Updating your CCPA Privacy Policy for the CPRA

The California Consumer Privacy Act (CCPA) is already the most demanding U.S. state privacy law. By voting "Yes" on Proposition 23 and enacting the California Privacy Rights Act (CPRA), Californians extended their state's privacy law obligations even further.

In addition to affecting the CCPA's scope, the CPRA adds some new rights for Californians and new obligations on covered businesses. This article will look at how the CPRA affects your CCPA-compliant Privacy Policy.

The CPRA's Privacy Policy obligations affect different businesses in different ways, so we're going to briefly look at some of the CPRA's new impacts, to help you understand whether and how you need to modify your Privacy Policy.


CPRA Obligations and their Impacts on Your Privacy Policy

The CPRA expands several existing CCPA provisions, as well as adding some new requirements.

For the purposes of this article, we're assuming you already have a CCPA-compliant Privacy Policy. If not, check out our article CCPA Privacy Policy Checklist.

To explain how the CPRA affects your Privacy Policy, we need to explain a few of its key concepts.

Sensitive Personal Information

The CPRA introduces the concept of "sensitive personal information." Businesses that collect or use sensitive personal information have some new Privacy Policy obligations under the CPRA.


Do You Collect or Use Sensitive Personal Information?

There are two types of sensitive personal information. Here's a breakdown of each type:

  • Type 1. Personal information that reveals:

    1. A consumer's:

      • Social security number
      • Driver's license number
      • State ID card number
      • Passport number
    2. A consumer's:

      • Account login
      • Financial account number
      • Debit card number
      • Credit card number
    3. A consumer's:

      • Precise geo-location
    4. A consumer's:

      • Racial or ethnic origin
      • Religious or philosophical beliefs
      • Union membership
    5. Unless your business is the intended recipient, the contents of a consumer's:

      • Mail
      • Email
      • Text messages
    6. A consumer's:

      • Genetic data
  • Type 2.

    1. Biometric information (for the purpose of uniquely identifying a consumer)
    2. Health information (when collected AND analyzed)
    3. Sex life or sexual orientation information (when collected AND analyzed)

Under Section 1798.40 (ae) (3) of the CPRA, sensitive personal information doesn't include publicly available information (with some caveats).

Here's how the CPRA lists the first type of sensitive personal information, under Section 1798.40 (ae) (1):

California Legislative Information: CPRA Section 1798 40 ae 1 - Definition of sensitive personal information

Here's the second type of personal information, under Section 1798.40 (ae) (2) of the CPRA:

California Legislative Information: CPRA Section 1798 40 ae 2 - Definition of sensitive personal information

Right to Limit Use and Disclosure of Sensitive Personal Information

Under Section 1798.121 of the CPRA, consumers have the right to request that you limit your use and disclosure of their sensitive personal information. In your Privacy Policy, you'll need to make consumers aware of this new consumer right.

So what does this new right entail? Suppose a consumer submits a "verifiable consumer request" under the right to limit your use and disclosure of their personal information. In that case, you must stop using or sharing their sensitive personal information.

There are some exceptions to this right. You may continue to use or disclose the sensitive personal information of a consumer who has submitted a request, but only:

  • As necessary to "perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services,"
  • To provide a service listed under subdivisions 2, 4, 5, and 8 of Section 1798.140 of the CCPA
  • As permitted by further regulations

Right to Correct

The CPRA introduces a new consumer right: the "right to correct" (also known as the "right to rectification"). You must make consumers aware of their "right to correct" in your Privacy Policy.

The right to correct requires you to:

  • Make "commercially reasonable efforts" to correct any inaccurate personal information you hold about a consumer within 45 days of receiving a "verifiable consumer request" (an additional 45-day extension is available if required)
  • Make available at least two designated methods of submitting a request under the right to correct, including a toll-free phone number
  • Disclose information about the right to correct in your Privacy Policy

Here's the "right to correct" under the CPRA Section 1798.106, with the Privacy Policy obligation highlighted:

California Legislative Information: CPRA Section 1798 106 - Consumers Right to Correct Inaccurate Personal Information

The CPRA enhances another consumer right that will affect your Privacy Policy content. Let's take a look.

Right to Opt Out of Personal Information-Sharing

The CPRA expands the CCPA's "right to opt out." While the CCPA granted consumers the right to opt out of the "sale" of their personal information, the CPRA extends this right to the "sharing" of personal information.

Your Privacy Policy must make consumers aware of their right to opt out of the sharing of their personal information and sensitive personal information.

The CPRA's definition of "sharing" personal information encompasses any "communication" of personal information, including for the purposes of "cross-context behavioral advertising."

Many observers believe that using third-party cookies already falls under the CCPA's definition of "sale" (see our article "CCPA: Does Using Third-Party Cookies Count as Selling Personal Information?" for more information about that). But the CPRA removes any ambiguity about this.

Here's the relevant part of the CPRA, at Section 1798.40 (ah) (1):

California Legislative Information: CPRA Section 1798 40 ah 1 - Definition of sharing

Note that the usual CCPA exceptions apply to the definition of "sharing," under Section 1798.40 (ah) (2):

California Legislative Information: CPRA Section 1798 40 ah 2 - Exceptions to the definition of sharing

If you share personal information, you'll need to set up a page where consumers can exercise their right to opt out, and include a link to this page on your homepage (or app) that reads "Do Not Sell or Share My Personal Information."

Disclosure of Retention Periods

The CPRA requires you to disclose the period for which you intend to retain (keep/store) a consumer's personal information and sensitive personal information.

You need to provide the information about data retention in your "notice at collection." However, as we explored in a previous article, it is possible to satisfy the CCPA's "notice at collection" requirements via a section in your Privacy Policy. Therefore, you may wish to include this information in your Privacy Policy.

If you can't say precisely how long you intend to keep a consumer's personal information, you must disclose the criteria you use to determine how long you intend to keep it. However, you must not keep the information "for longer than is reasonably necessary" in connection with your disclosed purpose for collecting it.

For example, you may need to keep a consumer's personal information for six years in order to comply with a legal obligation. Or you may need to keep the consumer's personal information for as long as they hold an account and for four weeks after they close their account.

Here's the relevant part of the CCPA, at Section 1798.100 (3):

California Legislative Information: CPRA Section 1798 100 3 - Data retention time period

Summary of CPRA Privacy Policy Obligations

To meet the CPRA's transparency requirements, you'll need to add the following information to your Privacy Policy by January 1, 2023.

For all businesses:

  • Information about the "right to correct," including:

    • An explanation of a consumer's right to correct inaccurate personal information you hold about them
    • Instructions on how to make a verifiable consumer request under the right to correct
    • A general description of how you will verify a consumer's identity

If you "share" personal information (according to the CPRA's definition):

  • Information about the "right to opt out of personal information-sharing," including:

    • An explanation of the consumer's right to opt out of the sharing of their personal information and sensitive personal information
    • The contents of, or a link to, your "Do Not Sell or Share My Personal Information" page

If you collect or use "sensitive personal information" (according to the CPRA's definition):

  • Information about the "right to limit the disclosure or use of sensitive personal information," including:

    • An explanation of this CCPA consumer right
    • Instructions on how to make a verifiable consumer request under this right
    • A general description of how you will verify a consumer's identity

The CPRA also requires you to disclose how long you intend to retain a consumer's personal information at the point of collection. If you wish to use a section in your Privacy Policy as a "notice at collection," you should include the following information in your Privacy Policy:

  • The length of time you intend to retain each category of personal information or sensitive personal information you are collecting from the consumer, OR (if this is not possible)
  • The criteria you use to determine how long you will retain each category of personal information or sensitive personal information you are collecting from the consumer

Remember to update your Privacy Policy every 12 months.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.