CCPA Explained: Part 4 - Privacy Policy

 Oct 14, 2019 11:00 AM
by Derek Lackey

§ 999.308. Privacy Policy

A Purpose and General Principles
1. to be transparent with your practices regarding the collection, use, disclosure and sale of personal information. The Privacy notice should not use personal information to personalize the message.
2. shall be written in an easy to read format and be understandable to an average consumer.
a) use plain, straightforward language and avoid technical or legal jargon.
b) make it easy to read - including on a mobile device.
c) present it in the languages normally used on your website.
d) make it accessible to consumers with disabilities.
e) make it available in an alternative format so consumers can print it.

3. Post your Privacy Policy online via obvious links. If the business has a California-specific description of the consumers' rights on its website, the Privacy Policy must be included in that description (link). A business with no website should offer the Privacy Policy upon request.

B A business must include:
1. a description of the right to know about personal information being collected, disclosed or sold.
a) explain that you are aware that a consumer has the right to request disclosure of collection, uses, disclosure and sale of their data.
b) be clear about the process for requesting their rights.
c) inform the consumer how you verify it is them.
d) regarding collection of personal information:
1. list the categories collected in the last 12 months.
2. for each category, provide the source where that data was collected. Include the commercial purpose for collecting that data and the categories of third parties it will be shared with. The notice should be in writing in an easy to understand format.
e) Regarding disclosure of the personal information:
1. state whether the data has been disclosed to a third party for business or commercial purposes, in the last 12 months.
2. List the categories shared or sold to third parties in the past 12 months.
3. State your position on selling the personal information of minors under the age of 16 without affirmative authorization.

2. regarding the right to request deletion:
a) make it clear that a consumer has the right to request deletion of their personal information collected or maintained by a business.
b) tell the consumer how to submit a verifiable request to delete, providing links to forms if appropriate.
c) tell the consumer how you will verify their identity upon receiving a request.

3. Regarding the right to opt out of the sale of personal information:
a) clearly explain their right to opt out of the sale of their personal information.
b) include a link to Section 999.306 that explains in detail.

4. regarding the consumer's right to non-discrimination for exercising their privacy rights:
a) explain clearly that a consumer has the right not to receive discriminatory treatment by the business for exercising their privacy rights.

5. Authorized Agents
a) state clearly that a consumer has the right to appoint an authorized agent to make a privacy request on behalf of the consumer.

6. Using a format your business typically uses to communicate with consumers, provide a contact person that a consumer can reach with any questions or concerns about your business's privacy policies and practices.

7. state the date the Privacy Policy was last updated.

8. If subject to the requirements set forth in section 999.317(g) (companies that collect and sell data of more than 4,000,000 consumers), the information compiled in section 999.317(g)(1) (logs of metrics for the previous calendar year) or a link to it.
