California is imposing tough new rules on processing the data of anyone under the age of 18, with the potential to affect businesses that don't target younger consumers.
A business’s privacy policy is the most conspicuous expression of its compliance with the California Consumer Privacy Act (CCPA). This leads to a common misconception among executives and managers, commonly stated in this way: “My company has a privacy policy posted online, so we are already CCPA compliant.” While the privacy policy is certainly important, it is far from being the only component of CCPA compliance.
What the CCPA aims to do, along with other data privacy laws like the European Union’s General Data Protection Regulation (GDPR), is change how businesses think about personal data and give Californians more control over their information. A privacy policy is just one part of this effort. We’ll discuss what it takes to create a compliant privacy policy and what might be missing from your business’s CCPA strategy if it focuses exclusively on this aspect.
A business’s first responsibility to California residents under the privacy law is to disclose what kind of personal information the business collects, how and why it uses that information, and what privacy rights the consumer has. This is the essence of what a privacy policy, also called a privacy notice, does for the business if it follows all of the requirements. It is tempting to take the company’s existing privacy policy, make a few tweaks, and call that CCPA compliance. However, it is very likely that such a policy would be missing key information and therefore not be CCPA compliant.
The CCPA addendum to a privacy policy should be in plain, non-technical language and be reasonably accessible to consumers with disabilities, following recognized industry standards such as the Web Content Accessibility Guidelines version 2.1. It must cover each of the following points:
Once the CCPA addendum is completed, it must be posted at or before any point of collection. For example, if a business collects a consumer’s email address to send them promotions, it must include a link to its privacy policy near this point of data collection.
There are a number of other notices a business may be required to include in their privacy policy, depending on their practices.
Many businesses don’t realize that the CCPA even covers internal data collection from employees and job applicants. While these consumers don’t have the right to submit privacy requests, such as a request to delete, businesses still must inform them as to what personal information is being collected and why. Employers must give this notice at or before the point of collection, generally in the job application or employment agreement.
If a business sells consumers’ personal information to third parties, it must provide an additional notice to consumers either in the main privacy policy or as its own page. This notice must tell consumers:
They must also post a clear and conspicuous “Do Not Sell My Personal Information” link on their homepage that sends consumers to this notice.
There are special rules for the sale of personal information from consumers who are under the age of 16. If your business has knowledge that it sells the personal information of minors, it must provide a way to obtain their (or their guardian’s) affirmative consent before doing so. The process for obtaining this consent must be described in the privacy policy.
While businesses cannot discriminate against consumers for exercising their CCPA rights, they can offer financial incentives to consumers for opting in to the use and sale of their personal information. They can also charge a different price to consumers who opt out, if the difference in price is related to the value provided to the business by that consumer’s personal information. If businesses engage in either of these practices, they must explain it in their privacy policy.
If a business buys, receives, sells, or shares for commercial purposes the personal information of 10 million or more California residents per year, it must compile and disclose additional information in its privacy policy. They must report how many privacy requests they received in the previous year, as well as how many of those requests were denied, complied with in part, and complied with in whole. These businesses must also disclose the median number of days they took to respond to requests.
When it comes to CCPA compliance, changing the company privacy policy is just what’s visible to the consumer. There is a lot of work and preparation that goes into compliance beyond the privacy policy.
Here are the most important tasks that businesses must take care of to become CCPA compliant.
Before a business can craft an accurate privacy policy, it should first create a detailed data map. A data map identifies personal-information collection points, where the data is stored, and any disclosures of personal information to outside parties (including credit card payment processors, email marketing vendors, etc.). This is where most of the work for CCPA compliance is done. The privacy policy itself is more like a report card that follows this in-depth analysis.
Part of the reason the data map takes so much effort to create is that most businesses significantly underestimate how much “personal information” they collect, as defined by the CCPA. It’s not just the obvious categories like names, email addresses, social security numbers, and other identifiers; it’s any information reasonably capable of being associated with a particular consumer. Personal information includes IP addresses, geolocation data, interactions with the business’s web pages, and much more.
When new data collection points are identified, you must trace where this information goes, categorize its purpose, and determine whether any of it is transferred outside of the business. If the information does go to an outside party, this requires another level of scrutiny as to whether the transfer qualifies as a sale or not.
Under the CCPA, if a business sells consumers’ personal information, it has additional responsibilities. It must disclose this fact in its privacy policy, provide methods for submitting requests to opt out, and include a “Do Not Sell My Personal Information” link on its homepage. It’s common for business leaders to see these requirements, then quickly determine that they do not sell anyone’s personal information without first investigating what the CCPA means by “selling.”
The CCPA’s definition of selling personal information goes well beyond trading consumer data for money; it is also the disclosure of personal information for any kind of “valuable consideration.” Most importantly, this includes the use of interest-based advertising services, a.ka. retargeting, from platforms like Facebook and Google. For example, if a consumer places an item in their online shopping cart but then leaves your site, using a third-party service to target the consumer with personalized ads for that product is considered a sale of personal information, and the CCPA applies.
This is a very common and effective marketing tool for online businesses, but it doesn’t fit into most people’s understanding of what a sale is, so it is easily overlooked. If your company uses interest-based advertising, it will have to comply with the CCPA’s rules regarding consumers’ right to opt out, or else stop using those services.
One of the most complicated tasks in becoming CCPA compliant is classifying vendors, i.e., deciding whether or not they qualify as “service providers.” It is a critically important step—disclosing consumers’ personal information to a service provider is not considered a sale of personal information, and therefore not covered by the right to opt out.
The classification is complicated because the CCPA’s definition of service providers includes specific contract requirements. Unless the vendor contract expressly prohibits the vendor from using, maintaining, or disclosing consumers’ personal information except as needed to provide their service, that vendor is not a service provider. This means businesses must go over each vendor contract with a fine-tooth comb to see if it meets the CCPA’s requirements.
If the vendor does not qualify as a service provider, the business then has to make a determination as to whether any transfer of personal information needs to be considered a sale.
Making the necessary disclosures to consumers is only one half of CCPA compliance; businesses must also respond to privacy requests, and do so in a timely manner. To respond to these consumer requests, businesses must have a comprehensive understanding of their own data privacy practices.
There are currently four types of requests in the CCPA:
The California Privacy Rights Act (CPRA) adds two more:
All of these requests have their own rules and exceptions that businesses should understand and have policies for before receiving an actual request. For example, opt-out requests don’t apply to disclosures of personal information to service providers, and requests to delete can be fulfilled by deidentifying or aggregating the data. Furthermore, different types of requests have different verification requirements that must be met.
Because of these complexities, privacy requests should not be handled on an ad hoc basis. Preparing in advance by creating an accurate data map and clear policies for staff to follow makes it easier for businesses to fully comply with their obligations without making mistakes such as deleting information unnecessarily.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.