CCPA RESOURCES CENTER › CCPA COMPLIANCE CHECKLIST
CCPA Compliance: Privacy Policy and Notices Checklist
Privacy Policy and Notices
Creating a CCPA-compliant privacy policy and other required notices will take advantage of all the work you’ve done in the previous steps, effectively translating your data map into a public document. Use the following checklist to make sure your privacy notices meet the CCPA’s requirements.
- Update current privacy policy
Most businesses already have a privacy policy; this is a good time to make any necessary updates based on your CCPA preparations.
- Create a CCPA addendum
This will be an addition to your business’s current policy, with everything needed to meet the CCPA’s notice requirements.
- Inform consumers of their CCPA privacy rights
Consumers have a right to know, right to delete, right to opt out, and right to non-discrimination.
- Instructions on how to make a verifiable request
Different requests must be verified to different degrees based on the personal information involved. The CCPA addendum should cover these verification procedures.
- Inform consumers they can make requests through an agent
Consumers may make privacy requests through an authorized agent, though the business may also need to verify their permission to act on the consumer’s behalf.
- What personal information is collected, from what source, and for what purposes
Refer to your business's data map.
- What sensitive personal information is collected, for what purposes, and whether it sold or shared
Refer to your business's data map.
- What personal information is disclosed to third parties, contractors, and service providers, as well as the categories of those parties
Refer to your business's data map.
- How long your business intends to retain each category of personal information
Your business will need to create a data retention policy.
- What personal information is sold to or shared with third parties, and the categories of such third parties
Refer to your business's data map.
- At least two methods for contacting the business and making privacy requests
These contact methods should reflect the means by which a business normally interacts with consumers. For example, a business that mostly interacts with consumers online must provide at least one online contact method.
- Additional privacy notices
- Employees and job applicants
Employees and job applicants have the same rights as anyone else, so you'll need to include privacy disclosures in application and employment paperwork.
- "Do Not Sell or Share My Personal Information" page
Businesses that sell or share consumers’ personal information must provide a “Do Not Sell or Share My Personal Link” on their homepage which goes to either a separate web page or section of the privacy policy which informs consumers of the selling/sharing practices and their opt-out rights.
- Financial incentives
Though businesses may not discriminate against consumers who exercise their CCPA rights, in some circumstances they may offer financial incentives to consumers for opting in to the sale or sharing of their personal information. If they do so, they must provide an additional notice that covers the details of those incentives.
- High volumes of personal information
Businesses that annually buy, sell, share, or receive the personal information of 10 million or more consumers must compile and disclose additional data in their privacy policy.
- Notices regarding minors under 18
If your business has knowledge that it sells or shares the personal information of consumers under the age of 16, it must make additional disclosures regarding the special rules for obtaining their consent.
- Brick-and-mortar store requirements
If a business collects and uses personal information at its physical store locations, it must disclose this in its online privacy policy, provide a notice at the point of collection, and designate a toll-free number for making CCPA privacy requests.
- Placement at points of collection
Links to the privacy policy should be placed at every point where personal information is collected.
- General principles
- Plain, straightforward language
- Format draws reader's attention to the notice
- Readable on small screens
- Available in languages normally used by business
- Reasonable accessible to users with disabilities
Generate Your Privacy Notices Automatically
Your business’s privacy policy is the most conspicuous expression of CCPA compliance, so it’s important to get it right. TrueVault takes all the necessary information from your business’s data map and instantly generates all the required CCPA privacy notices.
Contact our team to learn how TrueVault can streamline your CCPA compliance.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.