Californian GDPR: 5 Must-Haves of a Privacy Policy

Although the California Consumer Privacy Act (CCPA), or “the Californian GDPR” as lawyers have called it, is narrower than the GDPR and does not regulate personal data protection relationships as comprehensively, it has certain undeniable strengths and advantages.

When the Act enters into force, Section 1798.130 of Part 4 of Division 3 of the California Civil Code will be amended to establish the 5 main categories of information that must be specified in a company’s privacy policy.

1. Tell consumers what privacy rights they have.

The most important substantive content of a privacy policy should be a description of the rights that the Californian GDPR grants to consumers. According to the requirements of the Act, the policy shall specify and describe 3 categories of consumer rights:

  • rights of consumers whose personal information the company collects;
  • rights of consumers whose personal information the company sells or otherwise discloses for business purposes;
  • consumers’ right not to be discriminated against, as well as consumers’ rights to participate in the company’s various loyalty programs.

This requirement is quite similar to the GDPR requirement that the controller provide information regarding the processing of the data subject’s personal data in a concise, transparent, understandable and easily accessible form, but it is more detailed.

The Act itself contains a list and a general description of these rights. While drafting the privacy policy, the company should tailor that description to its specific business activities and, where possible, give examples of real situations in which consumers may exercise those rights.

2. The CCPA requires you to specify what consumer information is collected.

Another requirement of the Californian GDPR is the company’s obligation to provide a comprehensive list of the personal information that the company collects about a particular type of consumer or about consumers as a whole.

In defining personal information, the Act specifies that the following types of information, among others, shall be treated as personal information:

  • identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
  • commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  • biometric information.
  • internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
  • geolocation data.
  • audio, electronic, visual, thermal, olfactory, or similar information.
  • professional or employment-related information.
  • education information, defined as information that is not publicly available personally identifiable information.
  • inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

We would like to emphasize that the list of such information shall relate to the 12-month period preceding the consumer’s request. This requirement distinguishes the CCPA from the GDPR, where the controller is not bound by a fixed period under the corresponding obligation.

3. If you sell or otherwise disclose consumers’ personal information, the CCPA requires you to disclose this fact.

Analysis of the CCPA’s provisions makes clear that it is being adopted primarily to govern relations concerning the sale of personal data. Accordingly, the CCPA pays very serious attention to these issues.

Thus, the company is required to provide in its privacy policy a comprehensive list of the consumer information that it sells or discloses for commercial purposes. By analogy with the previous requirement, the list of such information shall relate to the 12-month period preceding the consumer’s request.

However, the Act acknowledges that certain companies will not sell their customers’ personal information or disclose it for commercial purposes. Such companies are required to state clearly in their privacy policies that they do not in any way sell or disclose their customers’ personal information for commercial purposes.

4. What means of communication does the CCPA require?

This requirement of the CCPA reflects the conservative nature of the US legal system as a whole. Under the provisions of the CCPA draft text, a company is required to make two or more communication channels available to consumers, including at minimum:

  • a toll-free telephone number;
  • if the business maintains a website, the website address.

Compared to the GDPR, which states in general terms that a data subject should be able to obtain information in a concise, transparent, understandable and easily accessible manner, the California Consumer Privacy Act spells out the requirements for companies and imposes a clear minimum for the means of communication that must be available.

5. The CCPA needs you to update your policy!

Another key requirement for the company’s privacy policy is the company’s obligation to update its policy every 12 months.

The policy should state the date of its last update. It would also benefit the policy to include a provision that it is updated at least every 12 months. Such a mechanism keeps the company’s policy relevant and maintains its compliance posture.


Unlike the GDPR, which sets requirements for the collection and processing of personal data without detailing privacy policy requirements, the Californian GDPR assigns a specific role to the content of such a policy.

It is worth noting that, under the CCPA requirements, a significant amount of information is not required to be included in a privacy policy (for example, the procedure by which a consumer exercises the right to delete or submits an opt-out request, the procedure for verifying consumer requests, etc.).

This approach can be explained by the aim of streamlining the content of the privacy policy and making it as clear, simple and understandable to consumers as possible. Thus, including only the above-mentioned categories of information in the privacy policy will be sufficient to ensure that the policy meets the requirements of the California Consumer Privacy Act.

At the same time, companies are not limited to the above list and may supplement their policies with other information they deem appropriate (for example, the procedure for submitting and reviewing consumer requests, the procedure for verifying consumer requests, etc.).
