CCPA is Here: How to Update Your Privacy Policy

Jan 21, 2020, 08:30 AM by BBB National Programs

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. If your business is covered under CCPA, you may need to update your public privacy policy. In this post, we focus on the main changes that most businesses can expect to make to their privacy policies in order to align them with the requirements of CCPA.*

Privacy Policy Enhancements

Complying with the CCPA requires some adjustments to a business’s existing privacy notice for California consumers. The requirements largely track existing elements of any well-implemented privacy policy, though they seem to envision a higher level of detail than most companies include in their policies. 

Existing Privacy Policy ElementsCCPA Privacy Policy Requirements
Types of personal data collected/used:Specify the “categories of personal information,” each “written in a manner that provides consumers a meaningful understanding of the information being collected.” Draft reg. § 999.308(b)(1).
Purposes for processing personal data:For each category of personal information collected, specify
-          the “business or commercial purpose” for the collection. Draft reg. § 999.308(b)(1)(d)(2).
Third parties:For each category of personal information collected, specify
-          the “categories of sources” from which it is collected;
-          and the categories of third parties with whom the business shares personal information. Draft reg. § 999.308(b)(1)(d)(2).
 
Must also state whether or not the business “has disclosed or sold any personal information for a business or commercial purpose in the preceding 12 months” and whether or not “the business sells the personal information of minors under 16 years of age without affirmative authorization.” Draft reg. § 999.308(b)(1)(e).
 
If business “sells” personal data, must specify the categories of personal information that are sold. Draft reg. § 999.308(b)(1)(e).
Choices:If business “sells” personal data, must provide a link labeled “Do Not Sell My Personal Information,” directing to a notice that describes the right to opt-out of sale. Draft reg. § 999.306.
Data subject rights:Describe how California consumers can exercise their rights under CCPA, and the process the business uses to verify requests (including information the consumer will need to provide during verification), plus “how a consumer can designate an authorized agent to make a request under CCPA on the consumer’s behalf.” 
 
This includes the right to:
-          Know about personal information collected, disclosed, or sold. Draft reg. § 999.308(b)(1).
-          Request deletion of their personal information. Draft reg. § 999.308(b)(2).
-          Right to opt-out of sale, if business “sells” personal information. Draft reg. § 999.308(b)(3). 
-          Right to non-discrimination for the exercise of a consumer’s privacy rights. Draft Rule § 999.308(b)(4).
Contact information:Specify a contact for questions or concerns “using a method reflecting the manner in which the business primarily interacts with the customer.” Draft reg. § 308(b)(6). 
 
Plus at least two methods for submitting requests to know/delete, including a toll-free number and an interactive webform. Draft reg. § 999.312.
Last updated date:Specify the last updated date. Draft reg. § 999.308(b)(7).

 

As for format, the draft regulations describe a compliant privacy policy that it “designed and presented” to be “easy to read” and “understandable to an average consumer.” It should “use plain, straightforward language” rather than “technical or legal jargon” presented in any language in which the business operates. It should also be readable on smaller screens, available in a printable format, and should take disability access into account (with additional formats available as needed). Draft reg. § 999.308(a)(2).

Notice at Collection

CCPA requires more than a good privacy policy. Instead, it asks your business to provide consumers with clear and effective notice of your privacy practices “at or before the time of collection.” CCPA § 1798.100. The rules clarify that a notice must be “visible or accessible where consumers will see it before any personal information is collected.” Draft Rule § 999.305(a)(2)(e). There are thus two steps to an effective notice strategy: (1) updating your privacy policy to include required information, and (2) providing just-in-time notices at appropriate points of contact with your customer.

Just-in-time notices are a more direct means than a privacy policy of providing relevant information to consumers, thereby empowering them to make privacy choices in the marketplace. A just-in-time notice should include the clearest, most up-front language about the types of data you are about to collect, the purposes for collection, and relevant choices, as appropriate. Usually, it should also link to more information, either via a separate disclosure or to the relevant section of your privacy policy.

What should be included in the notice at collection? Essentially, a mini version of your privacy policy focused on the categories of personal information that are about to be collected and the purposes for collecting the specific personal information at hand. Although the rules envision that this can be a separate disclosure, they also allow that a business can simply provide a link to the relevant section of its privacy policy so long as it provides the required level of detail. Either way is permissible, though a business that chooses to link to its privacy policy should double check that its policy is structured in such a way to allow users to be pointed to the specific collection scenario at hand. If a separate disclosure is used, you must still link to your privacy policy.

Just how clear should this notice be? The draft regulations take great care to describe a gold standard of accessibility. A CCPA notice should be “easy to read and understandable to the average consumer” using “plain, straightforward language and avoiding technical or legal jargon,” using a format that is conspicuous and “draws the consumer’s attention to the notice,” available in any language(s) in which the business operates, and “accessible to consumers with disabilities.” Draft rule § 999.305(a)(2).

Other Notice Obligations

Note that the CCPA includes two additional substantive notice requirements that extend beyond the privacy policy: the “notice of right to opt-out” of the sale of personal information, CCPA §§ 1798.120, 135, and the “notice of financial incentive,” CCPA § 1798.125(b). These requirements deserve special attention, so we will cover them in a future blog post.

 

*References to “CCPA” refer to the law as amended. References to “Draft reg.” refer to the draft implementing regulations. Although some uncertainty remains, the California Attorney General has indicated that the draft regulations, which interpret and clarify the CCPA, are unlikely to be substantially revised.

Suggested Articles

Blog

Avoid Misleading Messages When Advertising Medical Devices

Advertisers of medical devices face complex tasks when marketing their products. In addition to complying with FDA regulations, medical device advertising is subject to the same truth-in-advertising principles set by the FTC. In addition to express claims, marketers are responsible for all the messages reasonably conveyed to consumers in their advertising and should ask some important questions to ensure consumers are not misled. Ask yourself these questions when advertising medical devices to avoid conveying misleading messages.
Read more
Blog

The Do’s and Don’ts of Buying Smart for Baby: A Primer from Privacy Experts

Researching a new product and finding the critical or in-depth information you are looking for to build confidence in your purchasing decision often requires sifting through superficial lists of “best products.” These lists are often sponsored by the products they feature, which means instead of a focus on being helpful they are full of incentivized endorsements and affiliate links. In this blog, we provide a list – not a sponsored list – of some do’s and don’ts for how to confidently research smart devices.
Read more
Blog

When Web Designs Turn Into Dark Patterns And What To Do About It

Recently I wrote about the proliferation of dark patterns and tried to give readers a sense of just how widespread these practices are. But it is not just the pervasiveness of dark patterns that has lawmakers and regulators concerned, it is the intent behind them and their impact on consumers. Nonprofit leaders, in particular, should be aware of this and how to guard against it given that they are well-positioned to garner and enhance consumer trust.
Read more
Blog

Politics Aside, Advertising Gains Guidance on Deception and Substantiation in the 1980s

As we continue to celebrate the 50th anniversary of the National Advertising Division (NAD) we are looking forward while taking stock of past decades, with a special focus on decisions and developments that continue to impact advertising law and NAD cases today. This month we highlight two pivotal moments from the 1980’s that helped shape NAD’s jurisprudence.
Read more