CCPA Privacy Policy Checklist

The California Consumer Privacy Act (CCPA) came into effect on January 1st, 2020. On June 1st, 2020, the California Attorney General will start enforcing the law, issuing warnings and penalties to non-compliant businesses.

Are you ready for the CCPA? Updating your Privacy Policy is a major part of CCPA compliance.

We're going to check off all the sections and components your Privacy Policy needs under the CCPA. We'll take a look at each of the different sections in detail with examples, and a complete checklist is included at the end of the article.


CCPA Frequently Asked Questions

The CCPA requires businesses to provide a lot of information about how they treat California consumers' personal information. That can raise a lot of questions, such as the following.

Does the CCPA Apply to Your Business?

The CCPA will affect many businesses across the world. However, its scope is narrower than many other privacy laws.

The law applies to large businesses and those which trade primarily in personal information.

The CCPA defines a "business" as any for-profit company operating in California that fulfills at least one of the following characteristics:

  1. It raises gross revenues of at least $25 million per year,
  2. It buys, sells, receives (for commercial purposes), and/or shares (for commercial purposes) personal information from at least 50,000 consumers, households, and/or individual devices, or
  3. It earns at least half of its gross revenue per year via the sale of personal information

There's another important requirement: the business must be one "that determines the purposes and means of the processing of personal information." This mirrors the GDPR's definition of a "data controller."

It's likely that your business fits this definition, for example, if you're collecting personal information directly from your customers.

If your company only operates on behalf of other businesses, it may be a "service provider" (known as a "data processor" under the GDPR), and thus exempt from the CCPA.

For more information about this distinction, read our article on data controllers and data processors under the GDPR.

What Counts as "Personal Information" Under the CCPA?

The CCPA defines "personal information" as:

"information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

This covers a vast range of different types of information. The CCPA lists 11 categories of personal information:

  1. Identifiers, e.g., name, username, IP address, email address, etc.
  2. California Customer Records Statute categories of personal information (available here)
  3. Characteristics of protected classifications under California or federal law
  4. Commercial information, including records of personal property, purchases, etc.
  5. Biometric information.
  6. Internet or other electronic network activity information, e.g., browsing history, search history, etc.
  7. Geolocation data
  8. Audio, electronic, visual, thermal, olfactory, or similar information
  9. Professional or employment-related information.
  10. Education information, as defined in the Family Educational Rights and Privacy Act (available here)
  11. Inferences drawn from personal information to create a profile about a consumer

What Counts as "Selling Personal Information?"

The CCPA defines "selling personal information" as:

"selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."

The CCPA does not consider the following things to be acts of "selling" personal information:

  • Disclosing the consumer's personal information to a third party at the consumer's request, or enabling the consumer to actively interact with a third party. In either case, the third party must not sell the personal information.
  • Informing third parties that the consumer has exercised their right to opt out.
  • Disclosing personal information for a business purpose, as long as the recipient business doesn't sell the personal information.
  • Transferring personal information that is an asset as part of a merger, acquisition, or another similar process.

What Counts as "Disclosing Personal Information for Business Purposes?"

Not many businesses "sell" personal information, but most benefit from the sharing of personal information. This can be a subtle distinction, and the CCPA requires transparency here.

The CCPA gives seven categories of activities that count as "business purposes." If you share consumers' personal information with a third party so that they can perform these sorts of activities for you, you must disclose this in your Privacy Policy.

  1. Auditing, including:
    • Counting ad impressions to unique visitors
    • Verifying positioning and quality of ad impressions
    • Compliance with laws/standards
  2. Security, including:
    • Detecting security incidents
    • Protecting against malicious or illegal activity
    • Prosecuting the people responsible for such activities
  3. Debugging to identify and repair errors
  4. Short-term, transient use, as long as the personal information is not (for example):
    • Disclosed to a further third party
    • Used for profiling or ad customization outside of the current transaction
  5. Performing services on behalf of your business, including:
    • Account maintenance
    • Customer service
    • Processing orders
    • Customer verification
    • Payments
    • Financing
    • Advertising
    • Analytics services
  6. Undertaking internal research for technological development and demonstration
  7. Undertaking the following activities, in respect of a service or device that is owned, manufactured, manufactured for, or controlled by the business:
    • Verifying or maintaining its quality or safety
    • Improving, upgrading, or enhancing it

Note that these examples are not exhaustive.

CCPA Consumer Rights

The first part of your CCPA Privacy Policy is dedicated to explaining the CCPA consumer rights.

Your Privacy Policy must inform consumers about at least three consumer rights, namely:

  • The right to access
  • The right to deletion
  • The right to non-discrimination

If you sell personal information, your Privacy Policy must also inform consumers about the right to opt-out of this.

The Right to Access

The right to access lets consumers access general information about the personal information you collect, sell, or share for business purposes. The right to access also lets consumers access copies of the specific pieces of their personal information that you have collected.

The right of access is sometimes called "the right to disclosure," or "the right to access and data portability."

Information About the Right to Access

Your Privacy Policy must explain what information is available under the right to access, which is the following 5 types of information, in respect of the preceding 12-month period:

  1. The categories of personal information you have collected about them
  2. The categories of sources from which you have obtained their personal information
  3. Your business or commercial purposes for collecting personal information
  4. The categories of any third parties with whom you have shared their personal information
  5. The specific pieces of personal information you have collected

Note that you don't actually have to list this specific information in your Privacy Policy. You only have to make consumers aware that they can request it under the right to access.

However, you may wish to list the information required under points 1-4 (above) in your Privacy Policy. Here's how SurveyMonkey does this, neatly providing the information required under points 1, 2, and 4:

SurveyMonkey California Supplemental Privacy Notice: Excerpt of clause with Categories and sources of information collected and shared

If you sell personal information or disclose personal information for a business purpose, you have additional obligations under the right to access. You must also explain to consumers that they can request access to the following information, in respect of the preceding 12-month period:

  • The categories of personal information you have collected about them
  • The categories of any of their personal information that you have sold
  • The categories of any third parties to whom you have sold their personal information
  • The categories of their personal information that you sold to each of the third parties
  • The categories of any of their personal information that you have disclosed for business purposes

You should also inform consumers that, in each case, your company must provide this information:

  • On receipt of a Verifiable Consumer Request
  • Without charge
  • On up to 2 occasions every 12 months
  • In a portable, readily-usable format (e.g., JSON, XML, or CSV)
  • Within 45 days. If reasonably necessary, you can extend this period by an additional 45 days if you notify the consumer

Here's how FICO explains the right to access to consumers:

Fico Privacy Policy: Excerpt of Right to Access Your Personal Information clause

Instructions on How to Exercise the Right to Access

You must set up a process by which consumers can submit a Verifiable Consumer Request to access their personal information. This must include, at a minimum, a toll-free phone number and a webpage.

The California Attorney General is due to release guidance as to what constitutes a Verifiable Consumer Request. Until then, businesses are using their best judgment to find a balance between safeguarding individual privacy and facilitating consumers' requests.

Here's an example from NVA:

NVA Privacy Policy: Exercising Access, Data Portability, and Deletion Rights clause

NVA leaves itself some discretion about what it considers "verifiable," which is reasonable until the Attorney General provides some clear advice for businesses.

The Right to Deletion

The right to deletion enables consumers to request that you delete their personal information under certain conditions.

The right to deletion is sometimes known as "the right to be forgotten."

Information about the Right to Deletion

Your Privacy Policy must make consumers aware of their right to request that you delete their personal information. You should also inform consumers that, in each case, your company must delete their personal information:

  • On receipt of a Verifiable Consumer Request
  • Without charge
  • On up to 2 occasions every 12 months
  • Within 45 days. If reasonably necessary, you can extend this period by an additional 45 days if you notify the consumer.

However, there are many exceptions to the right to deletion, which you should also detail in your Privacy Policy.

You may be able to refuse to delete a consumer's personal information if you need it for one or more of the following purposes:

  1. Contract:
    • To complete the transaction for which you collected the consumer's personal information
    • To provide a product or service that the consumer has requested, or that they would reasonably expect in the context of their relationship with your business
    • To carry out a contract with the consumer
  2. Security:
    • To detect security incidents
    • To protect against malicious, deceptive, fraudulent, or illegal activity
    • To prosecute people responsible for such activities
  3. Debugging in order to detect and repair errors that affect intended functionality
  4. Free speech:
    • To exercise free speech
    • To ensure that another consumer can exercise free speech
    • To exercise other legal rights
  5. To comply with California's Electronic Communications Privacy Act (CalECPA) (available here)
  6. Research: To engage in public or peer-reviewed scientific, historical, or statistical research, that:
    • Is in the public interest,
    • Would be seriously impaired or impossible to carry out without retaining the personal information, and
    • Has been consented to by the consumer
  7. Internal purposes: To use it for a purpose that is:
    • Internal to your company, and
    • In-line with the reasonable expectations of the consumer, in the context of their relationship with your business
  8. To comply with a legal obligation
  9. Other purposes: To use it for any other purpose that is:
    • Lawful,
    • Internal to your company, and
    • Compatible with the context in which the consumer provided the information

The list above represents every exception in the CCPA. It's very detailed and quite repetitive. Therefore, many companies include a simplified version of this list in their Privacy Policies.

Here's an example from UGG:

UGG Privacy Policy: Right to Deletion clause - Exceptions excerpt

It's important to use language that your customers will understand. But be sure to remain accurate in your representation of the law. UGG gets this balance about right.

Instructions on How to Exercise the Right to Deletion

The rules around facilitating the right to deletion are the same as for the right to access. Most businesses allow consumers to access both rights by the same means.

Here's a typical example, from Cubitts:

Cubitts Privacy Policy: Exercising Access, Data Portability, and Deletion Rights clause excerpt

The Right to Non-Discrimination

The right to non-discrimination means that you cannot discriminate against a consumer who exercises their CCPA rights. The CCPA gives a non-exhaustive list of ways in which you may not discriminate against a consumer:

  • Denying them goods or services
  • Charging them different prices, e.g., by denying discounts or imposing penalties
  • Providing them with a different level or quality of goods or services
  • Suggesting that you might do any of the discriminatory things listed above

Your Privacy Policy must explain the right to non-discrimination to consumers.

Here's an example from Cypress:

Cypress Privacy Policy: Non-Discrimination clause

The right to non-discrimination is a "passive" right, and so consumers cannot exercise it. You don't need to explain this in your Privacy Policy.

The Right to Opt Out

The right to opt out gives California consumers the right to order your company not to sell their personal information. This is only applicable if you sell consumers' personal information.

The right to opt out is sometimes known as "the right to say 'no.'"

If you sell consumers' personal information, you must set up a webpage entitled "Do Not Sell My Personal Information" via which consumers can exercise their right to opt out.

You must provide a link to your "Do Not Sell My Personal Information" page in your Privacy Policy, along with a brief explanation of the right to opt out.

Here's an example from UDX Leads:

UDX Leads Privacy Policy: Do Not Sell My Personal Information clause

This page should have instructions for how a user can opt out of the selling of their personal information either via contact information, or with a webform if you have the resources to implement one.

Your Personal Information Practices

The second half of your CCPA Privacy Policy must contain at least one of the CCPA's three lists:

  • A list of the categories of personal information your business has collected over the preceding 12-month period
  • A list of the categories of personal information you've sold over the preceding 12-month period
  • A list of the categories of personal information you've disclosed for business purposes over the preceding 12-month period

If one or more of these lists doesn't apply to your business, you need to disclose this.

Personal Information You've Collected

Your Privacy Policy must disclose the categories of personal information your business has collected in the past 12 months. This list should correspond with the CCPA's 11 categories of personal information.

Here's how Skyworks does this:

Skyworks Privacy Policy: Categories of personal information collected from California residents clause excerpt

Other businesses, such as YotPo, use a table to display which categories of personal information they have collected:

Yotpo Privacy Policy CCPA: Excerpt of chart for Categories of information collected

Personal Information You've Sold

Your Privacy Policy must list all the categories of personal data your business has sold in the past 12 months. If you haven't sold any personal information over this period then your Privacy Policy must disclose this.

Here's an example from NextRoll's Privacy Policy:

NextRoll Privacy Policy: Sales of Personal Information clause

NextRoll accompanies its disclosure with a reminder about the right to opt out, with a link to the relevant section of its Privacy Policy. This is a good practice.

Personal Information You've Disclosed for Business Purposes

Your Privacy Policy must list all the categories of personal information your business has disclosed for business purposes in the past 12 months. If you haven't disclosed any personal information for business purposes over this period then your Privacy Policy must disclose this.

Here's how Horne LLP does this:

Horne LLP CCPA Privacy Notice: Sharing Personal Information clause

And now, here's the checklist to help you hit all the points we just covered.

CCPA Privacy Policy Checklist

Here's a checklist of everything your Privacy Policy needs to be CCPA-compliant. We've split it up into two broad sections to make it clear what you need to include.

  • Information about the CCPA's consumer rights:
    • The right to access, and how consumers can exercise this right
    • The right to deletion, and how consumers can exercise this right
    • The right to non-discrimination
    • If you sell personal information: the right to opt-out, and a link to your "Do Not Sell My Personal Information" page
  • Information about your personal information practices over the past 12 months:
    • A list of the categories of personal information your business has collected over the preceding 12-month period
    • A list of the categories of personal information you've sold over the preceding 12-month period; or, if you haven't sold any personal information in the preceding 12-month period, disclosure of this
    • A list of the categories of any personal information you've disclosed for business purposes over the preceding 12-month period; or, if you haven't disclosed any personal information for business purposes in the preceding 12-month period, disclosure of this

You must update your Privacy Policy every 12 months. Amend your Privacy Policy's "effective date" each year, even if you don't need to make any other changes.

You must post a conspicuous link to your Privacy Policy on the homepage of your company's website.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.