Privacy Policy Changes Required by California Consumer Privacy Act
Expect businesses to update privacy policies again in 2019 and annually thereafter as part of compliance efforts for the California Consumer Privacy Act. The new CA privacy law requires businesses to change their privacy policy to describe consumer rights in California and provide a link to the opt-out form so consumers can request businesses stop selling their personal information.
Businesses just completed a massive wave of updates for compliance with the European Union General Data Protection Regulation. GDPR required businesses be transparent with users about their rights under the law and the company’s practices with respect to data collection, usage and sharing with third-parties. Thousands of businesses updated their privacy policy in response to it and many emailed consumers to inform them about their new practices. This created a bit of a logjam in email inboxes which was covered by several major media outlets.
Since the California Consumer Privacy Act requires that businesses inform consumers about their new rights, privacy policies will be undergoing another round of updates. However, there is no indication yet that another round of email notifications will occur similar to what happened because of GDPR. The text does not require it, so we will have to wait and see whether it ultimately becomes a best practice to ensure that sufficient disclosure has happened.
Here is what will need to be updated pursuant to the CaCPA requirements:
Businesses are going to need to disclose the consumer’s rights to access, delete, opt out (for adults) and opt in (for kids) under the law. They must also disclose that businesses may not discriminate against consumers unless one of the exceptions in the law is met.
The designated methods for exercising these rights must also be added to business privacy policies. Two or more methods are required for the exercise of the right to access the personal information collected and sold.
Businesses must disclose a list of the categories of personal information it has collected about consumers in the preceding 12 months. Section 1798.100 also requires that businesses disclose at or before the point of collection, the categories of personal information collected and the purposes for which the information will be used. Some businesses may put this notification in the privacy policy, while others with more advanced technology (or Clarip privacy software) will handle it through a just-in-time notice.
A business that sells consumers’ personal information is required by Section 1798.120(b) to provide notice to consumers that personal information may be sold and that they have the right to opt out. Section 1789.135 specifies the form of such a notice.
Businesses need to disclose two separate lists in their privacy policy concerning their third-party data sharing. One list must contain a list of the categories of personal information sold in the preceding 12 months. The other list must contain a list of the categories of personal information disclosed about consumers for a business purpose in the last 12 months. If the business has not sold or disclosed such information in the past 12 months, the business shall make a statement to that effect.
Section 1798.185(a)(6) authorizes the CA Attorney General to establish rules and procedures to ensure that the notices and information provided by businesses are easily understood by the average consumer, accessible to consumers with disabilities, and available in the language primarily used to interact with the consumer. It is too early to say whether they will publish a GLB Act-like template that is universally adopted will be recommended.
If a business has an online privacy policy, they must add a link to a “Do Not Sell My Personal Information” Internet Web page. The link must also be contained in any California-specific description of privacy rights.
Businesses will be required to update their notifications at least once every 12 months. Even if it was not specifically required by law, businesses would likely have to do this anyway because it is going to be important to keep up to date the categories of personal information collected and sold.
To recap:
Businesses need disclosures for:
– California consumers of their rights under the law,
– the categories of personal information collected,
– the business purposes of the personal information collected,
– the categories of personal information sold,
– the methods to exercise their rights,
– the link titled “Do Not Sell My Personal Information” to the form to exercise the right to opt out.
Contact Clarip for Help with Your Privacy Program
The Clarip data privacy software and team are available to help improve privacy practices at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If you are working towards GDPR compliance, we can help through our modular GDPR software. Whether you are starting the process with GDPR data mapping software, need privacy impact assessment software, or looking to meet ePrivacy requirements with cookie consent manager, Clarip can help strengthen your privacy program.
If CCPA compliance in 2020 is on your radar, ask us about our California Consumer Privacy Act software. Improve efficiency of responses to data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with our consent software.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.
Other Blog Posts on the California Consumer Privacy Act:
PWC Survey on CCPA: Enterprise Compliance Expected at 52% by January 1, 2020
California Adopts SB-1121 Amendments to Consumer Privacy Act
SB 1121 to Amend California Consumer Privacy Act Soon
California AG Objects to 5 Sections of CCPA Privacy Law
SB 1121 Won’t Make Substantive Changes to New California Privacy Law
SB 1121 Amendments Kickoff Debate Over California Consumer Privacy Act Changes
Expect AG to Issue California Privacy Regulations in June 2019
Will California’s Privacy Law Extend to the Rest of the Country?
Big Day for California Privacy Law
California to Pass New Privacy Law: CA Consumer Privacy Act