A business that is subject to the CCPA will need to update its consumer-facing online privacy policy. At a bare minimum, a privacy policy (and any California-specific privacy disclosure) must disclose:
- A description of a consumer's right to disclosure regarding the personal information ("PI") that the business has collected about the consumer, a consumer's right to disclosure regarding the business's sale of her or his PI, and a consumer's right not to be discriminated against for exercising any rights under the CCPA [Cal. Civ. Code §1798.130(a)(5)(A)];
- Categories of PI collected, sold, or disclosed in the preceding 12 months [Cal. Civ. Code §1798.130(a)(5)(B)&(C)]; and
- Two or more designated methods for submitting consumer requests, including a toll-free number and a website address [Cal. Civ. Code §1798.130(a)(1)].
There are additional disclosure requirements (e.g., consumer's right to deletion) that, while not specifically required for an online privacy policy under Section 130(a)(5), should be included in a comprehensive privacy policy. And there are requirements regarding not only what one must disclose but also how. For instance, information about a consumer's right to disclosure regarding PI collected or sold is to be made "by reference to the enumerated category or categories," which requires a careful reading and proper interpretation of the statute. What is disclosed in the privacy policy must, of course, be consistent with actual business practices, but it also should be consistent with positions the business has taken with respect to other laws, most notably, the GDPR. In other words, it's complicated.
The right regarding the sale of PI (and the corresponding exemptions and opt-out rights) is a particularly important issue, especially for those in the ad tech community. Senate Bill 753 had proposed to provide an exception from "sale" of PI if a business shared or disclosed to another business or third party a unique identifier only to the extent necessary to serve or audit a specific advertisement to the consumer. Met with heavy resistance from consumer advocates, the bill was eventually withdrawn.
In short, having an updated online privacy policy that fully complies with the CCPA is a critical part of any CCPA compliance program. Checking the necessary boxes is a must, but a business should also weave in best practices to mitigate litigation risk.