The CCPA (CPRA) Privacy Policy Checklist
If you plan on collecting personal data from Californians who visit your website or register for your services online, then you need to abide by the terms of the California Consumer Privacy Act (CCPA). The CCPA became law on January 1st 2020, and it was expanded by the California Privacy Rights Act (CPRA), effective January 1st 2023.
The CCPA (CPRA) provides that every website should have a Privacy Policy. This Privacy Policy must advise consumers of the various rights that the CCPA (CPRA) gives them. Although the CCPA (CPRA) contains various other obligations, the Privacy Policy is the most significant requirement.
So, what does the CCPA (CPRA) mean for existing Privacy Policies? It's simple, and this article will explain it. If you already have a Privacy Policy in place, then you'll probably have to make some amendments, which is why it's handy to have a checklist of everything your CCPA (CPRA) Privacy Policy should contain.
On the other hand, if you haven't drafted a Privacy Policy before, then don't worry - we can help.
- 1. Who the CCPA (CPRA) Applies to
- 2. California Residency and the CCPA (CPRA)
- 3. Personal Data and the CCPA (CPRA)
- 4. The CCPA (CPRA) and Your Privacy Policy
- 4.1. Anti-discrimination
- 4.2. The Right to be Forgotten
- 4.3. The Right to Access Data Collected
- 4.4. Marketing
- 4.5. Data Shared with Third Parties
- 4.6. Contact Information
- 5. Displaying Your Privacy Policy
- 6. Conclusion
First, let's consider what the CCPA (CPRA) is, and what its objectives are.
The CCPA (CPRA) is a piece of data protection legislation. It is designed to put Californians back in charge of what happens to their personal and identifiable information. Consumers spend so much time shopping and doing business online now that it's important for them to know their personal data is safe and secure.
In other words, the CCPA (CPRA) achieves two things. Firstly, it makes it easier for businesses to reassure consumers that their data is safe. Secondly, it encourages consumers to put their trust in online businesses. Although complying with new data protection laws can seem onerous, it's worth remembering that these laws are making life easier for you in the long run.
When it's broken down, you can see that the CCPA (CPRA) controls:
- The data collected by businesses
- How businesses justify the information they collect and store
- The consent consumers must provide before their data is harvested, processed, shared, or stored
The CCPA (CPRA) attempts to balance commercial realities against the individual's right to privacy. Before considering the CCPA (CPRA) in more detail, it's worth highlighting a few key points.
For some businesses, there's no need to provide a CCPA/CPRA-compliant Privacy Policy. This is because, in some cases, compliance is too expensive and disproportionate to the company's needs.
The CCPA (CPRA) doesn't apply to charities or other non-profits.
The CCPA (CPRA) doesn't just apply to businesses located in California. Since the CCPA (CPRA) sets out its own criteria for who must comply with its terms, it's worth familiarizing yourself with the Act to see if the Privacy Policy requirements apply to you. However, to help you out, here's a brief overview of who the CCPA (CPRA) applies to.
Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:
- Click on "Start creating your Privacy Policy" on our website.
- Select the platforms where your Privacy Policy will be used and go to the next step.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
-
Enter your email address where you'd like your Privacy Policy sent and click "Generate".
And you're done! Now you can copy or link to your hosted Privacy Policy.
- 1. Who the CCPA (CPRA) Applies to
- 2. California Residency and the CCPA (CPRA)
- 3. Personal Data and the CCPA (CPRA)
- 4. The CCPA (CPRA) and Your Privacy Policy
- 4.1. Anti-discrimination
- 4.2. The Right to be Forgotten
- 4.3. The Right to Access Data Collected
- 4.4. Marketing
- 4.5. Data Shared with Third Parties
- 4.6. Contact Information
- 5. Displaying Your Privacy Policy
- 6. Conclusion
Who the CCPA (CPRA) Applies to
If you run a for-profit business, you must provide a CCPA/CPRA-compliant Privacy Policy if you meet at least one of the following criteria:
- Your gross annual takings exceed $25 million
- You receive 50% or more of your annual revenue from selling or sharing data that belongs to Californians
- You distribute, process, or receive data from 100,000 or more Californians annually
Section 1798.140 sets out the details:
That all said, who does the CCPA (CPRA) protect? What constitutes a "Californian" for the CCPA/CPRA's purposes?
California Residency and the CCPA (CPRA)
The CCPA (CPRA) only applies to people who actually reside in California. A resident for the Act's purposes is someone who is domiciled in California. This can be someone who:
- Typically resides in California but they're on vacation somewhere else
- Someone temporarily domiciled in California - for example, for work or another purpose that's more than a holiday
The CCPA (CPRA) defines this in subsection G of section 1798.140:
For example, if someone spends a few weeks visiting relatives in California, but they usually live in New York, the CCPA (CPRA) doesn't cover them. On the other hand, if someone travels to New York for a medical procedure or work meeting, but they normally live in California, the CCPA (CPRA) covers them.
So, to recap, the CCPA (CPRA) protects Californians, and for-profit companies, subject to a few exceptions, should comply with its rules. What protections, though, does the CCPA (CPRA) offer?
Before we build a Privacy Policy checklist, it'll all make more sense if you understand what is protected under the CCPA (CPRA).
Personal Data and the CCPA (CPRA)
"Personal data" is helpfully defined in subsection O of - you guessed it - section 1798.140 of the CCPA (CPRA). It's defined as data which can identify a person or their household. Although this list isn't exhaustive, examples of personal data include:
- Names
- Residential addresses
- Browsing history and IP addresses
- Employment information
- Biometric data
- Passport numbers
- Social security numbers
Now, let's consider what Privacy Policy obligations the CCPA (CPRA) places upon businesses, and how you can ensure your Privacy Policy ticks all the compliance boxes.
The CCPA (CPRA) and Your Privacy Policy
Helpfully, the CCPA (CPRA) is very clear on how to ensure your Privacy Policy complies with its terms. A CCPA/CPRA-compliant Privacy Policy must set out:
- What information a business collects
- Why it collects this personal data at all
- Who the business may share this data with, and why
- How the business collected the data
- Who the consumer can contact if they wish to know more about how their data is used or stored
- The consumer's various rights
You must also update your Privacy Policy at least every 12 months to keep it current.
If you make any material changes, you'll need to send out or provide an Update Notice of the changes as well.
Essentially, what we can take from the guidelines is that businesses must:
- Grant consumers control over their personal data and what happens to it online
- Comply with a consumer's wishes when exercising their rights
- Never discriminate against a consumer who doesn't want their data used for, for example, marketing purposes and third-party sales
Think of these requirements as the beginning of your Privacy Policy checklist. Whatever else you include in your Privacy Policy, you must include these elements.
Conduct a privacy law self-audit so you know exactly what privacy practices your business engages in and what information you need to disclose to your users.
Whether you're drafting your Privacy Policy for the first time, or you're amending your Policy in line with the CCPA (CPRA), here's what you should include.
Anti-discrimination
A business may not discriminate against a consumer just because they don't want to share personal data with that company. As defined by section 1798.125 of the CCPA (CPRA), discrimination includes refusing to serve a customer or charging them different prices because they won't give you permission to sell on their data.
The VANS Privacy Policy sets this out a clause explaining that refusing to give them permission to use personal data for marketing purposes doesn't affect the customer's right to use the website:
Summary: Include an anti-discrimination clause like this in your Privacy Policy to ensure CCPA (CPRA) compliance.
The Right to be Forgotten
Consumers have the right to request that you delete their personal data. This right is so important that it's at the very beginning start of the Act itself:
It's also included more specifically in section 1798.105 where it states that a consumer has the right to request that a business delete any personal information it may have collected from the consumer:
Medium dedicates an entire section of its Privacy Policy to laying out a consumer's rights under the CCPA (CPRA). It makes clear that consumers can request that their personal data is deleted at any time, although it may take a short while before the request is actioned:
Medium also explains the consumer is responsible for ensuring that their personal data is deleted from all sources. For example, it's on the consumer to contact their payment provider to delete billing information. They have explained why this is necessary on the consumer's part, which complies with the CCPA/CPRA's principles of honesty and transparency:
Summary: Check that you have a clause explaining fully how consumers can delete their personal data or request that you do it for them.
The Right to Access Data Collected
You should clearly set out what data you plan on collecting from the consumer, and why it's necessary to collect this data at all. Section 1798.110 of the CCPA (CPRA) makes this clear.
It states that consumers have the right to request that a business that collects personal information about the consumer disclose:
- The categories of personal information that have been collected
- The categories of sources from which the personal information is collected
- What the business or commercial purpose is for the collecting or selling of personal information
- The categories of third parties that the business shares personal information with
- The specific pieces of personal information that have been collected about that consumer
Nike has a comprehensive Privacy Policy in this respect. The company explains, firstly, that it collects various types of data from the customer:
The company then explains that the customer has a right to access the data held on them. The customer has the right to ask for a copy of this data and to request that it's amended. They can also insist that the company deletes their data entirely:
Finally, Nike provides details on how to contact its privacy team to exercise these rights. Customers can contact this team for a copy of the data held on them, and for more information about the Privacy Policy. There are three ways to contact the team: a webform, a mailing address, and an email address:
You'll note that Nike makes it easy for customers to contact the team because it provides simple instructions on how to do so.
Summary: Check that your Privacy Policy explains that a) the customer has a right to access data held on them and b) how to access this data.
Marketing
It should be emphasized that if you do transfer data to third parties, and these companies collect this data for their own marketing purposes, you must be explicit about this in your Privacy Policy. Here is an example from Amazon:
Although you can't control precisely what happens to personal data when it is transferred to these third parties, it's still important that consumers know how they got access to their data in the first place.
Summary: Be open about your marketing policies in your Privacy Policy.
Data Shared with Third Parties
Businesses that collect personal data should always specify the types of third parties that they share personal information with, and why.
Here is an example from Hollister. After explaining that it doesn't sell personal data for marketing purposes, it lays out the circumstances in which it does share data with third parties. For example, the company may share data with third parties to fulfill orders, engage in advertising campaigns and communicate better with customers:
Summary: Be transparent about who you share data with.
Contact Information
Make sure that customers know how to contact you to either discuss your Privacy Policy or to view the data you store on them. A simple contact clause is all you need to fulfil this obligation.
This example from Twitter is more robust than you may need if your business isn't global, but the more methods of contact you provide, the better:
Summary: Make it easy for your customers to contact you in a variety of methods.
Displaying Your Privacy Policy
After you have your Privacy Policy completed or updated, you must publish it on your website. Website owners typically place links to their Privacy Policy within the header and/or footer.
You should place a link to your Privacy Policy at the bottom or top of every web page. Here's how Twitter does this with a simple "Privacy" link at the bottom of every page:
You can and should include your Privacy Policy link in other relevant places as well, such as:
- On an account sign-up/log-in screen
- On the checkout page if you do ecommerce
- Within your Cookie Consent Notice
- On an email newsletter sign-up form
Basically anywhere where you collect personal information, consider adding a link to your Privacy Policy.
Conclusion
The CCPA (CPRA) sets out new obligations for business owners who plan to collect, store, process, or use personal information from their consumers. First and foremost is the requirement for a Privacy Policy. It should be easy to read, and customers should be able to access the Policy before they share data with you and at any time afterwards.
Your CCPA (CPRA) Privacy Policy should contain clauses explaining, at a minimum:
- Your collection and storage of personal data
- Why it's necessary to collect this data
- Who you share this data with, and what happens to the data once you have it
- If any third parties ever have access to the data
- What rights consumers have under the CCPA (CPRA)
- How customers will never be discriminated against for opting out of personal data marketing
- Who customers should contact for more information or to have their personal data deleted from records