
What is CCPA?
California Consumer Privacy Act (CCPA) is a state-wide law that took effect on January 1, 2020 and governs the collection, processing and selling of California residents’ personal information (PI).
The CCPA empowers California residents (known as consumers in the law) with the:
- right to opt-out of having their PI sold to third parties
- right to disclosure of the PI collected by a business in the last 12 months
- right to deletion of this PI
- right to equal service and price
- right to be informed
If a company or organization meets the CCPA definition of business, it is obligated to operate in compliance with the law when handling the PI of California residents – no matter where in the world the business itself is located.
Enforcement of the CCPA has begun!
On August 14, 2020, the final CCPA regulations took effect and form the basis for the Attorney General’s enforcement, which has already begun.
The CCPA regulations specify the practical and technical aspects of how to become compliant with the law.
California Privacy Rights Act (CPRA) passed into law
On November 3, 2020, the California Privacy Rights Act (CPRA) was passed into law in the General Election.
The California Privacy Rights Act (CPRA) is a new state-wide data law that amends the existing CCPA framework – expanding rights for California residents, creating additional business regulations and establishing the new CPPA government enforcement authority.
The California Privacy Rights Act (CPRA) took full effect on January 1, 2023 and will be enforced from July 1, 2023 – but applies a so-called “look-back period” to data collected and shared from January 2022.
Try Cookiebot consent management platform (CMP) for free today
CCPA compliance with Cookiebot CMP
Cookiebot CMP is a consent management platform (CMP) that enables compliance with the CCPA, the EU’s GDPR and other data privacy laws through technology that deep-scans your website to uncover all cookies and trackers present.
This way, you can know exactly what personal information your website collects, for what purposes and with which third parties it is shared – and take control for compliance.

Try Cookiebot CMP for free today for CCPA compliance.
CCPA privacy policy – overview
A cornerstone of CCPA compliance for a business is its privacy policy – or CCPA privacy notice, as it is often called.
Your website may already have a privacy policy, as this is also a requirement of data protection laws like the European General Data Protection Regulation (GDPR) that preceded the CCPA.
However, the CCPA has specific requirements for what your privacy policy must include, so in order to ensure compliance, you will need to amend and update it to reflect Californian law as well.

In broad terms, a CCPA privacy policy is about transparency.
It’s the way you tell your users from California what happens to their data when they visit your website, and the way you let them know what rights they have in this online exchange, including how they can exercise their rights when it comes to your business.
It’s very important that your CCPA privacy notice includes all the required content, otherwise you are not in compliance with the law.
Later in the blog post, we provide you with some examples of CCPA privacy policy templates (links to different company CCPA privacy notices found online).
But first, let’s break down the CCPA privacy policy requirements. We’ll do this by looking at the overall must-haves in this CCPA privacy policy checklist.
Become CCPA compliant with Cookiebot CMP for free.
CCPA privacy policy checklist
Here is a CCPA privacy policy checklist of what you must include in order to be compliant with California’s data law. Your CCPA privacy policy must –
- Inform consumers of their CCPA rights
- Inform consumers of how they can exercise their rights with your business
- Provide a list of all categories of PI your business has collected in the last 12 months
- Provide a list of all sources for each category of PI that your business collects
- Disclose the specific purposes of collection for each PI category
- Provide a list of all categories of PI that your business has sold to third parties in the last 12 months
- Provide a list of all PI categories that your business has disclosed for business purposes in the last 12 months
Your CCPA privacy policy must also be updated every 12 months, so make sure it features a “last updated” date or similar timestamp for your consumers to see.
A CCPA privacy notice requirement is also that your users have easy access to it from your website’s front page. This can be a link in the footer of your front page. More on this below.
Okay, let’s take a more detailed look at these requirements.
CCPA privacy policy requirements
First off, even though the CCPA demands that businesses provide a privacy policy on their website, most websites probably have one already, since data protection laws like the European General Data Protection Regulation also demand this.
However, the CCPA places specific demands on a business’s privacy policy that are different from those in the GDPR.
Let’s break down the checklist from above to look at the individual CCPA privacy policy requirements that your business and website must adhere to.
Conspicuous link to CCPA privacy notice
First off, your privacy policy must be accessible from your website’s front page.
One of the clear CCPA privacy notice requirements is that it has to be available for consumers through a conspicuous link on your website’s front page, i.e. clearly visible and accessible for your users.
This can be done in several ways – really it is up to you and your website’s layout, so long as you make sure that a CCPA privacy policy link is featured in a way that is easy to find and click on by your visitors on the front page.
Updated CCPA privacy policy
Another requirement of the California law is that your CCPA privacy notice is updated at least once every twelve months.
Most CCPA privacy policies therefore have a “last updated” header or footer to inform consumers that the content they are reading is correct and up to date.

One of the reasons that a CCPA privacy notice needs to be updated is that the law requires consumers to be made aware if your business starts collecting new categories of personal information, or if it starts collecting PI for a different purpose than before.
Make sure to always keep your CCPA compliant privacy policy updated, and let your users know when it was updated last.
Inform users on their CCPA rights
When it comes to the CCPA privacy policy requirements, the right to be informed of rights is of particular concern to a business with a website seeking CCPA compliance.
List of CCPA rights that you must inform your users of in your CCPA privacy policy:
- right to opt-out of having their PI sold to third parties
- right to disclosure of the PI collected by a business in the last 12 months
- right to deletion of this PI
- right to equal service and price
- right to be informed
You must also tell your users how to exercise the disclosure, deletion and opt-out rights. This is another important CCPA privacy notice requirement.
Consumers must send a verifiable consumer request, commonly through a link on your website, by calling your business or sending you an e-mail.
Let your users know clearly what their rights are and how they can exercise them in relation to your business.
What PI do you collect and from where?
The CCPA specifies that California residents must get a notice at collection, i.e. your users must be informed at or before the point of collection about the categories of PI that you collect and the purposes for which you collect them.
It is central to the CCPA privacy notice that a business list exhaustively all categories of personal information that they have collected in the last 12 months.
A common way of categorizing personal information in CCPA privacy policies is between –
- Direct identifiers (names, addresses, IP addresses, email addresses, social security numbers etc.)
- Sensitive information (age, ethnicity, religion, political conviction, health, gender, sexual orientation etc.)
- Commercial information (credit card history, transaction details, payment info etc.)
- Geolocation data
- Professional, employment or education information
- Inferences drawn from any of the above for the purpose of profiling
Another CCPA privacy policy requirement is for a business to list its sources, i.e. from where it obtains the different categories of personal information listed above.
This means that you must, in your CCPA privacy notice, tell your users where you collect the different categories of PI from.
A common list of sources would include third party implementations (such as Google Analytics), affiliates, customers, publicly available sources, resellers, partners, vendors, suppliers, data brokers, service providers and so on.
You must of course list specifically who these sources are, not just say that “you collect PI”.
How do you use PI?
The purpose for your PI collection is another important CCPA privacy policy requirement for you to disclose to your consumers. For which purposes do you collect personal information from California residents? What are the specific business purposes for which you collect and use PI?
Tell your Californian users why you collect their personal information, and what you intend to use it for.
Common purposes for PI collection include:
- To operate, manage and maintain your business,
- To provide the consumer with a service or product,
- For product development,
- To personalize your business’s marketing,
- For website analytics.
Additionally, consumers have the right to be informed every time a business begins collecting new forms of personal information, or begins collecting personal information for new purposes.
Try Cookiebot CMP for free today to uncover how your website collects and shares PI
Who do you share PI with?
A very important CCPA privacy policy requirement is to disclose to your consumers with which third parties you share, or to which third parties you sell, their PI.
Do you share personal information with Google or Facebook or other third parties through plugins and cookies on your website? You need to tell your Californian users about this.

If you don’t know what third party cookies and trackers your website harbors, try Cookiebot CMP for free today.
Not only do you have to disclose all third parties with whom you share or sell personal information in your CCPA privacy notice, you must also feature a Do Not Sell My Personal Information link on your website.

This CCPA mandatory link will enable consumers to exercise their perhaps most famous CCPA right: the right to opt out of having their personal information sold to third parties.
What PI have you sold in the last 12 months?
Additionally, you have to disclose to consumers what categories of PI your business has sold to third parties in the last 12 months.
Selling has a broad definition in the CCPA that includes disclosure and sharing in exchange for money or other things of value.
To be on the safe side, a list of the PI you have sold in the last 12 months should include the categories of PI that you have disclosed to third parties, e.g. through third-party cookies on your website.
You will need to deep-scan your website in order to know all third-party cookies and trackers that are embedded on it.
A 2020 study on website tracking shows the unsettling reality of third-party tracking:
- 72% of cookies are set by fourth parties that are secretly loaded by third-party cookies, i.e. trojan horses.
- 18% of cookies are from fifth or further parties, i.e. deeper trojan horses.
- 50% of trojan horses secretly loaded by third-party cookies will change between repeated visits.
Try Cookiebot CMP deep-scanning technology today to uncover all cookies and similar trackers on your website.
CCPA privacy policy template
After a long breakdown of all the requirements, you might be wondering what your CCPA privacy policy is going to look like on your website. You might be tempted to go search for CCPA privacy notice templates. But before you do, here is a word of caution.
Relying on a CCPA privacy policy template for your website’s notice is not without problems. A simple copy-paste would be disastrous for your level of compliance, since you must inform Californian consumers of your particular PI collection scheme.
If you have a privacy policy on your website already, it’s important that you take the time to update it with all the mandatory content you’ve read about in this article, in order to ensure CCPA compliance.
If you don’t have a privacy policy on your website yet, then this is an excellent time to write one out and to make sure that you do it in a CCPA compliant way.
If you feel like you need help with how to set the whole thing up, then take a look at IAPP’s sample CCPA privacy notice templates. They include CCPA privacy policy templates from companies like Horne, Indio and Termsfeed.
But remember, don’t copy-paste.
FAQ
What is the CCPA?
The California Consumer Privacy Act (CCPA) is a data privacy law that governs the personal information of California residents and how businesses are allowed to collect, share and sell it. The CCPA empowers California residents with a set of rights over their own personal information, such as the right to opt out of third-party data sales and the right to have collected PI deleted. The CCPA also sets out specific rules for how businesses are allowed to handle the personal information of California residents.
How to comply with CCPA?
A CCPA compliant privacy policy must inform consumers of what kinds of personal information the business collects, including the specific purposes of collection and sources for each category of personal information. A CCPA privacy policy must also inform consumers of what kinds of personal information the business has sold to third parties in the last 12 months. A CCPA privacy policy must be updated annually and be easily accessible from the website’s front page.
Who needs to comply with the CCPA?
The CCPA defines a business as a company that meets at least one of the three following thresholds: 1) has annual gross revenue exceeding $25 million, 2) derives 50% or more of its annual revenue from selling the personal information of California residents, or 3) buys, receives, sells or shares the personal information of 50,000 or more California residents annually. A company doesn’t have to be based in California to be liable under the CCPA – if a company in Texas or Europe meets any of the three thresholds above, it must live up to the CCPA requirements for compliance.
What rights do California residents have under the CCPA?
The CCPA empowers California residents with the following rights: the right to opt out of having their personal information sold to third parties, the right to be informed of data collection, sharing and selling, the right to disclosure of what kind of personal information has been collected on them, the right to have already collected data deleted, and the right to equal services and prices regardless of whether they choose to exercise any of these rights.