CCPA: 5 Must-Have Privacy Policy Provisions

Although the California Consumer Privacy Act (CCPA), which lawyers have already dubbed the “California GDPR”, is shorter than the GDPR and regulates personal data protection less comprehensively, it has undeniable strong points of its own.

Specifically, once the Act enters into force, Article 1798.130 of Chapter 4 of Division 3 of the California Civil Code will be amended to establish 5 main categories of information that a company’s privacy policy must contain.

1. Tell Consumers What Privacy Rights They Have

The most important substantive content of a privacy policy must be a description of the rights that the California GDPR grants to consumers. In accordance with the Act’s requirements, the policy must specify and describe 3 categories of consumer rights:

  • the rights of consumers whose information is collected by the company;
  • the rights of consumers whose information the company sells or otherwise discloses for commercial purposes;
  • the right of consumers not to be discriminated against, together with their rights regarding participation in the company’s various financial loyalty programs.

This requirement is somewhat similar to the GDPR requirement that the controller must provide information relating to the processing of a data subject’s data in a concise, transparent, intelligible, and easily accessible form, but is more detailed.

The Act itself contains a list and general description of such rights. When drafting a privacy policy, a company should customize such a description to fit its specific business and (where possible) provide examples of practical situations in which such rights may be exercised by consumers.

2. CCPA Requires Specifying What Consumer Information Is Collected

The next requirement of the California GDPR is that the company’s privacy policy must contain an exhaustive list of the personal information the company collects, whether about a particular type of consumer or about consumers in general.

In defining the concept of personal information, the Act states that it may include, among other things, such information as:

  • real name, alias, postal address, unique personal identifier;
  • online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers;
  • commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchase or consumption histories;
  • biometric information;
  • Internet or other electronic network activity information, including but not limited to browsing history, search history, and information on a consumer’s interaction with a website, application, or Internet advertisement;
  • geolocation data;
  • audio, electronic, visual, thermal, olfactory, or similar information;
  • professional or employment-related information;
  • education information, defined as information that is not publicly available or is personally identifiable information;
  • inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

It is worth emphasizing that this list must cover the 12-month period preceding the drafting or review of the policy. This distinguishes the CCPA from the GDPR, which imposes no specific timeframe on the controller’s corresponding obligation.

3. If You Sell or Otherwise Disclose Consumers’ Personal Information — CCPA Requires You to Disclose This

An analysis of the text of the CCPA shows that it is overwhelmingly directed at regulating the sale of personal data, and the Act accordingly gives these matters particular attention.

Specifically, a company is obliged to specify in its privacy policy an exhaustive list of consumer information that it sells or discloses for commercial purposes. The list of such information, by analogy with the previous requirement, must relate to the 12-month period preceding the drafting or review of the policy.

It is worth noting that the Act anticipates that some companies will neither sell their consumers’ information nor disclose it for profit. Such companies must include a separate statement in their privacy policies that they do not sell or disclose their consumers’ personal information for commercial purposes in any way.

4. What Communication Channels Does the California GDPR Require?

This requirement of the California GDPR nicely reflects a certain conservatism of the US legal system as a whole. Specifically, in accordance with the provisions of the CCPA, a company is obliged to make available to consumers two or more means of communication, including:

  • at a minimum, a toll-free telephone number;
  • and, if the business maintains an Internet website, the website address.

Again, whereas the GDPR states only in general terms that a data subject must be able to receive information in a concise, transparent, intelligible, and easily accessible form, the California Consumer Privacy Act spells out the requirements for companies in detail and establishes a mandatory minimum set of communication channels that must be available.

5. CCPA Reminds You: Don’t Forget to Update Your Policy!

Another key requirement for a company’s privacy policy established by the California GDPR is the company’s obligation to update its own policy every 12 months.

The policy must specify the date of its last update. It is also recommended to state that the company updates the policy no less than once every 12 months. This mechanism is intended to keep the company’s policy current and to maintain its ongoing compliance.

Conclusion

Unlike the GDPR, which sets requirements for the collection and processing of personal data without prescribing the content of the privacy policy itself, the California GDPR assigns a specific role to the content of that policy.

It is worth noting that, under the CCPA, a substantial amount of information need not be included in the privacy policy (for example, the procedure for exercising a consumer’s right to deletion of information about them or a consumer’s right to prohibit the sale of information about them, the procedure for verifying consumer requests, and so on).

Such an approach may be explained by the desire to optimize the content of the privacy policy and make it as clear, simple, and understandable as possible for consumers. Thus, specifying only the above-mentioned categories of information in the privacy policy will be sufficient for such a policy to comply with the requirements of the California Consumer Privacy Act.

At the same time, companies are not limited to the list provided and may additionally specify in their policies other information they consider appropriate (for example, the procedure for a consumer to submit an appeal/request to the company and the procedure for reviewing such an appeal/request, the procedure for verifying consumer requests, and so on).

Legal IT Group helps companies build a data protection system in accordance with the regulation: we conduct gap assessments, form policies and agreements, and train teams to work in accordance with US legislation.
