Privacy Policy Requirements

Morgan Lewis Practical Advice on Privacy: Guide to the CCPA

November 13, 2019

All businesses subject to the California Consumer Privacy Act (CCPA) will need to have privacy policies that comply with the CCPA, regardless of whether they conduct business in person, online, or through mobile apps, and will need to update those policies at least every 12 months. The CCPA regulations proposed by the California attorney general on October 10, 2019, clarify and expand upon the requirements for privacy policies. This article explains those requirements and provides best practices for privacy policies.

General Rules for Privacy Policies

Prior to the enactment of the CCPA, California law only required that commercial websites and online service operators (including services provided via mobile apps) post privacy policies addressing the collection and use of certain categories of information about consumers.[1] Under Section 22575 of the California Business and Professions Code, known as the California Online Privacy Protection Act (CalOPPA), a privacy policy must cover six topics: (1) identity of the categories of personally identifiable information collected, and the categories of third parties with whom the personally identifiable information might be shared; (2) the process by which consumers may review and make changes to personally identifiable information collected by the business, if the business has such a process; (3) the process by which the business will notify users of material changes to the policy; (4) the effective date; (5) how the business responds to “Do Not Track” signals or similar mechanisms that track consumers’ online activities; and (6) whether other parties may collect personally identifiable information about users over time and across different sites.

In addition to CalOPPA and related guidance from the California attorney general, privacy policies should take into account guidance and enforcement actions of the Federal Trade Commission interpreting Section 5 of the Federal Trade Commission Act, which regulates “unfair or deceptive acts or practices.”

Under the CCPA, as of January 1, 2020, covered businesses[2] must disclose in online privacy policies and in any California-specific description of consumers’ privacy rights several additional categories of information, including information regarding consumers’ rights to know, delete, and opt out, and how consumers can exercise those rights.[3] The proposed regulations make clear that privacy policies must describe a business’s practices with respect to both online and offline collection, use, disclosure, and sale of personal information.[4] Those policies must also be available in an offline/in-person environment where a business conducts substantial business in such a setting.[5]

Privacy Policy Format Requirements

Like all notices required under the CCPA, privacy policies must:

  • use plain language and avoid technical or legal jargon;
  • be readable, including on smaller screens (mobile phones);
  • be available in all languages in which the business ordinarily communicates with its consumers;
  • be accessible to those with disabilities, including to inform persons with disabilities how they may access the policy in an alternative format; and
  • be available in a printable format.

In addition, the privacy policy must be posted online through a conspicuous link using the word “privacy” on the business’s website homepage or the download or landing page of a mobile app.

Privacy Policy Content Requirements

Privacy policies must explain the following consumer rights under the CCPA:[6]

  • Right to Know.[7] The policy must explain that a consumer has the right to request that a business tell the consumer what categories or specific pieces of personal information the business collects, uses, discloses, and sells, and explain how consumers can submit verifiable requests (and how the verification process works). An online policy must include links to online request forms or a portal for making requests. The policy must (1) list the categories of information the business has collected in the preceding 12 months and, for each category, provide the source from which it was collected, the purpose for collection, and the categories of third parties with whom the business shares personal information; (2) state whether the business has disclosed or sold any personal information in the preceding 12 months and, if yes, the categories of information disclosed or sold during that time period; and (3) state whether the business sells personal information of minors under age 16 without affirmative authorization. Providing source, purpose, and third-party sharing information for each category of information is likely to result in a more granular, detailed privacy policy than many businesses currently provide.
  • Right to Delete.[8] The policy must explain that a consumer has the right to request the deletion of the consumer’s personal information, including instructions for submitting a verifiable request (and how the verification process works). An online policy must include links to online request forms or a portal for making requests.
  • Right to Opt Out of Sale.[9] The policy must explain that a consumer has the right to opt out of the sale of the consumer’s personal information. The policy must also include the contents of the right to opt out notice or a link to it via the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link on the website homepage or landing page of a mobile app, as required by Section 999.306(b) of the proposed regulations.
  • Right to Nondiscrimination.[10] The policy must explain that the business cannot discriminate against consumers if they exercise their privacy rights.
  • Authorized Agent.[11] The policy must explain that consumers may designate authorized agents to make requests on their behalf.
  • Contact.[12] The policy must include contact information so that consumers can contact the business to raise questions or concerns about the business’s privacy policy or practices, using a method that the business generally uses for interactions with consumers.
  • Date.[13] As required under existing California law for online privacy policies, the policy must state the date it was last updated.
  • Large Data Sales.[14] Businesses that obtain, sell, or share the personal information of 4 million or more consumers who are California residents must disclose in the privacy policy the metrics they are required to compile under Section 999.317(g)(1) of the proposed regulations. Specifically, these businesses must disclose the number of requests to know, delete, or opt out that the business received for the previous calendar year, and the median number of days it took for the business to respond to such requests.

For businesses that collect or maintain personal information of minors under 16 years of age, the privacy policy must also include the special procedures for opting into the sale of personal information, with different procedures applicable to minors under 13 years old and to minors between 13 and 16 years old.[15] (We will discuss in greater detail the requirements for collecting personal information from minors in a forthcoming Guide to the CCPA article.)

The requirements above supplement the privacy policy requirements in Section 22575 of the Business and Professions Code, and are in addition to the other specific notice requirements required by the CCPA and detailed in the proposed regulations: namely, the notice at collection of personal information,[16] the notice of the right to opt out (including “Do Not Sell My Personal Information” or “Do Not Sell My Info” links),[17] and the notice of financial incentives.[18]

Recommendations and Next Steps

All businesses should identify the types of personal information they collect, use, and share about California consumers, and reconsider whether they have a reasonable business purpose for the collection, use, and sharing of such information. Almost all businesses subject to the CCPA will need to update their privacy policies. Where appropriate, businesses should consider restricting the collection, retention, use, and sharing of personal information with an eye toward reducing their obligations under the CCPA, as well as potential risks and liability. By January 1, 2020, businesses should be prepared to implement procedures for responding to consumer requests to know, delete, or opt out, including verification of those requests, and to explain those procedures in new or revised privacy policies. To the extent a business operates a website or other online service (including through mobile apps), its privacy policy should also comply with the existing requirements of Business and Professions Code Section 22575. Businesses revising their privacy policies should comply with any procedures for amending the policies that are specified in their existing policies. Personnel responsible for handling consumer inquiries about the business’s privacy practices should be trained regarding the CCPA and the governing regulations, and should be able to explain to consumers how they can exercise their rights.

The California attorney general issued proposed regulations for the CCPA on October 10, 2019. The proposed regulations are pending public comment through December 6, 2019. As part of the rulemaking process, the California attorney general will then decide whether any modifications should be made to the proposed regulations before they become final. In the meantime, the proposed regulations provide useful guidance as businesses prepare for and comply with the CCPA, which takes effect on January 1, 2020.

Please visit our CCPA Resource Center for more information and the latest updates.

How We Can Help

The Morgan Lewis privacy team is providing practical privacy advice to more than 100 businesses on compliance with the CCPA, the newly proposed regulations, and how to accept requests. If you have any questions or would like more information, please contact any of the following Morgan Lewis lawyers:

San Francisco
Reece Hirsch
Carla Oakley
Michelle Park Chiu
Kevin Benedicto
Gene Park

Silicon Valley
Mark Krotoski

Los Angeles
Joseph Duffy

Gregory Parks
Ezra Church
Kristin Hadgis
Akbar Hossain
Julian Williams

New York
Martin Hirschprung

Washington, DC
Ronald Del Sesto
Dr. Axel Spies

[1] Cal. Bus. & Prof. Code § 22575.

[2] In general, the CCPA applies to for-profit organizations or legal entities that do business in California, collect California consumers’ personal information (directly or indirectly), and determine the purposes and means of processing consumers’ personal information (alone or jointly with others), and that also satisfy one of three annual thresholds: (1) $25 million gross revenue, (2) 50,000-person data volume, or (3) 50% of revenues from sale of personal information. Covered entities also include those that control, or are controlled by, a business with which they share common branding. See the Morgan Lewis CCPA Checklist for more details on whether the CCPA applies to a given business.

[3] Cal. Civil Code § 1798.130(5).

[4] CCPA Proposed Regulations, 11 C.C.R. §§ 999.300, 999.308(a)(1).

[5] Cal. Civil Code § 1798.130(5).

[6] 11 C.C.R. § 999.308(b).

[7] 11 C.C.R. § 999.308(b)(1).

[8] 11 C.C.R. § 999.308(b)(2).

[9] 11 C.C.R. § 999.308(b)(3).

[10] 11 C.C.R. § 999.308(b)(4).

[11] 11 C.C.R. § 999.308(b)(5).

[12] 11 C.C.R. § 999.308(b)(6).

[13] 11 C.C.R. § 999.308(b)(7).

[14] 11 C.C.R. §§ 999.308(b)(8), 999.317(g)(1).

[15] 11 C.C.R. §§ 999.330-332.

[16] 11 C.C.R. § 999.305.

[17] 11 C.C.R. § 999.306.

[18] 11 C.C.R. § 999.307.