Making Your CCPA Privacy Policy Compliant With the CPRA

Making Your CCPA Privacy Policy Compliant With the CPRA

Under the California Consumer Privacy Act (CCPA), companies must have a Privacy Policy for their website if they wish to do business in California. If your business is obliged to comply with the CCPA, then you must also understand how the California Privacy Rights Act (CPRA) affects you.

Specifically, you must ensure that your Privacy Policy complies with the new obligations set out in the CPRA, which will likely mean making some changes to your existing Policy.

Below, we touch on CCPA compliance and explore what steps you must take to make your CCPA-compliant Privacy Policy compliant with the CPRA.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. PrivacyPolicies.com: Privacy Policy Generator - Select platforms - Step 1

  4. Add information about your business: your website and/or app.
  5. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  6. Select the country:
  7. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  8. Answer the questions from our wizard relating to what type of information you collect from your users.
  9. PrivacyPolicies.com: Privacy Policy Generator - Answer questions from our wizard - Step 3

  10. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

    PrivacyPolicies.com: Privacy Policy Generator - Enter your email address - Step 4

    And you're done! Now you can copy or link to your hosted Privacy Policy.



The California Consumer Privacy Act (CCPA)

Introduced in 2018, the CCPA is one of the United State's most significant privacy laws. Under the act, consumers now have a wide range of rights over how businesses collect, use, and process their personal information.

As per Section 1798.140(o)(1) of the CCPA, personal information is any data you can use to identify a person or household.

If your business must comply with the California Consumer Privacy Act, then you need a Privacy Policy setting out:

  • Whether you collect personal information, and how it's used
  • What rights Californians have over their personal data, and
  • How they can exercise those rights

Drafting a CCPA-compliant Privacy Policy is beyond the scope of this article. However, let's briefly consider what's required so we can better understand how the CPRA changes things.

CCPA General Privacy Policy Requirements

Every CCPA-compliant Privacy Policy should cover, at a minimum, the following:

  • What categories of personal information you collect
  • The reasons why you collect personal data
  • How this data is used
  • How the data is shared

You must also tell people about their rights to:

  • Request deletion of their personal data (subject to exceptions)
  • Opt-out of the sale of personal data

You cannot discriminate against any customer for exercising these rights.

For a Privacy Policy to be compliant with the CCPA, it must be displayed clearly on your website via e.g. a prominent link in your website header or footer. This is to ensure that all users have the chance to view the Privacy Policy before using your site.

If you're unsure how to draft a CCPA-compliant Privacy Policy, check out our CCPA Privacy Policy Checklist.

The California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA)

The CPRA came into force on December 16, 2020. However, businesses have until January 1, 2023, to learn how the CPRA affects them and comply with the changes.

Essentially, the CPRA introduces three major changes to the CCPA:

  • The CPRA gives Californians new rights over their personal information and expands some existing rights
  • The Act creates the California Privacy Protection Agency, which can enforce the CPRA alongside the Attorney General
  • The CPRA introduces a new category - contractors - which must comply with the CPRA

We're confining our focus here to Privacy Policies, but you should consider how the other changes may affect your business, as well.

To be clear, the CPRA doesn't replace the CCPA, meaning the CCPA is still in force.

CPRA Privacy Rights

Before we look at drafting a CPRA-compliant Privacy Policy, it's crucial to understand how the CPRA expands on consumer Privacy Rights. Let's consider each change in turn.

Sensitive Information

If you collect a special category of personal data known as "sensitive information", then you must declare this in your Privacy Policy as per Section 1798.100(a)(2).

Sensitive information includes, for example:

  • Private personal data e.g. passport number, driver's license numbers
  • Health information e.g. biodata
  • Racial and ethnic origins
  • Religious beliefs
  • Financial information e.g. credit card details
  • Account login data

Under the CPRA, Californians have the right to limit what sensitive data you collect, how it's used, and how it's shared.

Data Retention

You must, under the CPRA, tell customers how long you intend to retain their personal data. If you do not have a specific duration in mind, then you should explain how you will determine the appropriate time frame. For example, set out what criteria you'll use to decide how long you need a certain type of data for.

Your business should not retain data for any longer than reasonably necessary to fulfill a disclosed purpose. So, bear this in mind when you're considering how long you will retain personal information.

Automated Decision-Making

If you use data for automated decision-making, or data profiling, this should now be disclosed in your Privacy Policy.

Although there's no automatic right for people to stop you using their data for automated decision-making, they can stop you using it for certain purposes defined in Section 1798.140(z).

Under this section, people can stop you using their data for automated decision-making relating to:

  • Workplace performance
  • Economic situation
  • Health
  • Behavior and reliability
  • Personal preferences and interests
  • Location and movements

Right of Correction

Now, Californians have the right to request amendments to their personal data if it's inaccurate or outdated in any way. You must honor this right if a customer makes the request.

Moreover, you must specify this right of correction in your Privacy Policy.

Right to Opt Out of Data Sharing

The CCPA gave Californians the right to opt out of the sale of personal information. The CPRA allows Californians to stop you sharing their data with any third party, even if you're not selling it.

This change aligns the CCPA more closely with the EU's GDPR, which allows individuals to stop businesses from disclosing their data to third parties.

CPRA Privacy Policy Requirements

CPRA Privacy Policy Requirements

As we're now clear on what changes the CPRA introduces, we must consider how to draft a CPRA-compliant Privacy Policy.

Essentially, to comply with the CPRA, your Privacy Policy must cover:

  • Sensitive information
  • Data retention
  • Automated decision-making
  • Right of correction
  • Third party disclosures

Now we're clear on what should feature in a CPRA-compliant Privacy Policy, let's cover each change in more detail.

Sensitive Information Clause

If you collect any sensitive information, specify this in your Privacy Policy.

For example, the Bank of America collects a variety of sensitive data, including a customer's Social Security number and biometric data and discloses it as such:

Bank of America Consumer Privacy Act Notice: Collection and Disclosure of Personal Information clause

Although this clause is comprehensive, it would be best to highlight which data counts as "sensitive" more specifically. If you collect any sensitive data at all, list the categories clearly in your Privacy Policy.

If you're unsure what counts as sensitive data, refer to CCPA Section 1798.140(ae)(1).

Limiting Use of Sensitive Information

It's not enough just to list the type of sensitive information you collect. Under the CPRA, people can request that you only use sensitive information to fulfill a specified purpose i.e. to provide the ordered goods or services.

If a customer makes this request, you can't use the data for any other reason unless the individual gives you permission to do so. This is set out in Section 1798.121.

If you collect sensitive data, provide a clear link in your website homepage to a page titled "Limit the Use of My Sensitive Information." Alternatively, you can have one page for opting out of both the sale of personal data, and the sharing of sensitive information. This is set out in Section 1798.135.

It's good practice to also link to this page from within your Privacy Policy.

Data Retention Clause

Include a clause explaining either how long you retain data or how you'll decide the appropriate time frame for retaining data.

Etsy, for example, has a clause concerning data retention. It's a good example as there is some breakdown of different categories of data and how long information will be retained. However, the categories could be more specific to achieve CPRA compliance:

etsy-privacy-policy-data-retention-clause

Silicon Republic touches on data retention in its Privacy Policy. The clause is not specific enough to comply with the CPRA. However, it could be developed to include the different categories of personal data and a timeframe for each:

Silicon Republic Cookie and Privacy Policy: Data retention clause

Data Profiling

The CPRA lets people opt out of certain types of automated decision-making . If you use data for automated decision-making, you must state this in your Privacy Policy.

Although there's no automatic right for people to turn off all data profiling, you must confirm how they can contact you to opt out when permitted by the act as described above.

See Section 1798.140(z) for more information.

Right to Correct Inaccuracies

Under the CPRA, people can now ask you to amend inaccuracies in their personal data. So, your Privacy Policy must include:

  • A statement that people have the right to correct inaccuracies, and
  • Details for how they can exercise this right

Etsy includes a "Right to Correction" section in its "Your Rights and Choices" clause. There are also clear instructions for how to change details:

Etsy Privacy Policy: Your Rights and Choices clause - Right to Correction section highlighted

Krispy Kreme includes the right to amend account information in its "Your Choices" section:

Krispy Kreme Privacy Policy: Your Choices clause

Contact details can be found at the end of the Privacy Policy.

Third Party Data Sharing

The CPRA lets Californians stop companies from sharing their data with any third party even if there's no sale involved. So, include a clause explaining:

  • Customers have the right to restrict any sharing of their data with third parties
  • How they can exercise this right

For example, here's how Walmart lists its consumer rights:

Walmart California Privacy Rights: CCPA section

Include a link on your homepage (and within your Privacy Policy) to a page where customers can opt-out of selling or sharing their personal information. If you already have a "Do Not Sell My Personal Information" page, this should be updated to include the sharing of personal data.

Where to Display Your Privacy Policy

Where to Display Your Privacy Policy

Under the CCPA (and now the CPRA), your website must have a clear, conspicuous link to your Privacy Policy. Typically, this means linking to your Policy in the header or footer of your website. However, you can also display it in other locations e.g. the navigation menu or sign-up screen.

Here's an example from Starbucks. There's a clear link to the Privacy Policy in the website footer:

Starbucks website footer with Privacy Policy link highlighted

To stay CCPA and CPRA-compliant, always ensure it's easy for users to review your Privacy Policy by placing clear, obvious links to the document on your website.

At a minimum, this means there must be a link in the header, footer, or sidebar.

Penalties for Failing to Comply With the CPRA

Penalties for Failing to Comply With the CPRA

The financial penalties for non-compliance vary depending on the severity of the violation:

  • Accidental breach: up to $2,500 per violation
  • Deliberate breach: up to $7,500 per violation

However, businesses should only be fined if they're made aware of the breach and fail to "cure" it within 30 days.

Affected consumers can also bring a private right of action and seek statutory damages. However, again, businesses must have the opportunity to cure the breach before seeking compensation.

As businesses have until January 2023 to comply with the CPRA, it's unclear how the law will be interpreted and how fines will be administered. However, to avoid financial penalties and reputation damage, you should act now and ensure your Privacy Policy is legally compliant.

Conclusion

The California Privacy Rights Act (CPRA), which came into force in December 2020, significantly amends the California Consumer Privacy Act (CCPA).

  • Businesses, third parties, service providers and contractors doing business in California should comply with the CPRA.
  • The CPRA gives Californians new rights over their data:

    • Right to amend incorrect personal data
    • Right to opt out of data sharing
    • Right to limit the disclosure of sensitive personal information
  • You should also tell customers if you use their data for automated decision-making

In addition to the clauses required by the CCPA, every CPRA-compliant Privacy Policy should include the following:

  • Sensitive information disclosure: What counts as sensitive data, whether you collect it, and how people can restrict data processing
  • Data retention clause: How long your business keeps personal data from customers

Display your Privacy Policy link prominently e.g. in your website footer and sign-up forms.

Penalties for non-compliance include civil penalties and statutory damages.