BBB National Programs Insights

CCPA is Here: How to Update Your Privacy Policy

Jan 21, 2020, 08:30 AM by BBB National Programs
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. If your business is covered under CCPA, you may need to update your public privacy policy. In this post, we focus on the main changes that most businesses can expect to make to their privacy policies in order to align them with the requirements of CCPA.*

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. If your business is covered under CCPA, you may need to update your public privacy policy. In this post, we focus on the main changes that most businesses can expect to make to their privacy policies in order to align them with the requirements of CCPA.*

Privacy Policy Enhancements

Complying with the CCPA requires some adjustments to a business’s existing privacy notice for California consumers. The requirements largely track existing elements of any well-implemented privacy policy, though they seem to envision a higher level of detail than most companies include in their policies. 

Existing Privacy Policy ElementsCCPA Privacy Policy Requirements
Types of personal data collected/used:Specify the “categories of personal information,” each “written in a manner that provides consumers a meaningful understanding of the information being collected.” Draft reg. § 999.308(b)(1).
Purposes for processing personal data:For each category of personal information collected, specify
-          the “business or commercial purpose” for the collection. Draft reg. § 999.308(b)(1)(d)(2).
Third parties:For each category of personal information collected, specify
-          the “categories of sources” from which it is collected;
-          and the categories of third parties with whom the business shares personal information. Draft reg. § 999.308(b)(1)(d)(2).
 
Must also state whether or not the business “has disclosed or sold any personal information for a business or commercial purpose in the preceding 12 months” and whether or not “the business sells the personal information of minors under 16 years of age without affirmative authorization.” Draft reg. § 999.308(b)(1)(e).
 
If business “sells” personal data, must specify the categories of personal information that are sold. Draft reg. § 999.308(b)(1)(e).
Choices:If business “sells” personal data, must provide a link labeled “Do Not Sell My Personal Information,” directing to a notice that describes the right to opt-out of sale. Draft reg. § 999.306.
Data subject rights:Describe how California consumers can exercise their rights under CCPA, and the process the business uses to verify requests (including information the consumer will need to provide during verification), plus “how a consumer can designate an authorized agent to make a request under CCPA on the consumer’s behalf.” 
 
This includes the right to:
-          Know about personal information collected, disclosed, or sold. Draft reg. § 999.308(b)(1).
-          Request deletion of their personal information. Draft reg. § 999.308(b)(2).
-          Right to opt-out of sale, if business “sells” personal information. Draft reg. § 999.308(b)(3). 
-          Right to non-discrimination for the exercise of a consumer’s privacy rights. Draft Rule § 999.308(b)(4).
Contact information:Specify a contact for questions or concerns “using a method reflecting the manner in which the business primarily interacts with the customer.” Draft reg. § 308(b)(6). 
 
Plus at least two methods for submitting requests to know/delete, including a toll-free number and an interactive webform. Draft reg. § 999.312.
Last updated date:Specify the last updated date. Draft reg. § 999.308(b)(7).

 

As for format, the draft regulations describe a compliant privacy policy that it “designed and presented” to be “easy to read” and “understandable to an average consumer.” It should “use plain, straightforward language” rather than “technical or legal jargon” presented in any language in which the business operates. It should also be readable on smaller screens, available in a printable format, and should take disability access into account (with additional formats available as needed). Draft reg. § 999.308(a)(2).

Notice at Collection

CCPA requires more than a good privacy policy. Instead, it asks your business to provide consumers with clear and effective notice of your privacy practices “at or before the time of collection.” CCPA § 1798.100. The rules clarify that a notice must be “visible or accessible where consumers will see it before any personal information is collected.” Draft Rule § 999.305(a)(2)(e). There are thus two steps to an effective notice strategy: (1) updating your privacy policy to include required information, and (2) providing just-in-time notices at appropriate points of contact with your customer.

Just-in-time notices are a more direct means than a privacy policy of providing relevant information to consumers, thereby empowering them to make privacy choices in the marketplace. A just-in-time notice should include the clearest, most up-front language about the types of data you are about to collect, the purposes for collection, and relevant choices, as appropriate. Usually, it should also link to more information, either via a separate disclosure or to the relevant section of your privacy policy.

What should be included in the notice at collection? Essentially, a mini version of your privacy policy focused on the categories of personal information that are about to be collected and the purposes for collecting the specific personal information at hand. Although the rules envision that this can be a separate disclosure, they also allow that a business can simply provide a link to the relevant section of its privacy policy so long as it provides the required level of detail. Either way is permissible, though a business that chooses to link to its privacy policy should double check that its policy is structured in such a way to allow users to be pointed to the specific collection scenario at hand. If a separate disclosure is used, you must still link to your privacy policy.

Just how clear should this notice be? The draft regulations take great care to describe a gold standard of accessibility. A CCPA notice should be “easy to read and understandable to the average consumer” using “plain, straightforward language and avoiding technical or legal jargon,” using a format that is conspicuous and “draws the consumer’s attention to the notice,” available in any language(s) in which the business operates, and “accessible to consumers with disabilities.” Draft rule § 999.305(a)(2).

Other Notice Obligations

Note that the CCPA includes two additional substantive notice requirements that extend beyond the privacy policy: the “notice of right to opt-out” of the sale of personal information, CCPA §§ 1798.120, 135, and the “notice of financial incentive,” CCPA § 1798.125(b). These requirements deserve special attention, so we will cover them in a future blog post.

 

*References to “CCPA” refer to the law as amended. References to “Draft reg.” refer to the draft implementing regulations. Although some uncertainty remains, the California Attorney General has indicated that the draft regulations, which interpret and clarify the CCPA, are unlikely to be substantially revised.

 

The BBB EU Privacy Shield program provides compliance assistance for U.S. businesses preparing for self-certification under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, as well as ongoing review of the Privacy Shield notices and certifications of participating businesses and up-to-date guidance on privacy compliance. At its core, BBB EU Privacy Shield operates an independent third-party dispute resolution mechanism enabling European Union and Swiss individuals to resolve Privacy Shield complaints against participating businesses.