail than most companies include in their policies. 

Existing Privacy Policy Element / CCPA Privacy Policy Requirement

Types of personal data collected/used: Specify the “categories of personal information,” each “written in a manner that provides consumers a meaningful understanding of the information being collected.” Draft reg. § 999.308(b)(1).

Purposes for processing personal data: For each category of personal information collected, specify
- the “business or commercial purpose” for the collection. Draft reg. § 999.308(b)(1)(d)(2).

Third parties: For each category of personal information collected, specify
- the “categories of sources” from which it is collected;
- the categories of third parties with whom the business shares personal information. Draft reg. § 999.308(b)(1)(d)(2).
Must also state whether or not the business “has disclosed or sold any personal information for a business or commercial purpose in the preceding 12 months” and whether or not “the business sells the personal information of minors under 16 years of age without affirmative authorization.” Draft reg. § 999.308(b)(1)(e).
If the business “sells” personal data, it must specify the categories of personal information that are sold. Draft reg. § 999.308(b)(1)(e).

Choices: If the business “sells” personal data, it must provide a link labeled “Do Not Sell My Personal Information,” directing to a notice that describes the right to opt out of sale. Draft reg. § 999.306.

Data subject rights: Describe how California consumers can exercise their rights under CCPA, and the process the business uses to verify requests (including the information the consumer will need to provide during verification), plus “how a consumer can designate an authorized agent to make a request under CCPA on the consumer’s behalf.”
This includes the right to:
- Know about personal information collected, disclosed, or sold. Draft reg. § 999.308(b)(1).
- Request deletion of their personal information. Draft reg. § 999.308(b)(2).
- Opt out of sale, if the business “sells” personal information. Draft reg. § 999.308(b)(3).
- Non-discrimination for the exercise of a consumer’s privacy rights. Draft reg. § 999.308(b)(4).

Contact information: Specify a contact for questions or concerns “using a method reflecting the manner in which the business primarily interacts with the customer.” Draft reg. § 308(b)(6).
Plus at least two methods for submitting requests to know/delete, including a toll-free number and an interactive webform. Draft reg. § 999.312.

Last updated date: Specify the last updated date. Draft reg. § 999.308(b)(7).


As for format, the draft regulations describe a compliant privacy policy as one that is “designed and presented” to be “easy to read” and “understandable to an average consumer.” It should “use plain, straightforward language” rather than “technical or legal jargon,” and be presented in any language in which the business operates. It should also be readable on smaller screens, available in a printable format, and take disability access into account (with additional formats available as needed). Draft reg. § 999.308(a)(2).

Notice at Collection

CCPA requires more than a good privacy policy. Instead, it asks your business to provide consumers with clear and effective notice of your privacy practices “at or before the time of collection.” CCPA § 1798.100. The rules clarify that a notice must be “visible or accessible where consumers will see it before any personal information is collected.” Draft reg. § 999.305(a)(2)(e). There are thus two steps to an effective notice strategy: (1) updating your privacy policy to include required information, and (2) providing just-in-time notices at appropriate points of contact with your customer.

Just-in-time notices are a more direct means than a privacy policy of providing relevant information to consumers, thereby empowering them to make privacy choices in the marketplace. A just-in-time notice should include the clearest, most up-front language about the types of data you are about to collect, the purposes for collection, and relevant choices, as appropriate. Usually, it should also link to more information, either via a separate disclosure or to the relevant section of your privacy policy.

What should be included in the notice at collection? Essentially, a mini version of your privacy policy focused on the categories of personal information that are about to be collected and the purposes for collecting the specific personal information at hand. Although the rules envision that this can be a separate disclosure, they also allow a business to simply provide a link to the relevant section of its privacy policy, so long as it provides the required level of detail. Either way is permissible, though a business that chooses to link to its privacy policy should double-check that its policy is structured in such a way as to allow users to be pointed to the specific collection scenario at hand. If a separate disclosure is used, you must still link to your privacy policy.

Just how clear should this notice be? The draft regulations take great care to describe a gold standard of accessibility. A CCPA notice should be “easy to read and understandable to the average consumer” using “plain, straightforward language and avoiding technical or legal jargon,” using a format that is conspicuous and “draws the consumer’s attention to the notice,” available in any language(s) in which the business operates, and “accessible to consumers with disabilities.” Draft reg. § 999.305(a)(2).

Other Notice Obligations

Note that the CCPA includes two additional substantive notice requirements that extend beyond the privacy policy: the “notice of right to opt-out” of the sale of personal information, CCPA §§ 1798.120, 135, and the “notice of financial incentive,” CCPA § 1798.125(b). These requirements deserve special attention, so we will cover them in a future blog post.


*References to “CCPA” refer to the law as amended. References to “Draft reg.” refer to the draft implementing regulations. Although some uncertainty remains, the California Attorney General has indicated that the draft regulations, which interpret and clarify the CCPA, are unlikely to be substantially revised.
