In Part I, we explained the basics of the California Consumer Privacy Act (“CCPA” or “the Act”). For those businesses which are subject to the Act, the first step towards compliance is confronting the reason the legislation was passed in the first place: disclosure! In order for a business to avoid legal trouble with their California clients, or the Office of the Attorney General (“OAG”), it needs to implement a privacy policy that gives consumers effective notice about the information that is being collected. The purpose of a privacy policy under the CCPA is to inform the consumer about the online and offline collection of their personal information, and to inform them of their data privacy rights. Below are some basic approaches that will help get your business on track towards compliance with the CCPA.
I. Contents of the Privacy Policy
Under the Act, OAG was asked to “solicit broad public participation and adopt regulations to further the purposes of [the CCPA].” Listed as one of the Office’s mandates was to establish rules and procedures to ensure that notices required under the Act would be accessible and understandable to as many consumers as possible. According to the office’s CCPA Regulations, which became effective on July 1, 2020, a business’s privacy policy must inform the consumer on the following information:
- a consumer’s rights to know about the personal information collected;
- their right to request the deletion of their personal information
- their right to opt-out of the sale of their personal information;
- their right to non-discrimination for the exercise of any of their privacy rights;
- instructions about how an authorized agent can make a request on the consumer’s behalf;
- the business’s contact information where consumers can get more information if needed;
- the date of the policy’s last update;
- the process for record-keeping and training staff members to comply with the Act; and
- descriptions of the processes used for collecting information from minors under the age of 16 years of age
The first consideration for a business is to determine why it is collecting information in the first place. What makes the CCPA such a unique regulation is that consumers are now in charge of their data; to that end, a consumer must first know what is being collected, and why, in order to have an opportunity to make informed decisions about how their information may be used. Pursuant to the Act, every business must disclose, “at or before the point of collection,” the categories of personal information that the business plans to collect, the sources of that information, and the business purposes for which it will be collected. If a business is found to be collecting additional categories of information, or using it for another purpose, they may fall out of compliance with the Act.
The next consideration should focus on the methods that the business would like to implement for receiving requests to know, delete or opt-out, which will appear in the designated section of the policy itself. As guidance, the OAG has suggested that these determinations be based on how the business primarily interacts with consumers generally, and has provided examples in their regulations. For instance, if all transactions are consummated over the internet via a direct relationship with the consumer, that business need only provide an email address where requests can be sent to. All other businesses must have in place at least two methods available to consumers, one of which must be a toll-free telephone number. Other acceptable methods include, but are not limited to, email addresses, a form submitted in person, through the mail, or online through a tablet or computer portal.
II. Location and Format of the Privacy Policy
In the interest of compliance, it might be advantageous to provide the privacy policy at the same time as the notice of collection, given that a business can include the notice within the provisions of their privacy policy itself. Therefore, the location where the privacy policy appears should be based on the time that collection of personal information occurs. The OAG’s regulations state that these notices must be made readily available where the consumer is likely to actually encounter it prior to their information being collected.
All policies must appear in a format that is easily understood by consumers, using plain, straightforward language and avoids technical or legal jargon. In line with the OAG’s goal of providing consumers with as much knowledge about their data privacy rights as possible, its regulations have been modified to include guidance on how to make a business’s privacy policy both accessible and readable. Not only should the words be easily understood, the design and format must support that goal as well.
According to the OAG, for those with an online presence, the privacy policy must appear through a “conspicuous link using the word ‘privacy’ on the business’s website homepage or on the download or landing page of a mobile application.” In this context, the CCPA defines “homepage” as “the introductory page of an internet website and any internet web page where personal information is collected.” The policy must also be reasonably accessible to those consumers with disabilities. The OAG has prescribed generally recognized standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, but in any event, the regulations mandate that the business include information on how a consumer with disabilities may access the policy in an alternative format.
III. Conclusion
Compliance under the CCPA stems primarily from the notice provided to consumers and how effective it is at conveying their privacy rights. A business that operates in a more impersonal setting may comply with the Act by making their privacy policy available via one link on their website, but one where the consumer must appear in-person may require more avenues of accessibility. Therefore, every business subject to the CCPA will first need to decide which method of disclosure will make the most sense for them.