CCPA (CPRA) Notices For Your Business: Internal and External

On January 1, 2020, the California Consumer Privacy Act (CCPA) was officially enacted in California. And on January 1, 2023, the CPRA became effective, thus expanding and enhancing the CCPA.

If you have a significant customer base in the state, or you have an office and hire in California, then you need to pay attention to this.

Do you fall under the scope of the CCPA (CPRA)? You'll need to update two groups of documents (or CCPA (CPRA) Notices): internal documents and external documents. This article will address this topic.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. Add information about your business: your website and/or app.
  4. Select the country.
  5. Answer the questions from our wizard relating to what type of information you collect from your users.
  6. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

And you're done! Now you can copy or link to your hosted Privacy Policy.


What is the CCPA (CPRA)?

The California Consumer Privacy Act outlines a set of privacy initiatives that aim to:

  1. Protect Californians' privacy and personal information, and
  2. Hold businesses accountable for data collection and sharing practices

You must comply with the CCPA (CPRA) if you fall under the umbrella of "doing business" in the state of California (i.e., selling goods or services to residents), even if you don't have an office or another physical presence in California.

But not everyone must comply. You also need to meet one of three criteria:

  1. Earn >$25 million in annual revenue,
  2. Collect personal data from 100,000 or more consumers or households, or
  3. Earn half your annual revenue from selling or sharing data

In other words, the CCPA (CPRA) targets the biggest data processors that pose the most privacy risk to California residents.

The law can also apply to businesses located outside of the United States if they serve California and meet the requirements listed above.

What are the CCPA (CPRA) Notice Requirements?

The CCPA's focus on transparency and accountability means that documentation makes up a core component of compliance. The CCPA requires two different categories of notification: internal and external notices.

Internal notices outline your CCPA/CPRA-compliant internal processes (like HR) for processing employee data. These documents outline employee rights and prepare relevant HR employees to uphold the law.

You will likely already be familiar with external notices. External notices are customer-facing documents that share your data practices and show customers covered by the CCPA (CPRA) how to exercise their statutory rights.

These include a Privacy Policy. In the case of the CCPA (CPRA), it also includes the development of a new web page titled "Do Not Sell My Personal Information."

CCPA (CPRA) Internal Notices

A significant focus has so far landed on the customer-facing facets of the law, but businesses also need to know that the CCPA (CPRA) likely applies to HR data, too.

One of the reasons this part of the law enjoys less notoriety is that it wasn't fully settled until recently. The California legislature fought about these issues when the bill went through the amendment process, which removed some of the initial regulation. Some do survive, but what's left won't go into effect until 2021.

When you read the CCPA (CPRA), it seems that there will be some internal notices required that you must apply if you fall under the scope of the law and you hire California residents as employees.

Internal/Employee Privacy Policies

It is routine practice to hold the personal data of employees and prospective employees. The CCPA (CPRA) doesn't change that. However, it may consider the data to be within the purview of the law. That means you need a Privacy Policy that's geared specifically towards the HR data you collect and store.

First, you need to provide what is akin to an internal Employee Privacy Policy that lets both California job candidates and employees know:

  • What data you collect
  • Why you collect the data
  • Who you share the data with (third parties)
  • The rights of California consumers established by the CCPA (CPRA)
  • What data you disclose (and have disclosed in the last 12 months)
  • If you have sold any data in the last 12 months

The final point - the sales of data - probably won't affect you, as employers rarely make a habit of selling employee data. If for some reason you do sell data or you intend to (through a merger/acquisition), then you must list it.

You must also provide this information before you collect the data. For example, you'll add the Employee Privacy Policy to the front matter of your job application programs. It should also go into:

  • Job offer letters
  • Employee handbooks
  • New hire agreements
  • Employment agreements

Remember, these policies also need to be updated annually to reflect your most current practices.

What Else Do I Need to Do to Keep My HR Team Compliant with the CCPA (CPRA)?

Further documentation is required, but it mostly falls in the context of employee training for upholding the CCPA (CPRA).

For example, you need to develop mechanisms that allow employees to exercise their rights under the law (right to access, erasure, etc.).

You can expect that you'll also need to:

  • Develop written policies that reflect the mechanisms for responding to rights requests
  • Amend any service agreements that impact HR data to reflect the CCPA (CPRA)
  • Update training documents given to those with access to HR data
  • Provide new/updated content in employee handbooks

CCPA (CPRA) External Notices

Your need for a Privacy Policy isn't new. CalOPPA began requiring the posting of public Privacy Policies years ago. Then, the GDPR required it back in 2018.

There's basically no way around having a Privacy Policy at this point.

However, if you fall under the scope of the CCPA (CPRA), then you likely need to update your Privacy Policy to reflect the new law, which cites it as the mandatory "initial notice" provided to consumers before you collect their information.

Your current Privacy Policy should already include information about things like:

  • What types and categories of data you process
  • How you collect the data
  • Why and how you process the data
  • If and how you share data with third parties
  • How consumers can access the data you have collected
  • How you deal with Do Not Track settings

Additionally, your Privacy Policy already needs to be:

  1. Easy to read (under CalOPPA)
  2. Simple to find on the page (CalOPPA)
  3. Updated every 12 months to reflect your most recent practices (under the CCPA (CPRA))

Your CCPA/CPRA-compliant Privacy Policy needs to include all of the information listed above plus information about the new rights granted by the CCPA (CPRA).

To comply, you need to provide:

  • Descriptions of the new rights given to all California residents (access, deletion, opt-out, nondiscrimination)
  • Explanation of how California residents can exercise their rights (for accessing information or requesting erasure)
  • A complete "Do Not Sell My Personal Information" link for opting out of third-party sales
  • An updated list of data categories collected in the past 12 months in any format (including offline)
  • A description of all the purposes for each category
  • A list of the categories of data sold in the past 12 months
  • A list of the categories of data "disclosed" in the past 12 months (for business purposes)

PetSuites of America offers a full pre-CCPA (CPRA) Privacy Policy and a complete CCPA/CPRA-compliant one as an addendum to the original.

[Image: PetSuites of America: Privacy Notice for California Residents - Introduction section]

You'll notice in the excerpt above that it includes the date the company last updated the policy. This is important for letting regulators know that you updated within the last 12 months and that your practices are current.

One of the first things that stand out in this policy is the granular nature of the "Information We Collect" section. It lists all the categories of data named in the law, describes them, and then identifies whether it collects them. Here's an excerpt of the chart-like clause:

[Image: PetSuites of America: Privacy Notice for California Residents - Excerpt of Information We Collect clause]

This is an important update to your existing Privacy Policy that you need to acknowledge.

In its descriptions of personal information, the PetSuites Policy offers a full explanation of its uses of California consumer data:

[Image: PetSuites of America: Privacy Notice for California Residents - Use of Personal Information clause]

It then goes on to describe the CCPA (CPRA) consumer rights in detail:

[Image: PetSuites of America: Privacy Notice for California Residents - Your Rights and Choices clause]

It also includes times when the statute says it does not have to comply with a request. However, it also describes the non-discrimination clause in clear detail. The CCPA (CPRA) says that businesses can't discriminate against any consumers who choose to exercise their rights:

[Image: PetSuites of America Terms of Use and Privacy Policy: Non-Discrimination clause excerpt]

Finally, it combines two other clauses: the right to opt out of data sales and the extra protections made for children aged 13 to 16 (not covered by COPPA, the children's privacy law):

[Image: PetSuites of America: Privacy Notice for California Residents - Personal Information Sales Opt-Out and Opt-In Rights clause]

However, there is an issue. While the "Do Not Sell" clause is essential, it also needs to link to the "Do Not Sell" notice page. While a company only needs to accommodate Do Not Sell requests if it sells data, the clause still needs to be there and it still needs a "Do Not Sell" page.

PetSuites of America will need to update its Privacy Policy again once the page goes live to link to the page. A link should be added to the website footer as well.

Let's look at that issue a bit more.

"Do Not Sell" Notice

In addition to your Privacy Policy, you must also include a "Do Not Sell" notice or page on your site.

This is not only a rule, but it's likely something California consumers well-versed in the CCPA (CPRA) will look for. A recent survey found that 90 percent of consumers would opt out of sales if they get the chance.

Your "Do Not Sell" clause needs to go into your Privacy Policy and you need to include a standalone web page labeled "Do Not Sell My Personal Information" on your home page.

[Image: Newmeyer and Dillion website footer]

The Do Not Sell My Personal Information page must include:

  • What data you sell to third parties, and
  • How the consumer can opt out of the sale

You must provide the option to make the request without requiring an account, and you need to respect the request for 12 months after you receive it.

What does this look like in the wild?

Elite Sports NY already has its "Do Not Sell" page up and running. However, the site doesn't sell data, so it doesn't need to provide a way for consumers to opt out. Even still, the law says you must have the page:

[Image: Elite Sports NY Do Not Sell My Personal Information page: Selling data to third parties clause]

California law firm Newmeyer & Dillion LLP also launched its "Do Not Sell" page:

[Image: Newmeyer and Dillion Do Not Sell My Personal Information page: Intro section]

Same as above, the law firm doesn't sell personal information, but it does allow users to proceed with a request not to sell if the consumer chooses to and provides a form for a user to do so:

[Image: Newmeyer and Dillion Do Not Sell My Personal Information page: Request form]