CCPA 12-Month Compliance Series Part 4: Update Your Privacy Policy
Perkins on Privacy

CCPA 12-Month Compliance Series Part 4: Update Your Privacy Policy

A business that is subject to the CCPA will need to update its consumer-facing online privacy policy. At a bare minimum, a privacy policy (and any California-specific privacy disclosure) must disclose:

  • A description of a consumer's right to disclosure regarding the personal information ("PI") that the business has collected about the consumer, a consumer's right to disclosure regarding the business's sale of her or his PI, and a consumer's right not to be discriminated against for exercising any rights under the CCPA [Cal. Civ. Code §1798.130(a)(5)(A)];
  • Categories of PI collected, sold, or disclosed in the preceding 12 months [Cal. Civ. Code §1798.130(a)(5)(B)&(C)]; and
  • Two or more designated methods for submitting consumer requests, including a toll-free number and a website address [Cal. Civ. Code §1798.130(a)(1)].
There are additional disclosure requirements (e.g., consumer's right to deletion) that, while not specifically required for an online privacy policy under Section 130(a)(5), should be included in a comprehensive privacy policy. And there are requirements regarding not only what one must disclose but also how. For instance, information about a consumer's right to disclosure regarding PI collected or sold is to be made "by reference to the enumerated category or categories," which requires a careful reading and proper interpretation of the statute. What is disclosed in the privacy policy must, of course, be consistent with actual business practices, but it also should be consistent with positions the business has taken with respect to other laws, most notably, the GDPR. In other words, it's complicated. The right regarding the sale of PI (and the corresponding exemptions and opt-out rights) is a particularly important issue, especially for those in the ad tech community. Senate Bill 753 had proposed to provide an exception from "sale" of PI if a business shared or disclosed to another business or third party a unique identifier only to the extent necessary to serve or audit a specific advertisement to the consumer. Met with heavy resistance from consumer advocates, the bill was eventually withdrawn. In short, having an updated online privacy policy that fully complies with the CCPA is a critical part of any CCPA compliance program. Checking the necessary boxes is a must, but a business should also weave in best practices to mitigate litigation risk.

Print and share

Authors

Profile Picture
Counsel
NAmlani@perkinscoie.com

Notice

Before proceeding, please note: If you are not a current client of Perkins Coie, please do not include any information in this e-mail that you or someone else considers to be of a confidential or secret nature. Perkins Coie has no duty to keep confidential any of the information you provide. Neither the transmission nor receipt of your information is considered a request for legal advice, securing or retaining a lawyer. An attorney-client relationship with Perkins Coie or any lawyer at Perkins Coie is not established until and unless Perkins Coie agrees to such a relationship as memorialized in a separate writing.

310.788.3347

Explore more in

Privacy & Security
Blog series

Perkins on Privacy

Perkins on Privacy keeps you informed about the latest developments in privacy and data security law. Our insights are provided by Perkins Coie's Privacy & Security practice, recognized by Chambers as a leading firm in the field. 
View the blog
© 2025 Perkins Coie LLP