The CCPA Privacy Policy Checklist

Last updated on 10 December 2019 by Jennifer L.
The CCPA Privacy Policy Checklist

If you plan on collecting personal data from Californians who visit your website or register for your services online, then you need to abide by the terms of the California Consumer Privacy Act (CCPA). The CCPA becomes law on January 1st 2020, meaning that if you haven't already prepared your business for the effects of the Act, then it's time to start now.

The CCPA provides that every website should have a Privacy Policy. This Privacy Policy must advise consumers of the various rights that the CCPA gives them. Although the CCPA contains various other obligations, the Privacy Policy is the most significant requirement.

So, what does the CCPA mean for existing Privacy Policies? It's simple. If you already have a Privacy Policy in place, then you'll probably have to make some amendments, which is why it's handy to have a checklist of everything your CCPA Privacy Policy should contain.

On the other hand, if you haven't drafted a Privacy Policy before, then don't worry - it's simpler than it seems. If you adhere to the terms of the CCPA from the outset, then you're moving forward with a CCPA-compliant Privacy Policy.

First, let's consider what the CCPA is, and what its objectives are.

The CCPA is a new piece of data protection legislation. It is designed to put Californians back in charge of what happens to their personal and identifiable information. Consumers spend so much time shopping and doing business online now that it's important for them to know their personal data is safe and secure.

In other words, the CCPA achieves two things. Firstly, it makes it easier for businesses to reassure consumers that their data is safe. Secondly, it encourages consumers to put their trust in online businesses. Although complying with new data protection laws can seem onerous, it's worth remembering that these laws are making life easier for you in the long run.

When it's broken down, you can see that the CCPA controls:

  • The data collected by businesses
  • How businesses justify the information they collect and store
  • The consent consumers must provide before their data is harvested, processed, shared, or stored

The CCPA attempts to balance commercial realities against the individual's right to privacy. Before considering the CCPA in more detail, it's worth highlighting a few key points.

For some businesses, there's no need to provide a CCPA-compliant Privacy Policy. This is because, in some cases, compliance is too expensive and disproportionate to the company's needs.

The CCPA doesn't apply to charities or other non-profits.

The CCPA doesn't just apply to businesses located in California. Since the CCPA sets out its own criteria for who must comply with its terms, it's worth familiarizing yourself with the Act to see if the Privacy Policy requirements apply to you. However, to help you out, here's a brief overview of who the CCPA applies to.

Who the CCPA Applies to

If you run a for-profit business, you must provide a CCPA-compliant Privacy Policy if you meet at least one of the following criteria:

  • Your gross annual takings exceed $25 million
  • You receive 50% or more of your annual revenue from selling data that belongs to Californians
  • You distribute, process, or receive data from 50,000 or more Californians annually

Section 1798.140 sets out the details:

CCPA Section 1798 140: Definition of Business

That all said, who does the CCPA protect? What constitutes a "Californian" for the CCPA's purposes?

California Residency and the CCPA

The CCPA only applies to people who actually reside in California. A resident for the Act's purposes is someone who is domiciled in California. This can be someone who:

  • Typically resides in California but they're on vacation somewhere else
  • Someone temporarily domiciled in California - for example, for work or another purpose that's more than a holiday

The CCPA defines this in subsection G of section 1798.140:

CCPA Section 1798 140: Definition of Consumer

For example, if someone spends a few weeks visiting relatives in California, but they usually live in New York, the CCPA doesn't cover them. On the other hand, if someone travels to New York for a medical procedure or work meeting, but they normally live in California, the CCPA covers them.

So, to recap, the CCPA protects Californians, and for-profit companies, subject to a few exceptions, should comply with its rules. What protections, though, does the CCPA offer?

Before we build a Privacy Policy checklist, it'll all make more sense if you understand what is protected under the CCPA

Personal Data and the CCPA

Personal Data and the CCPA

"Personal data" is helpfully defined in subsection O of - you guessed it - section 1798.140 of the CCPA. It's defined as data which can identify a person or their household. Although this list isn't exhaustive, examples of personal data include:

  • Names
  • Residential addresses
  • Browsing history and IP addresses
  • Employment information
  • Biometric data
  • Passport numbers
  • Social security numbers

Here's the clause in full:

CCPA Section 1798 140: Definition of Personal Information

This lengthy section then goes on to explain that "publicly available" information isn't covered by the CCPA. So, information lawfully made publicly available, like census records, aren't covered:

CCPA Section 1798 140: Definition of what is not Personal Information

Now, let's consider what Privacy Policy obligations the CCPA places upon businesses, and how you can ensure your Privacy Policy ticks all the compliance boxes.

The CCPA and Your Privacy Policy

The CCPA and Your Privacy Policy

Helpfully, the CCPA is very clear on how to ensure your Privacy Policy complies with its terms. A CCPA-compliant Privacy Policy must set out:

  • What information a business collects
  • Why it collects this personal data at all
  • Who the business may share this data with, and why
  • How the business collected the data
  • Who the consumer can contact if they wish to know more about how their data is used or stored
  • The consumer's various rights

You must also update your Privacy Policy at least every 12 months to keep it current.

Essentially, what we can take from the guidelines is that businesses must:

  • Grant consumers control over their personal data and what happens to it online
  • Comply with a consumer's wishes when exercising their rights
  • Never discriminate against a consumer who doesn't want their data used for, for example, marketing purposes and third-party sales

Think of these requirements as the beginning of your Privacy Policy checklist. Whatever else you include in your Privacy Policy, you must include these elements.

Whether you're drafting your Privacy Policy for the first time, or you're amending your Policy in line with the CCPA, here's what you should include.

Anti-discrimination

A business may not discriminate against a consumer just because they don't want to share personal data with that company. As defined by section 1798.125 of the CCPA, discrimination includes refusing to serve a customer or charging them different prices because they won't give you permission to sell on their data.

The VANS Privacy Policy sets this out a clause explaining that refusing to give them permission to use personal data for marketing purposes doesn't affect the customer's right to use the website:

VANS Privacy Policy: Am I obliged to provide my personal data and what are consequences if I refuse to clause for anti-discrimination

Summary: Include an anti-discrimination clause like this in your Privacy Policy to ensure CCPA compliance.

The Right to be Forgotten

Consumers have the right to request that you delete their personal data. This right is so important that it's at the very beginning start of the Act itself:

CCPA Section 1 Stating that various consumer rights are granted

It's also included more specifically in section 1798.105 where it states that a consumer has the right to request that a business delete any personal information it may have collected from the consumer:

CCPA Section 1798 105: Excerpt about consumer right to request information be deleted

Medium dedicates an entire section of its Privacy Policy to laying out a consumer's rights under the CCPA. It makes clear that consumers can request that their personal data is deleted at any time, although it may take a short while before the request is actioned:

Medium Privacy Policy: Rights of Data Subjects clause excerpt

Medium also explains the consumer is responsible for ensuring that their personal data is deleted from all sources. For example, it's on the consumer to contact their payment provider to delete billing information. They have explained why this is necessary on the consumer's part, which complies with the CCPA's principles of honesty and transparency:

Medium Privacy Policy: Payment Processors clause - Delete information excerpt

Summary: Check that you have a clause explaining fully how consumers can delete their personal data or request that you do it for them.

The Right to Access Data Collected

You should clearly set out what data you plan on collecting from the consumer, and why it's necessary to collect this data at all. Section 1798.110 of the CCPA makes this clear.

It states that consumers have the right to request that a business that collects personal information about the consumer disclose:

  • The categories of personal information that have been collected
  • The categories of sources from which the personal information is collected
  • What the business or commercial purpose is for the collecting or selling of personal information
  • The categories of third parties that the business shares personal information with
  • The specific pieces of personal information that have been collected about that consumer

CCPA Section 1798 110: Excerpt about consumer right to request information be disclosed

Nike has a comprehensive Privacy Policy in this respect. The company explains, firstly, that it collects various types of data from the customer:

Nike Privacy Policy: What Personal Data Do We Collect and When clause

The company then explains that the customer has a right to access the data held on them. The customer has the right to ask for a copy of this data and to request that it's amended. They can also insist that the company deletes their data entirely:

Nike Privacy Policy: Managing your personal data and content clauses

Finally, Nike provides details on how to contact its privacy team to exercise these rights. Customers can contact this team for a copy of the data held on them, and for more information about the Privacy Policy. There are three ways to contact the team: a webform, a mailing address, and an email address:

Nike Privacy Policy: Questions and Feedback clause

You'll note that Nike makes it easy for customers to contact the team because it provides simple instructions on how to do so.

Summary: Check that your Privacy Policy explains that a) the customer has a right to access data held on them and b) how to access this data.

Marketing

It should be emphasized that if you do transfer data to third parties, and these companies collect this data for their own marketing purposes, you must be explicit about this in your Privacy Policy. Here is an example from Amazon:

Amazon UK Privacy Notice: Third-party advertisers and links to other websites clause

Although you can't control precisely what happens to personal data when it is transferred to these third parties, it's still important that consumers know how they got access to their data in the first place.

Summary: Be open about your marketing policies in your Privacy Policy.

Data Shared with Third Parties

Businesses that collect personal data should always specify the types of third parties that they share personal information with, and why.

Here is an example from Hollister. After explaining that it doesn't sell personal data for marketing purposes, it lays out the circumstances in which it does share data with third parties. For example, the company may share data with third parties to fulfill orders, engage in advertising campaigns and communicate better with customers:

Hollister Privacy Policy: How We Share Information with Our Brands and Third Parties clause

Summary: Be transparent about who you share data with.

Contact Information

Make sure that customers know how to contact you to either discuss your Privacy Policy or to view the data you store on them. A simple contact clause is all you need to fulfil this obligation.

This example from Twitter is more robust than you may need if your business isn't global, but the more methods of contact you provide, the better:

Twitter Privacy Policy: Additional Information or Assistance - Contact clause

Summary: Make it easy for your customers to contact you in a variety of methods.

Displaying Your Privacy Policy

Displaying Your Privacy Policy

After you have your Privacy Policy completed or updated, you must publish it on your website. Website owners typically place links to their Privacy Policy within the header and/or footer.

You should place a link to your Privacy Policy at the bottom or top of every web page. Here's how Twitter does this with a simple "Privacy" link at the bottom of every page:

Twitter website footer with links

You can and should include your Privacy Policy link in other relevant places as well, such as:

  • On an account sign-up/log-in screen
  • On the checkout page if you do ecommerce
  • Within your Cookie Consent Notice
  • On an email newsletter sign-up form

Basically anywhere where you collect personal information, consider adding a link to your Privacy Policy.

Conclusion

The CCPA sets out new obligations for business owners who plan to collect, store, process, or use personal information from their consumers. First and foremost is the requirement for a Privacy Policy. It should be easy to read, and customers should be able to access the Policy before they share data with you and at any time afterwards.

Your CCPA Privacy Policy should contain clauses explaining, at a minimum:

  • Your collection and storage of personal data
  • Why it's necessary to collect this data
  • Who you share this data with, and what happens to the data once you have it
  • If any third parties ever have access to the data
  • What rights consumers have under the CCPA
  • How customers will never be discriminated against for opting out of personal data marketing
  • Who customers should contact for more information or to have their personal data deleted from records
Article categories
Jennifer L.

Legal writer.