All businesses subject to the California Consumer Privacy Act (CCPA) will need to have privacy policies that comply with the CCPA, regardless of whether they conduct business in person, online, or through mobile apps, and will need to update those policies at least every 12 months. The CCPA regulations proposed by the California attorney general on October 10, 2019, clarify and expand upon the requirements for privacy policies. This article explains those requirements and provides best practices for privacy policies.
In addition to CalOPPA and related guidance from the California attorney general, privacy policies should take into account guidance and enforcement actions of the Federal Trade Commission interpreting Section 5 of the Federal Trade Commission Act, which regulates “unfair or deceptive acts or practices.”
Under the CCPA, as of January 1, 2020, covered businesses must disclose in online privacy policies and in any California-specific description of consumers’ privacy rights several additional categories of information, including information regarding consumers’ rights to know, delete, and opt out, and how consumers can exercise those rights. The proposed regulations make clear that privacy policies must describe a business’s practices with respect to both online and offline collection, use, disclosure, and sale of personal information. Those policies must also be available in an offline/in-person environment where a business conducts substantial business in such a setting.
Like all notices required under the CCPA, privacy policies must:
Privacy policies must explain the following consumer rights under the CCPA:
The California attorney general issued proposed regulations for the CCPA on October 10, 2019. The proposed regulations are pending public comment through December 6, 2019. As part of the rulemaking process, the California attorney general will then decide whether any modifications should be made to the proposed regulations before they become final. In the meantime, the proposed regulations provide useful guidance as businesses prepare for and comply with the CCPA, which takes effect on January 1, 2020.
The Morgan Lewis privacy team is providing practical privacy advice to more than 100 businesses on compliance with the CCPA, the newly proposed regulations, and how to accept requests. If you have any questions or would like more information, please contact any of the following Morgan Lewis lawyers:
In general, the CCPA applies to for-profit organizations or legal entities that do business in California, collect California consumers’ personal information (directly or indirectly), and determine the purposes and means of processing of consumers’ personal information (alone or jointly with others), and that also satisfy one of three annual thresholds: (1) $25 million gross revenue, (2) 50,000-person data volume, or (3) 50% of revenues from sale of personal information. Covered entities include those that control or are controlled by a business with which they share common branding. See the Morgan Lewis CCPA Checklist for more details on whether the CCPA applies to a given business.