CCPA privacy notice requirements
Two additional notices – the notice of financial incentive and the notice of right to opt out – are conditional. They’re required only if a business is providing a financial incentive, or if the business sells personal information.
Point of collection (POC) notice
Businesses that collect consumers’ personal information must inform them, at or before the point of collection, about the categories of personal information to be collected and the purposes for which those categories of information will be used. Subsequent notice must be provided if additional categories of personal information are collected or used for additional purposes.
- It must be included in any California-specific description of consumer’s privacy rights.
- Has annual gross revenues in excess of $25 million, as adjusted pursuant to the law.
- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.
- Derives half or more of its annual revenue from selling consumers’ personal information.
- Use plain, straightforward language and avoid technical or legal jargon.
- Use a readable format, including on smaller screens, if applicable. This can include a table of contents or jump links for easy navigation, expand/collapse features, or links to pages with supplemental information.
- Make the policy available in the languages in which the business provides contracts, disclaimers, sale announcements, and other information to consumers in California.
- Make the policy reasonably accessible to consumers with disabilities.
- Make the policy in a format that allows a consumer to print it out as a document.
CCPA privacy policies should include:
- A description of California consumer privacy rights, including:
- The right to know (request disclosure of) personal information collected or sold.
- The right to deletion of personal information collected from the consumer.
- The right to nondiscriminatory treatment for exercising any rights.
- The right to opt out of the sale of personal information (if applicable).
- The right to opt in to the sale of personal information of minors (if applicable).
- An explanation of designated methods for exercising consumer rights.
- Instructions for submitting a verifiable consumer request.
- A description of the process used to verify consumer requests.
- Instructions on how an authorized agent can make a request on a consumer’s behalf.
- A statement of whether the business sells personal information and, if it does, notice of the right to opt out or a “Do Not Sell My Personal Information” link.
- Categories of personal information collected about consumers in the past 12 months.
- Categories of personal information disclosed for a business purpose or sold to third parties in the preceding 12 months.
- Categories of sources from which personal information is collected.
- Categories of third parties to whom personal information was disclosed or sold.
- The business purpose or commercial purpose for collecting or selling personal information.
- A statement of whether the business has actual knowledge that it sells the personal information of minors.
- Monitor developments with the CCPA and related regulations to identify potential regulatory changes.
- Monitor and test the process periodically to set a compliance baseline against which to measure effectiveness.
- Retain the records for at least four years – the statute of limitations likely applicable to CCPA enforcement actions.
A smarter, faster approach to CCPA compliance with Bloomberg Law
As organizations shift their business practices to align with California’s data privacy laws and disclosure obligations, it’s imperative that they have a solid understanding of when those requirements apply and how to comply. Stay ahead of CCPA enforcement and compliance developments with expert analysis, comprehensive coverage, news, and practice tools from Bloomberg Law.
Sign up for your guided Bloomberg Law demo today.