California Consumer Privacy Act Regulations: Privacy Policy and Notice

Melissa Krasnow | September 4, 2020

On August 14, 2020, the California Consumer Privacy Act (CCPA) Regulations (Regulations) went into effect.

This article focuses on the following content requirements under the Regulations.

  • Privacy policy
  • Notice at collection
  • Notice of right to opt-out
  • Notice of financial incentive

Please see my previous article, "The California Consumer Privacy Act of 2018, as Amended" (October 2019), regarding the CCPA, including the definitions of business, consumer, personal information, sell, selling, sale, or sold and third-party thereunder.

Privacy Policy

Every business that must comply with the CCPA and the Regulations must provide a privacy policy—the statement that a business must make available to consumers describing the business's online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information. 11 CCR § 999.304(a) and 11 CCR § 999.301(p).

The privacy policy must include the following information.

  • Right to know about personal information collected, disclosed, or sold
    • Explanation that a consumer has the right to request that the business disclose what personal information it collects, uses, discloses, and sells
    • Instructions for submitting a verifiable consumer request to know and providing links to an online request form or portal for making the request, if offered by the business
    • General description of the process the business will use to verify the consumer request, including any information the consumer must provide
    • Identification of the categories of personal information the business has collected about consumers in the preceding 12 months
    • Identification of the categories of sources from which the personal information is collected
    • Identification of the business or commercial purpose for collecting or selling personal information
    • Disclosure or sale of personal information
      • Identification of the categories of personal information, if any, that the business has disclosed for a business purpose or sold to third parties in the preceding 12 months
      • For each category of personal information identified, the categories of third parties to which the information was disclosed or sold
      • Statement regarding whether the business has actual knowledge that it sells the personal information of consumers under 16 years of age
  • Right to request deletion of personal information
    • Explanation that the consumer has a right to request the deletion of their personal information collected by the business
    • Instructions for submitting a verifiable consumer request to delete and providing links to an online request form or portal for making the request, if offered by the business
    • General description of the process the business will use to verify the consumer request, including any information the consumer must provide
  • Right to opt-out of the sale of personal information
    • Explanation that the consumer has a right to opt-out of the sale of their personal information by a business
    • Statement regarding whether or not the business sells personal information. If the business sells personal information, the privacy policy must include either the contents of the notice of right to opt-out (as more particularly described below) or a link to it.
  • Explanation that the consumer has a right not to receive discriminatory treatment by the business for the exercise of the privacy rights conferred by the CCPA
  • Instructions on how an authorized agent can make a request under the CCPA on the consumer's behalf
  • A contact for questions or concerns about the business's privacy policies and practices using a method reflecting the manner in which the business primarily interacts with the consumer
  • Date the privacy policy was last updated
  • If subject to the requirements set forth in 11 CCR § 999.317(g) regarding a business that knows or reasonably should know that it, alone or in combination, buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, the personal information of 10,000,000 or more consumers in a calendar year, the information compiled in 11 CCR § 999.317(g)(1), or a link to it
  • If the business has actual knowledge that it sells the personal information of consumers under 16 years of age, a description of the processes required by 11 CCR §§ 999.330 and 999.331. 11 CCR § 999.308(c).

Notice at Collection

A business that collects personal information from a consumer must provide a notice at collection—the notice given by a business to a consumer at or before the point at which a business collects personal information from the consumer. 11 CCR § 999.304(b) and 11 CCR § 999.301(l).

The notice at collection must include the following.

  • A list of the categories of personal information about consumers to be collected
  • The business or commercial purpose(s) for which the categories of personal information will be used
  • If the business sells personal information, the link titled "Do Not Sell My Personal Information," or in the case of offline notices, where the Web page can be found online
  • A link to the business's privacy policy, or in the case of offline notices, where the privacy policy can be found online. 11 CCR § 999.305(b).

Notice of Right to Opt-Out

A business that sells personal information must provide a notice of right to opt-out—the notice given by a business informing consumers of their right to opt-out of the sale of their personal information. 11 CCR § 999.304(c) and 11 CCR § 999.301(m).

The notice of right to opt-out must include the following.

  • A description of the consumer's right to opt-out of the sale of their personal information by the business
  • The interactive form by which the consumer can submit their request to opt-out online or, if the business does not operate a website, the offline method by which the consumer can submit their request to opt-out
  • Instructions for any other method by which the consumer may submit their request to opt-out. 11 CCR § 999.306(c). 

Notice of Financial Incentive

A business that offers a financial incentive or price or service difference must provide a notice of financial incentive—the notice given by a business explaining each financial incentive or price or service difference. 11 CCR § 999.304(d) and 11 CCR § 999.301(n).

The notice of financial incentive must include the following.

  • A succinct summary of the financial incentive or price or service difference offered
  • A description of the material terms of the financial incentive or price or service difference, including the categories of personal information that are implicated by the financial incentive or price or service difference and the value of the consumer's data
  • How the consumer can opt-in to the financial incentive or price or service difference
  • A statement of the consumer's right to withdraw from the financial incentive at any time and how the consumer may exercise that right
  • An explanation of how the financial incentive or price or service difference is reasonably related to the value of the consumer's data, including the following
    • A good-faith estimate of the value of the consumer's data that forms the basis for offering the financial incentive or price or service difference
    • A description of the method the business used to calculate the value of the consumer's data. 11 CCR § 999.307(b).

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.