Takeaways

New California rights and how to exercise them must be disclosed.
Expanded disclosures: categories of information collected, sources of information, categories of information sold and shared for business purposes.
The updated policy must be posted by January 1, 2020, and refreshed annually.

The California Consumer Privacy Act of 2018 (CCPA) goes into effect on January 1, 2020. By this date, all covered businesses interacting with California consumers must update their online privacy policy. The Act grants “consumers” (any California resident regardless of whether there is a customer or any other relationship with the covered business) five new rights respecting their personal information.[i]

  1. The right to request disclosure of the business’s data collection and sales practices in connection with the requesting consumer, including the categories of personal information the business has collected, the sources of that information, the business’s use of it and, if the information was disclosed or sold to third parties, the categories of personal information disclosed or sold and the categories of third parties to whom it was disclosed or sold;
  2. The right to request a copy of the specific personal information collected about them during the 12 months before their request (together with right #1, a “personal information request”);
  3. The right to have such information deleted (with exceptions);
  4. The right to request that their personal information not be sold to third parties, if applicable; and
  5. The right not to be discriminated against because they exercised any of the new rights.

Starting January 1, 2020, the CCPA requires covered businesses to add these disclosures to their public-facing privacy policies, on top of the disclosures already required by current law, and to update them annually.

Existing law, the California Online Privacy Protection Act (Bus. & Prof. Code § 22575) (OPPA), requires the operator of a commercial website or online service that collects personally identifiable information about a California consumer to post a privacy policy that (i) identifies the categories of personally identifiable information it collects and the categories of third parties with whom it shares such information, (ii) describes how a site visitor can access and change information previously submitted, (iii) describes how the operator notifies consumers of changes to the privacy policy, (iv) identifies the effective date of the policy, (v) describes how the operator responds to do-not-track signals from a user’s browser and (vi) discloses whether it permits third parties to collect information about site visitors’ online activities over time and across other websites. For purposes of that statute, “personally identifiable information” means individually identifiable information about a consumer, including name, physical or email address, telephone number, social security number, any other identifier that permits physical or online contact with the specific individual, and any other information about a user in personally identifiable form in combination with one of the identifiers above. A “consumer” means an individual who seeks or acquires, by purchase or lease, any goods, services, money or credit for personal, family or household purposes.

However, the CCPA broadens the definition of “consumer” to mean any California resident, and eliminates the restriction of transacting for personal, family or household purposes. It also expands the definition of “personal information” to include any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It provides a non-exclusive list of categories of personal information more expansive than that in the OPPA. Where the OPPA requires disclosures about information collected by an online service or website, the CCPA requires the privacy policy to disclose its practices with respect to information collected online or offline, in any format and from any source.

To comply with the CCPA, the privacy policy must include the following:

  1. A description of the new rights afforded California residents. The description should address all of the above new rights. It should also indicate that the consumer may only make a personal information request twice in a 12-month period, that the business will need to collect information from the requesting party so that it can verify their identity, and that the business will respond within 45 days of receiving a personal information request.
  2. A description of the methods for submitting a personal information or erasure request. The business is required to provide at least two channels for receiving such requests, which must include, at a minimum, a web page and a toll-free telephone number. This section of the privacy policy should also describe the process for making a request through either channel. A link to the web page is recommended.
  3. A link to an opt-out page on the website. If a business provides access to or discloses personal information to a third party for monetary or other valuable consideration (a “sale” for purposes of the CCPA), then it must also provide a link, titled “Do Not Sell My Personal Information,” to a web page where the consumer can opt out of having his or her information sold. Note that the link must also appear in the footer of the website home page.
  4. A list of all the categories of personal information that have been collected in the past 12 months. This requirement both expands and limits the existing obligation: the OPPA addresses only information collected online, whereas the CCPA addresses information collected in any format from any source, but only information collected during the past 12 months. Because the privacy policy must be updated annually under the CCPA, its description of the information collected should make clear that the listed categories were collected in the 12 months prior to the current annual effective date of the policy. The CCPA definition of personal information enumerates eleven categories of personal information, which can be used for this disclosure; in responses to personal information requests, those enumerated categories must be used. The CCPA categories are: identifiers (such as contact information, government IDs, cookies, etc.), information protected against security breaches (such as name together with a financial account number, driver’s license, social security number, user name and password, or health/medical information), protected classification information (such as race, gender, ethnicity, etc.), commercial information, Internet/electronic activity, geolocation, audio/video data, professional or employment-related information, education information, biometrics, and inferences drawn from the foregoing.
  5. The sources of each category of personal information. For each category of personal information that is identified, the business must also identify the sources of such information. This may be the individual submitting the information, a third party from whom the business receives the information, or the business observing activities and recording the information, such as through the use of cookies.
  6. All of the purposes for using each category of collected information. The CCPA requires that every purpose for which each category of information is used be disclosed in the privacy policy. If information is later to be used for additional purposes, a new notice must be provided, so the business should identify in advance all the reasons it uses the information. Note that when responding to requests for disclosure of personal information collected, the business is also required to state the business or commercial purposes for which the information was collected.
  7. A list of the categories of personal information sold in the past 12 months. If a business engages in transactions that qualify as a “sale” under the CCPA’s broad definition, it is required to list the categories of personal information that it has sold in the past 12 months. Although the business does not have to list the categories of third parties receiving the information in the privacy policy, it is required to do so in responding to a consumer request.
  8. A list of the categories of personal information disclosed for a business purpose in the past 12 months. The privacy policy must list the categories of personal information that the business has disclosed for a business purpose in the past 12 months. The CCPA defines a “business purpose” as:
  • Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with laws and other standards;
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity;
  • Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business;
  • Debugging to identify and repair errors that impair existing intended functionality;
  • Short-term, transient use, provided the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction;
  • Undertaking internal research for technological development and demonstration; and
  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.

Finally, as mentioned above, the privacy policy must be updated annually. This effort requires an annual review of the business’s information collection, use, disclosure and sales practices.

(For more information about CCPA and its ramifications, or for information about properly creating and orchestrating a crisis prevention plan around CCPA requests for information, please contact the authors.)


[i] Note that the CCPA’s requirements do not apply to “medical information” subject to the California Confidentiality of Medical Information Act (CMIA) or to “protected health information” collected by covered entities and business associates under the HIPAA Privacy, Security and Breach Notification Rules. Moreover, providers of health care subject to CMIA and covered entities subject to HIPAA are not covered businesses under the CCPA if they maintain all patient information in the same manner as they maintain “medical information” or “protected health information” subject to CMIA and HIPAA, respectively. The CCPA also exempts information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act or the California Financial Information Privacy Act, among other exemptions. In contrast, the GDPR has no such carve-out for health-related data.