The California Consumer Privacy Act (CCPA) is a landmark data privacy law that gives consumers more control over the personal information businesses collect from them. But for the law to be effective, it’s imperative for businesses to comply with its regulations.
One requirement under the CCPA is to update your website’s privacy policy to include details of the rights afforded by the law, a description of the data access and deletion processes, and a list of all categories of personal information collected, used, and sold by the business, among others. These must be written in plain English and formatted in readable text that’s easy to navigate.
What Is A Privacy Policy?
A privacy policy is a written statement that provides information on the online and offline data practices of a business, particularly as they relate to its consumers (i.e. the sources of the data). It describes the collection, use, sale, sharing, or transfer of people’s personal information.
Under the CCPA, personal information refers to any information that identifies, relates to, or in any way links to a California consumer or household. This includes, but is not limited to, basic information, non-commercial data, and insights gathered from user activity and preferences.
What Do I Need To Include In My Privacy Policy?
A CCPA privacy policy is required to disclose the rights established by the data privacy law and explain how a consumer can exercise their rights under the law. It should be outlined in plain, readable text that is easy to navigate, and it must be linked to visible areas of your website.
Here are the essential parts of a compliant privacy policy:
CCPA Consumer Rights
Your privacy policy must inform consumers of their rights under the CCPA, namely:
- the right to know about the personal information a business collects from its customers, uses, and shares
- the right to delete personal information collected by businesses (with some exceptions)
- the right to opt-out of the sale of personal information
- the right to non-discrimination for exercising rights under the CCPA
Requesting Data Access And Deletion
Consumers must be given the option to access their data. So your privacy policy should include instructions on how they can perform a CCPA data subject access request. In the same way, under the CCPA right to deletion, it should give consumers the avenue to delete the personal information collected from them.
These usually mean operating a toll-free number or email address that they can use to submit data access and deletion requests.
“Do Not Sell My Personal Information” Page
The CCPA mandates businesses that give access or sell consumer data to third parties to provide a dedicated web page where consumers can opt out of the sale of their personal information.
This page, called the Do Not Sell My Personal Information page, must be linked to both your privacy policy and website homepage.
Details Of Personal Information Collected, Used, Or Sold
Your privacy policy must make your data practices transparent, from collection to sale. It must list all categories of personal information collected, the sources of these data, and the purpose for collecting them.
Your privacy policy should also disclose how and to whom personal information is shared, exchanged, transferred, or sold, especially if it’s done for profit.
Does My Privacy Policy Need To Comply With The CCPA?
All businesses that do business in California or with California consumers must comply with the CCPA and, consequently, create or update their privacy policy according to the requirements of the law.
Although not all businesses fall under the jurisdiction of the CCPA, businesses are encouraged to adopt the law in their data practices. With other data privacy laws such as the General Data Protection Regulation (GDPR) already in place, it won’t be long until more local and international markets work to secure consumers’ rights to their data privacy.
Conclusion
The CCPA requires your website’s privacy policy to include the provisions of this legislation so that consumers are informed of the control they now have over their personal information. Visitors to your website must also be given any necessary instructions on how to avail themselves of those rights.
