Is a Privacy Policy Enough to be CCPA Compliant?


A business’s privacy policy is the most conspicuous expression of its compliance with the California Consumer Privacy Act (CCPA). This leads to a common misconception among executives and managers, commonly stated in this way: “My company has a privacy policy posted online, so we are already CCPA compliant.” While the privacy policy is certainly important, it is far from being the only component of CCPA compliance.

What the CCPA aims to do, along with other data privacy laws like the European Union’s General Data Protection Regulation (GDPR), is change how businesses think about personal data and give Californians more control over their information. A privacy policy is just one part of this effort. We’ll discuss what it takes to create a compliant privacy policy and what might be missing from your business’s CCPA strategy if it focuses exclusively on this aspect.

What Goes Into a CCPA Privacy Policy

A business’s first responsibility to California residents under the privacy law is to disclose what kind of personal information the business collects, how and why it uses that information, and what privacy rights the consumer has. This is the essence of what a privacy policy, also called a privacy notice, does for the business if it follows all of the requirements. It is tempting to take the company’s existing privacy policy, make a few tweaks, and call that CCPA compliance. However, it is very likely that such a policy would be missing key information and therefore not be CCPA compliant.

The CCPA addendum to a privacy policy should be in plain, non-technical language and be reasonably accessible to consumers with disabilities, following recognized industry standards such as the Web Content Accessibility Guidelines version 2.1. It must cover each of the following points:

  • Consumers’ privacy rights under the CCPA: right to know, right to opt out, right to delete, and right to non-discrimination
  • What personal information you collect from consumers, from what sources, and for what business purpose
  • What personal information you disclose to service providers and third parties, along with the categories of outside parties you share it with
  • What personal information you sell to third parties and what categories of third parties you sell to
  • Clear instructions for submitting privacy requests
  • At least two methods for consumers to submit privacy requests. Of these, at least one method must relate to the business’s normal way of interacting with consumers. For example, an online store must provide at least one online method.

Once the CCPA addendum is completed, it must be posted at or before any point of collection. For example, if a business collects a consumer’s email address to send them promotions, it must include a link to its privacy policy near this point of data collection.

Additional Notices

There are a number of other notices a business may be required to include in its privacy policy, depending on its practices.

Employee and Job Applicant Notices

Many businesses don’t realize that the CCPA even covers internal data collection from employees and job applicants. While these consumers don’t have the right to submit privacy requests, such as a request to delete, businesses still must inform them as to what personal information is being collected and why. Employers must give this notice at or before the point of collection, generally in the job application or employment agreement.

“Do Not Sell My Personal Information” Page

If a business sells consumers’ personal information to third parties, it must provide an additional notice to consumers either in the main privacy policy or as its own page. This notice must tell consumers:

  • What personal information is being sold
  • How to opt out of the sale of their personal information

The business must also post a clear and conspicuous “Do Not Sell My Personal Information” link on its homepage that sends consumers to this notice.

Notices Regarding Consumers Under the Age of 16

There are special rules for the sale of personal information from consumers who are under the age of 16. If your business has knowledge that it sells the personal information of minors, it must provide a way to obtain their (or their guardian’s) affirmative consent before doing so. The process for obtaining this consent must be described in the privacy policy.

Notice of Financial Incentive

While businesses cannot discriminate against consumers for exercising their CCPA rights, they can offer financial incentives to consumers for opting in to the use and sale of their personal information. They can also charge a different price to consumers who opt out, if the difference in price is related to the value provided to the business by that consumer’s personal information. If businesses engage in either of these practices, they must explain it in their privacy policy.

High Volumes of Personal Information

If a business buys, receives, sells, or shares for commercial purposes the personal information of 10 million or more California residents per year, it must compile and disclose additional information in its privacy policy. It must report how many privacy requests it received in the previous year, as well as how many of those requests were denied, complied with in part, and complied with in whole. These businesses must also disclose the median number of days they took to respond to requests.

Beyond the Privacy Policy

When it comes to CCPA compliance, changing the company privacy policy is just what’s visible to the consumer. There is a lot of work and preparation that goes into compliance beyond the privacy policy.

Here are the most important tasks that businesses must take care of to become CCPA compliant.

Data Mapping

Before a business can craft an accurate privacy policy, it should first create a detailed data map. A data map identifies personal-information collection points, where the data is stored, and any disclosures of personal information to outside parties (including credit card payment processors, email marketing vendors, etc.). This is where most of the work for CCPA compliance is done. The privacy policy itself is more like a report card that follows this in-depth analysis.

Part of the reason the data map takes so much effort to create is that most businesses significantly underestimate how much “personal information” they collect, as defined by the CCPA. It’s not just the obvious categories like names, email addresses, Social Security numbers, and other identifiers; it’s any information reasonably capable of being associated with a particular consumer. Personal information includes IP addresses, geolocation data, interactions with the business’s web pages, and much more.

When new data collection points are identified, you must trace where this information goes, categorize its purpose, and determine whether any of it is transferred outside of the business. If the information does go to an outside party, this requires another level of scrutiny as to whether the transfer qualifies as a sale or not.

Allowing Consumers to Opt Out

Under the CCPA, if a business sells consumers’ personal information, it has additional responsibilities. It must disclose this fact in its privacy policy, provide methods for submitting requests to opt out, and include a “Do Not Sell My Personal Information” link on its homepage. It’s common for business leaders to see these requirements, then quickly determine that they do not sell anyone’s personal information without first investigating what the CCPA means by “selling.”

The CCPA’s definition of selling personal information goes well beyond trading consumer data for money; it also covers the disclosure of personal information for any kind of “valuable consideration.” Most importantly, this includes the use of interest-based advertising services, a.k.a. retargeting, from platforms like Facebook and Google. For example, if a consumer places an item in their online shopping cart but then leaves your site, using a third-party service to target the consumer with personalized ads for that product is considered a sale of personal information, and the CCPA applies.

This is a very common and effective marketing tool for online businesses, but it doesn’t fit into most people’s understanding of what a sale is, so it is easily overlooked. If your company uses interest-based advertising, it will have to comply with the CCPA’s rules regarding consumers’ right to opt out, or else stop using those services.

Classifying Vendors

One of the most complicated tasks in becoming CCPA compliant is classifying vendors, i.e., deciding whether or not they qualify as “service providers.” It is a critically important step—disclosing consumers’ personal information to a service provider is not considered a sale of personal information, and therefore not covered by the right to opt out.

The classification is complicated because the CCPA’s definition of service providers includes specific contract requirements. Unless the vendor contract expressly prohibits the vendor from using, maintaining, or disclosing consumers’ personal information except as needed to provide their service, that vendor is not a service provider. This means businesses must go over each vendor contract with a fine-tooth comb to see if it meets the CCPA’s requirements.

If the vendor does not qualify as a service provider, the business then has to make a determination as to whether any transfer of personal information needs to be considered a sale.

Responding to CCPA Requests

Making the necessary disclosures to consumers is only one half of CCPA compliance; businesses must also respond to privacy requests, and do so in a timely manner. To respond to these consumer requests, businesses must have a comprehensive understanding of their own data privacy practices.

There are currently four types of requests in the CCPA:

  • Requests to know what categories of personal information have been collected
  • Requests to know what specific pieces of personal information have been collected
  • Requests to delete personal information
  • Requests to opt out of the sale of their personal information

The California Privacy Rights Act (CPRA) adds two more:

  • Requests to correct inaccurate personal information
  • Requests to limit use and disclosure of sensitive personal information

All of these requests have their own rules and exceptions that businesses should understand and have policies for before receiving an actual request. For example, opt-out requests don’t apply to disclosures of personal information to service providers, and requests to delete can be fulfilled by deidentifying or aggregating the data. Furthermore, different types of requests have different verification requirements that must be met.

Because of these complexities, privacy requests should not be handled on an ad hoc basis. Preparing in advance by creating an accurate data map and clear policies for staff to follow makes it easier for businesses to fully comply with their obligations without making mistakes such as deleting information unnecessarily.

How to Become Fully CCPA Compliant

Becoming CCPA compliant is a major project that requires more than simply posting a privacy notice. Each solution must be custom-tailored to the individual business and its data practices. Skipping over important steps like data mapping is likely to result in non-compliance, and possibly expensive penalties.

That doesn’t mean that CCPA compliance has to be a major expense. TrueVault Polaris software automates time-consuming tasks, guiding businesses step-by-step to full compliance at a fraction of the cost of hiring a law firm or consultant. Contact our team today to learn more.
