The California Consumer Privacy Act (CCPA) is a landmark data privacy law that gives consumers more control over the personal information businesses collect from them. But for the law to be effective, it’s imperative for businesses to comply with its regulations.
One requirement under the CCPA is to update your website’s privacy policy to include details of the rights afforded by the law, a description of the data access and deletion processes, and a list of all categories of personal information collected, used, and sold by the business, among others. These must be written in plain English and formatted in readable text that’s easy to navigate.
A privacy policy is a written statement that provides information on the online and offline data practices of a business, particularly as they relate to its consumers (i.e. the sources of the data). It describes the collection, use, sale, sharing, or transfer of people’s personal information.
Under the CCPA, personal information refers to any information that identifies, relates to, or in any way links to a California consumer or household. This includes, but is not limited to, basic information, non-commercial data, and insights gathered from user activity and preferences.
A CCPA privacy policy is required to disclose the rights established by the data privacy law and explain how a consumer can exercise their rights under the law. It should be outlined in plain, readable text that is easy to navigate, and it must be linked to visible areas of your website.
Here are the essential parts of a compliant privacy policy:
Your privacy policy must inform consumers of their rights under the CCPA, namely:
Consumers must be given the option to access their data, so your privacy policy should include instructions on how they can perform a CCPA data subject access request. In the same way, under the CCPA right to deletion, it should give consumers a way to delete the personal information collected from them.
This usually means operating a toll-free number or email address that consumers can use to submit data access and deletion requests.
The CCPA requires businesses that give third parties access to consumer data, or sell it to them, to provide a dedicated web page where consumers can opt out of the sale of their personal information.
This page, called the Do Not Sell My Personal Information page, must be linked to both your privacy policy and website homepage.
Your privacy policy must make your data practices transparent, from collection to sale. It must list all categories of personal information collected, the sources of these data, and the purpose for collecting them.
Your privacy policy should also disclose how and to whom personal information is shared, exchanged, transferred, or sold, especially if it’s done for profit.
All businesses that do business in California or with California consumers must comply with the CCPA and, consequently, create or update their privacy policy according to the requirements of the law.
Although not all businesses fall under the jurisdiction of the CCPA, businesses are encouraged to adopt the law in their data practices. With other data privacy laws such as the General Data Protection Regulation (GDPR) already in place, it won’t be long until more local and international markets work to secure consumers’ rights to their data privacy.
The CCPA requires your website’s privacy policy to include the provisions of this legislation so that consumers are informed of the control they now have over their personal information. Visitors to your website must also be given any necessary instructions on how to avail themselves of those rights.