This article focuses on the following content requirements under the
Regulations.
- Privacy policy
- Notice at collection
- Notice of right to opt-out
- Notice of financial incentive
Please see my previous article, "The
California Consumer Privacy Act of 2018, as Amended" (October 2019),
regarding the CCPA, including the definitions of business, consumer, personal
information, sell, selling, sale, or sold and third-party thereunder.
Privacy Policy
Every business that must comply with the CCPA and the Regulations must
provide a privacy policy—the statement that a business must make available to
consumers describing the business's online and offline practices regarding
the collection, use, disclosure, and sale of personal information and of the
rights of consumers regarding their personal information. 11 CCR § 999.304(a)
and 11 CCR § 999.301(p).
The privacy policy must include the following information.
- Right to know about personal information collected, disclosed, or sold
  - Explanation that a consumer has the right to request that the
    business disclose what personal information it collects, uses, discloses,
    and sells
  - Instructions for submitting a verifiable consumer request to know and
    providing links to an online request form or portal for making the
    request, if offered by the business
  - General description of the process the business will use to verify
    the consumer request, including any information the consumer must
    provide
  - Identification of the categories of personal information the business
    has collected about consumers in the preceding 12 months
  - Identification of the categories of sources from which the personal
    information is collected
  - Identification of the business or commercial purpose for collecting
    or selling personal information
- Disclosure or sale of personal information
  - Identification of the categories of personal information, if any,
    that the business has disclosed for a business purpose or sold to
    third parties in the preceding 12 months
  - For each category of personal information identified, the
    categories of third parties to which the information was disclosed or
    sold
  - Statement regarding whether the business has actual knowledge
    that it sells the personal information of consumers under 16 years of
    age
- Right to request deletion of personal information
  - Explanation that the consumer has a right to request the deletion of
    their personal information collected by the business
  - Instructions for submitting a verifiable consumer request to delete
    and providing links to an online request form or portal for making the
    request, if offered by the business
  - General description of the process the business will use to verify
    the consumer request, including any information the consumer must
    provide
- Right to opt-out of the sale of personal information
  - Explanation that the consumer has a right to opt-out of the sale of
    their personal information by a business
  - Statement regarding whether or not the business sells personal
    information and, if the business sells personal information, either
    the contents of the notice of right to opt-out (as more particularly
    described below) or a link to it
- Explanation that the consumer has a right not to receive discriminatory
treatment by the business for the exercise of the privacy rights conferred by
the CCPA
- Instructions on how an authorized agent can make a request under the CCPA
on the consumer's behalf
- A contact for questions or concerns about the business's privacy
policies and practices using a method reflecting the manner in which the
business primarily interacts with the consumer
- Date the privacy policy was last updated
- If subject to the requirements set forth in 11 CCR § 999.317(g) regarding
a business that knows or reasonably should know that it, alone or in
combination, buys, receives for the business's commercial purposes,
sells, or shares for commercial purposes, the personal information of
10,000,000 or more consumers in a calendar year, the information compiled in
11 CCR § 999.317(g)(1), or a link to it
- If the business has actual knowledge that it sells the personal
information of consumers under 16 years of age, a description of the
processes required by 11 CCR §§ 999.330 and 999.331. 11 CCR §
999.308(c).
Notice at Collection
A business that collects personal information from a consumer must provide a
notice at collection—the notice given by a business to a consumer at or before
the point at which a business collects personal information from the consumer.
11 CCR § 999.304(b) and 11 CCR § 999.301(l).
The notice at collection must include the following.
- A list of the categories of personal information about consumers to be
collected
- The business or commercial purpose(s) for which the categories of
personal information will be used
- If the business sells personal information, the link titled "Do Not
Sell My Personal Information," or in the case of offline notices, where
the Web page can be found online
- A link to the business's privacy policy, or in the case of offline
notices, where the privacy policy can be found online. 11 CCR §
999.305(b).
Notice of Right To Opt-Out
A business that sells personal information must provide a notice of right to
opt-out—the notice given by a business informing consumers of their right to
opt-out of the sale of their personal information. 11 CCR § 999.304(c) and 11
CCR § 999.301(m).
The notice of right to opt-out must include the following.
- A description of the consumer's right to opt-out of the sale of their
personal information by the business
- The interactive form by which the consumer can submit their request to
opt-out online or, if the business does not operate a website, the offline
method by which the consumer can submit their request to opt-out
- Instructions for any other method by which the consumer may submit their
request to opt-out. 11 CCR § 999.306(c).
Notice of Financial Incentive
A business that offers a financial incentive or price or service difference
must provide a notice of financial incentive—the notice given by a business
explaining each financial incentive or price or service difference. 11 CCR §
999.304(d) and 11 CCR § 999.301(n).
The notice of financial incentive must include the following.
- A succinct summary of the financial incentive or price or service
difference offered
- A description of the material terms of the financial incentive or price
or service difference, including the categories of personal information that
are implicated by the financial incentive or price or service difference and
the value of the consumer's data
- How the consumer can opt-in to the financial incentive or price or
service difference
- A statement of the consumer's right to withdraw from the financial
incentive at any time and how the consumer may exercise that right
- An explanation of how the financial incentive or price or service
difference is reasonably related to the value of the consumer's data,
including the following
  - A good-faith estimate of the value of the consumer's data that
    forms the basis for offering the financial incentive or price or service
    difference
  - A description of the method the business used to calculate the value
    of the consumer's data. 11 CCR § 999.307(b).