Tuesday, December 31, 2019

CCPA Compliant Privacy Policy


The California Consumer Privacy Act (CCPA) becomes effective tomorrow. It obliges businesses to fully disclose how they treat consumers’ personal information. In particular, the CCPA-compliant Privacy Policy shall contain:

  • Information about the CCPA consumer rights.
  • A link to your “Do Not Sell My Personal Information” page (if you sell the info).
  • A list of the categories, sources and purposes of personal information collected and/or sold over the past 12 months.
  • Your contact information.

Below, I will elaborate on what businesses and types of information are covered, what exemptions are available and how to comply.

Which businesses must comply?

The CCPA applies to a business that:

  • has annual gross revenues in excess of $25 million, adjusted for inflation;
  • annually buys, receives for a commercial purpose, sells or shares the personal information of 50,000 or more consumers, households or devices; or
  • derives 50 percent or more of its annual revenues from selling consumers’ personal information.

What personal information is covered?

The CCPA defines “personal information” more broadly than the GDPR. “Personal information” under the CCPA means "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." The following list is not exhaustive, and if you collect even one item from it, then you are dealing with personal information as far as the CCPA is concerned:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
  • Characteristics of protected classifications under California or federal law.
  • Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  • Biometric information.
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
  • Geolocation data.
  • Audio, electronic, visual, thermal, olfactory, or similar information.
  • Professional or employment-related information.
  • Education information.

What information is exempt?

Certain types of information are not considered personal:

  • Publicly available information.
  • Deidentified information. Information that cannot reasonably identify, relate to, describe, be capable of being associated with or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information (i) has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain, (ii) has implemented business processes that specifically prohibit reidentification of the information, (iii) has implemented business processes to prevent inadvertent release of deidentified information, and (iv) makes no attempt to reidentify the information.
  • Aggregate consumer information. It is data that relates to a group or category of consumers, from which individual consumer identities have been removed, and that is not linked or reasonably linkable to any consumer or household.

How to comply?

If your business falls under the CCPA, you must have a conspicuous link to the Privacy Policy that is updated not less than once every 12 months. It also must inform California users of their rights to:

  • request disclosure of information collected and sold. A business must provide the requested information, its sources and purposes of use, in a portable and easily accessible format within 45 days of the request.
  • nondiscrimination relating to users who exercise CCPA rights. You must inform consumers that they have the right not to be discriminated against for having exercised their rights under the CCPA. This means you cannot deny goods or services, charge different prices, or provide a different quality of goods or services to consumers who invoke the CCPA.
  • opt out, along with a separate link to the “Do Not Sell My Personal Information” opt-out page. If you sell consumer information, you must have a web page where consumers can opt out of having their personal information sold. A link to that page must appear on your website's front page and in the Privacy Policy.

Additionally, the Privacy Policy must include a list of the categories (by reference to the CCPA enumerated categories) of personal information the business has collected about users in the preceding 12 months, and two separate lists of categories (by reference to the CCPA enumerated categories) of information the business has (i) sold or (ii) disclosed for a business purpose, each within the preceding 12 months or, if the business has not done so, a statement disclosing that fact.