CCPA Tips

As we get closer to July 1, 2020, the date that enforcement of the California Consumer Privacy Act (CCPA) will begin, our team here at Tenrec has created a brief list of pointers to help you bring your website privacy policy in line with this new legislation.


Before we get to our list of tips, here’s a quick refresher on what the CCPA is and who it applies to. The California Consumer Privacy Act is intended to provide California consumers with rights regarding how their personal information is collected and used. The law gives Californians four categories of rights: the Right to Disclosure, the Right to Access, the Right to Deletion, and the Right to Opt Out.

These rights relate to the personal information that might be collected on a consumer by a business. Personal information includes data such as name, address, email address, social security number, IP address, and more.

The CCPA provides detailed requirements dictating how businesses can collect and process personal data, how they must inform customers about their rights regarding collected data, and how they must respond when a customer exercises those rights. The CCPA is the most comprehensive privacy law in the US and we strongly recommend that every business operating in California or serving Californian customers get to know its provisions.  

It is worth noting that the scope of the CCPA is limited. The law only applies to businesses that:

  • make over $25 million a year in gross revenues, or
  • process data on more than 50,000 Californians each year, or
  • earn over 50% of their revenue from selling the personal data of Californians each year

If you don’t meet one of these qualifying criteria, then your business is not impacted by the CCPA.

However, because new data privacy laws are emerging elsewhere — Washington, New York and Virginia, to name a few — we recommend that all businesses understand the CCPA and comply with it to some degree. Adhering to the law’s requirements, even if only partially, will put your business in a better position for complying with forthcoming privacy laws. Additionally, every business should take the privacy of their customers’ data seriously and adhering to the CCPA requirements is a good way to demonstrate that.

Here are our CCPA Privacy Policy Tips:

1. Even if you’re not collecting or sharing customer data, you still need a privacy policy.

Every business that is subject to the jurisdiction of the CCPA is required to have a privacy policy published somewhere on their website. Even if you are not collecting or sharing customer data, you still need to have a privacy policy.

2. You must abide by the data collection purposes you cite in your policy.

In a CCPA-compliant privacy policy, a business will describe the purposes or uses for any personal data that is collected. For example, you might state that you collect customer email addresses in order to send future promotions. Once you have defined these purposes in your privacy policy, you cannot use customer data for a new purpose without first revising and publishing a new privacy policy.

3. Don’t write your privacy policy from scratch.

There is a wide variety of resources online for creating a CCPA privacy policy. (Here’s one.) Search for resources that fit your needs and bookmark the ones you like. Then look through the websites of businesses similar to yours and review their privacy policies.

Then, when you are writing your privacy policy, use these pages as your guide. But don’t copy and paste from other policies. Instead, use their language as a guide and write the policy in your own words.

And always have your policy reviewed by a qualified attorney.

4. Create a separate cookie notice.

It’s not a requirement under the CCPA to have a cookie notice separate from your privacy policy, but it is a requirement under the EU’s privacy law, the GDPR. And it’s a good practice.

A cookie notice is a written policy that describes the cookies that your site creates (in the user’s browser) and the purposes for those cookies. You can learn more about creating a cookie policy here.

5. Add a Last Updated date to your privacy policy.

Under the CCPA’s stipulations, privacy policies and other privacy notices (e.g. cookie notices) must be updated at least once every 12 months. Adding this date to the page will make it easier for you to manage. You should also set a reminder in your calendar to update the policy at least once each year.

6. Add a link to your privacy policy on any form on your website.

The CCPA states that customers need to be informed of their rights at or before the moment that personal data is being collected. Because of this, any web form where a user is being invited to submit personal information should be accompanied by a message such as, “Please review our privacy policy for more on how we collect and use the information submitted by our customers.” That message should be linked directly to the policy.

7. Make sure you provide users with two methods for contacting your business about their rights. 

The CCPA states that businesses must provide two ways for customers to contact the business for data disclosure, access, deletion or opt-out requests. One of those methods should be a toll-free number (see section 1798.130 of the CCPA).

8. Create alternate language versions of your privacy policy.

If your business serves a large number of customers that are non-native English speakers or if your website includes content in other languages, you should publish your privacy policy in those alternate languages. 

9. Save and archive the old versions of your privacy policy and cookie notice.

It is important to maintain previous versions of your privacy policy. Those documents are your record of how your business used customer data in the past and your compliance with the CCPA. The CCPA only requires a 12-month look-back period, but we recommend holding on to your past privacy policies for a period of two to three years.

Please let us know if you have other tips that we should add to this list.

And please contact us if you have questions about complying with the CCPA or would like more help on drafting your privacy policy (or cookie notice). We can be reached at info@tenrec.com or at +1 888-983-6732.

 [Click here to read the CCPA in its entirety.]