July 24, 2024
CCPA Checklist: Privacy Policy and Notices

Creating a CCPA-compliant privacy policy and other required notices will take advantage of all the work you’ve done in the previous steps, effectively translating your data map into a public document. Use the following checklist to make sure your privacy notices meet the CCPA’s requirements.

  • Update current privacy policy
    Most businesses already have a privacy policy; this is a good time to make any necessary updates based on your CCPA preparations.
  • Create a CCPA addendum
    This will be an addition to your business’s current policy, with everything needed to meet the CCPA’s notice requirements.
    • Inform consumers of their CCPA privacy rights
      Consumers have a right to know, right to delete, right to correct, right to opt out of sale or sharing, right to limit the use and disclosure of sensitive personal information, and right to non-discrimination.
    • Instructions on how to make a verifiable request
      Different requests must be verified to different degrees based on the personal information involved. The CCPA addendum should cover these verification procedures.
    • Inform consumers they can make requests through an agent
      Consumers may make privacy requests through an authorized agent, though the business may also need to verify the agent's authority to act on the consumer’s behalf.
    • What personal information is collected, from what source, and for what purposes
      Refer to your business's data map.
    • What sensitive personal information is collected, for what purposes, and whether it is sold or shared
      Refer to your business's data map.
    • What personal information is disclosed to third parties, contractors, and service providers, as well as the categories of those parties
      Refer to your business's data map.
    • How long your business intends to retain each category of personal information
      Your business will need to create a data retention policy.
    • What personal information is sold to or shared with third parties, and the categories of such third parties
      Refer to your business's data map.
    • At least two methods for contacting the business and making privacy requests
      These contact methods should reflect the means by which a business normally interacts with consumers. For example, a business that mostly interacts with consumers online must provide at least one online contact method.
  • Additional privacy notices
    • Employees and job applicants
      Employees and job applicants have the same rights as anyone else, so you'll need to include privacy disclosures in application and employment paperwork.
    • "Do Not Sell or Share My Personal Information" page
      Businesses that sell or share consumers’ personal information must provide a “Do Not Sell or Share My Personal Information” link on their homepage that leads to either a separate web page or a section of the privacy policy informing consumers of the business's selling/sharing practices and their opt-out rights.
    • Financial incentives
      Though businesses may not discriminate against consumers who exercise their CCPA rights, in some circumstances they may offer financial incentives to consumers for opting in to the sale or sharing of their personal information. If they do so, they must provide an additional notice that covers the details of those incentives.
    • High volumes of personal information
      Businesses that annually buy, sell, share, or receive the personal information of 10 million or more consumers must compile and disclose additional data in their privacy policy.
    • Notices regarding minors under 16
      If your business has actual knowledge that it sells or shares the personal information of consumers under the age of 16, it must make additional disclosures regarding the special rules for obtaining their consent (opt-in consent from the minor for ages 13 to 15, and from a parent or guardian for children under 13).
    • Brick-and-mortar store requirements
      If a business collects and uses personal information at its physical store locations, it must disclose this in its online privacy policy, provide a notice at the point of collection, and designate a toll-free number for making CCPA privacy requests.
  • Placement at points of collection
    Links to the privacy policy should be placed at every point where personal information is collected.
  • General principles
    • Plain, straightforward language
    • Format draws reader's attention to the notice
    • Readable on small screens
    • Available in the languages the business normally uses in its consumer-facing materials
    • Reasonably accessible to users with disabilities

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.

Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.