December 20, 2019

CCPA Privacy Policy: The Ultimate Compliance Checklist

The privacy policy of your company’s website will need to be compliant with the California Consumer Privacy Act (CCPA).

The privacy policy of your company’s website will need to be compliant with the California Consumer Privacy Act (CCPA).

If you have already complied with the EU’s General Data Protection Regulation (GDPR), you will need less effort because some of the CCPA’s obligations are similar to the GDPR. 

Nonetheless, you will still need to make several vital improvements to make your privacy policy fully compliant with the CCPA.

The core components of a CCPA-compliant privacy policy include:

  • A visible link to the privacy policy
  • 12-month updates
  • ‘Do Not Sell My Personal Information’ link
  • Categories of information collected
  • Categories of personal information sold
  • Children’s opt-in
  • Consumer Rights

A Visible Link to the Privacy Policy

The CCPA requires your business to have a noticeable link to your privacy policy on the homepage of your website

In this case, most businesses prefer to have a link at the website’s footer since it is the customary location of a company’s legal policies. Learn how to add a Privacy Policy button on a website.

12-month Updates

Under the CCPA, you will be required to keep your privacy policy updated every 12 months. 

To guarantee your privacy policy is compliant with the CCPA, you will require a mechanism through which you can monitor the updates made to the regulation. 

Apart from updating your privacy policy every year, you will need to display the last date the policy was updated clearly for users to see. In this context, you may be required to add a short overview outlining the changes made in the most recent update.

‘Do Not Sell my Personal Information’ Link

Unlike the GDPR, to have a CCPA-compliant privacy policy, you need a clear and noticeable link labeled ‘Do Not Sell My Personal Information.’

You must display this link not only in the privacy policy but also at the footer of the website’s homepage. The aim of having this link is to allow consumers to opt-out of having their personal data sold by companies.

However, if you do not specialize in selling personal data, your business is exempted from meeting this obligation.

Categories of Information Collected

According to the CCPA, you must reveal a list of all the categories of personal information that your business has gathered in the previous 12 months from any source.

This requirement is connected to the obligation of updating your privacy policy every 12 months. Primarily, when you update your privacy policy, you are required to disclose the categories of personal information that your business collected in the previous year.

Under the CCPA, the types of personal data you must reveal include;

  • Personal identifiers; e.g IP addresses, contact number, cookies, beacons
  • Protected classified information; e.g sexuality, ethnicity, gender
  • Commercial data; e.g records of services procured
  • Data safeguarded against security breaches; e.g name, password, social security number, driver’s license number, date of birth
  • Personal information classifications contained in the California Customer Records statute
  • Geolocation data
  • Education data
  • Biometric data; i.e fingerprints, voice recording, DNA
  • Audio, electronic, thermal, and video data
  • Inferences made from profiling
  • Professional information
  • Internet activity; e.g browsing history, search history
  • Sources of Personal Data Collection

Once you provide the classes of personal information you have gathered in the past year, you must also disclose the sources of every category of data. Examples of sources of information include;

  • Consumer-provided information obtained from forms, questionnaires, participation in online communities among other types of a user’s interaction with a website
  • Public sources of personal information such as census data, credit bureaus, and real estate records
  • Cookies and web analytics

It is important to be detailed and specific when revealing the sources of the personal information you collect.

Purposes of Collecting Personal Information

For your privacy policy to be CCPA-compliant, you must let your consumers know why you collect the kind of information you collect. Here, you should provide a clear explanation of what you use this data for.

Some of the reasons why businesses collect information include;

  • Identification and verification
  • Improving service delivery
  • Customizing experiences for consumers
  • Marketing and advertising
  • Legal compliance
  • Communicating with consumers
  • Categories of Information Disclosed for Business Purposes

The CCPA requires you to list the categories of user information that have been shared of business reasons in the previous year.

Section 1798.140 of the CCPA clarifies activities that are considered ‘business purposes.’ They include;

  • Detection of security events
  • Short-term uses
  • Service delivery
  • Auditing
  • Testing or enhancing the quality or safety of a service
  •  Debugging to establish and rectify errors
  • Internal research for technological development and demonstration

If you have not shared information for a business objective, you must make a declaration to this effect on your privacy policy.

Furthermore, you must declare if you disclosed consumer information to a third-party, which is then disclosed for business purposes on your behalf. Check out Secure Privacy's Ultimate CCPA Guide.

Categories of Information Sold

The CCPA requires you to declare the classes of personal information that you have sold in the previous 12 months. You need to update this disclosure in your annual privacy policy updates.

In case your business does not sell personal information, this should also be clear on your privacy policy.

Children’s Opt-in

California’s data privacy law establishes an opt-in obligation for children between the age of 13 and 16 years old. Minors in this age group must opt-in to the sale of their personal data. 

Moreover, the CCPA requires your business to get the consent of a parent or a guardian before selling the information of a minor aged below 13 years.

If your target market involves children, this requirement is extremely, crucial although it applies to any enterprise that has actual knowledge of the minor’s age.

Consumer Rights

Your privacy policy must contain the consumer rights established under the CCPA. Essentially, consumers are entitled to;

  • Access their personal information
  • Delete their personal information
  • Not be discriminated against for exercising their privileges under the CCPA
  • The Right of Access

It is not adequate to outline the rights consumers are entitled to under the CCPA. Instead, your privacy policy must inform them how to access their personal data.

Additionally, ensure to make your users aware that you will address their request within 45 days because this is a requirement under the CCPA.

You must make available two or more designated methods for the consumer to request this information, including, at a minimum, a toll-free telephone number and a website address.

However, if your business operates online exclusively and has a direct relationship with a consumer, you are only required to provide an email address for submitting requests.

The Right to Deletion

Ensure that your policy advises users of their right to delete their personal information and explain how the user is able to make this request. 

You need to provide a way through which consumers can exercise this right.

Protection from Discrimination

The CCPA makes it clear that the consumers must not be subjected to prejudice for exercising their privileges under the law.

For this reason, you need to ensure that you inform users that they will not be discriminated against for exercising their rights under the CCPA.

The CCPA requires businesses to adopt transparency about data collection and sharing. To ensure your privacy policy is CCPA compliant, you will need to add clauses specific to the aforementioned rights.

Secure Privacy saves you the hassle of coming up with your company’s privacy policy. Our solution gives you a privacy policy generator with which you customize your privacy notice to meet the requirements of the CCPA.

Schedule a call with us today and get expert guidance on our solution and how we can support your CCPA compliance journey.

Check out Secure Privacy's GDPR and CCPA Compliance features for Publishers.

Additional Resources:

Get all your questions or concerns answered with our detailed CCPA summary on how to become CCPA compliant.

Get your free CCPA e-book delivered instantly into your inbox.

Read more on the subject:

- The Ultimate Guide on How to Prepare for CCPA Compliance

- Revised CCPA Proposed Regulations 2020: The Key Changes

- Final CCPA Proposed Regulations: The Ultimate Guide

- CCPA vs. GDPR: What Businesses Need to Know

- CCPA Amendments: Key Changes You Need to Know