Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps: Part 3 – The Privacy Policy

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps 
Part 3 of a Series

 The Privacy Policy

This is the third in a series of articles on complying with the California Consumer Privacy Act (CCPA). The CCPA is estimated to directly impact more than 500,000 businesses, many of them smaller and mid-size businesses; even more companies that are not specifically subject to the CCPA will need to comply to do business with those that are.

The CCPA says that California residents, including minors, have the right to know if their personal data is being collected, and to whom the data is being sold, and with whom it is being shared. Armed with that knowledge, California residents have the further right to object to the sale of their data and to have their data deleted. In short, California consumers now own their personal information and have real control over it. It is important to note that personal data includes almost any data that can identify an individual, not just financial data.

Complying with the detailed requirements of the CCPA — including disclosure and notice procedures, opt-out rights, updating privacy policies, and revising vendor agreements — is daunting. In our first article, we highlighted the importance of the data map. In our second article, we covered breach response.

In this post, we’ll review the changes companies need to be making to their privacy policies in order to comply with the CCPA. The Act mandates that any company subject to the CCPA make specific public disclosures, including:

  • The categories of personal information collected about the consumer;
  • The sources from which that information is collected;
  • The commercial or business purpose for which the personal information is collected;
  • The categories of third parties the information will be shared with; and
  • Specific pieces of personal information collected about the consumer.

In addition, companies must provide consumers with a description of their rights under the CCPA as described above. The CCPA specifically prohibits businesses from collecting additional categories of personal information and then using those new categories for other purposes, unless the collection or use is disclosed on the company’s privacy statement.

In addition, if a company sells or discloses a consumer’s personal information to third parties, the privacy policy must disclose the category or categories of consumer personal information the entity has sold or disclosed to a third party for business purposes during the preceding 12 months, as well as the categories of third parties to whom the personal information was sold.

The policy must include a clause notifying consumers of their right to opt out of having their personal information sold or disclosed to third parties. If the business has not sold or disclosed consumers’ personal information to a third party in the preceding 12 months, the privacy policy must reflect this fact.

Many companies have had a “write it and file it” approach to privacy policies. That approach was never effective, and is now contrary to California law. The CCPA requires companies to review and update their policies annually, something privacy-conscious companies have been doing all along.

We’ve been working with companies to update their policies in advance of the Jan. 1, 2020, effective date, and have developed some tips that make for stronger policies and more efficient workflow.

  1. Presentation is Important
    Privacy policies have become longer and more complicated as more and more issues are addressed – cookies, opt-in and opt-out rights, GDPR compliance, and so on. The requirements in the CCPA might encourage companies to write their privacy policy in an “a la carte” format, rather than one long cumbersome document. Make it as easy as possible for consumers to quickly find exactly what they want to know. When addressing this online, start with a short introduction, and then include 5-8 links to relevant topics. Have separate links for your cookie policy, privacy concerns for children, how you use and handle consumers’ data, etc. Any privacy policy contains a lot of moving parts. Segmenting it in this way also makes it easier to update.
  1. User-Friendly Policies, Please
    Much of the criticism of (and regulatory actions against) companies is due to the fact that their privacy policies are unreadable. Consider using short sentences and accessible, jargon-free language. Make sure your policy and statement are easily searchable and avoid broad statements. The privacy policy is not just a legal document; it is an important consumer-facing message.
  1. Consider a Q&A format or FAQs
    More than ever, consumers are comfortable navigating online information via Q&As and FAQs (frequently asked questions). Think about how consumers search for data online generally. It’s often in the form of a question, such as “where is my personal data stored?” Understand that users will have questions about not just “data,” but biometric information, geolocation data, photos, voice messages, phone conversations recorded for quality control purposes, etc.
  1. Run Your Table-Top Exercises with Real Users
    Test your policy with users who are not part of your legal, compliance, IT and marketing teams. Is it understandable and easily navigable? Is the opt-out easy to find and use? What is your online form for letting consumers know what information has been collected about them? Is that report comprehensible? Consider whether you will need a consumer information ombudsperson to handle complaints or issues when they arise. Make sure you are ready, internally and externally, for when this goes live.
  1. Test Your Vertical
    Now that you’ve written a privacy policy that complies with CCPA, you have to make sure the people in your organization are actually doing what you are telling consumers. There will be regulators and plaintiffs attorneys looking to swoop in and nab those whose policies or acts fail to comply with the law. Companies need to be hyper-focused that their practices and procedures match the message they’ve crafted for consumers, or they will face not only violations of the act, but risk additional charges of making false statements. Make sure compliance and disclosure aren’t siloed, but are integrated throughout the appropriate departments.

This can be an expensive process. Smaller companies will undoubtedly struggle with compliance. Even though lawmakers are still tinkering around the edges of the legislation, it’s important to get started now, both on the actual work, and fostering a consumer-centric, rather than company-centered, approach to privacy.

Read our other blogs in this series on Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps:

 Part 1 – the Data Map
 Part 2 – the Breach Response Plan
Part 4 – Verified Requests for Data
Part 5 – Consumer Rights

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.