When privacy policies make it into the news, it’s rarely because people are raving about them. Bad privacy policies are talked about, lambasted for being incomprehensible, unfriendly, and, frankly, unreadable. (Just take a look at The New York Times’ “We Read 150 Privacy Policies. They Were an Incomprehensible Disaster” to see just how excruciatingly unreadable they can be.) 

In the worst cases, privacy policies make headlines when a company’s actual data practices and its privacy notice don’t align. (At the extreme end, Facebook paid a hefty fine over privacy notice violations.) 

Or maybe you’ve thought a lot about privacy policies. You care about your customers and staying in line with laws and now you can cross this off your to-do list. Compliance – achieved!

But compliance is more complex than that. It’s not a bag of popcorn that you pop in the microwave and in 2 minutes, *ding*, it’s done and ready. Compliance is like a sourdough starter. (Yes, even privacy consultants do pandemic baking!) You’ve got to pay attention to environmental conditions, make adjustments to keep it happy, and treat it like the living, breathing being that it is. 

So let’s get started.

CCPA Privacy Policy Requirements

The California Consumer Privacy Act (CCPA) became enforceable on July 1, 2020, and a major element of it is keeping your privacy policy and privacy notice up to date. Let’s talk about how we make that happen.

Privacy policies and notices are essential for communicating how your organization thinks about personal information and data security. They facilitate compliance. They define terms, how data is handled, and communicate this critical information. 

Privacy notices should be like snowflakes

No two should be alike. Every company is on its own mission when it comes to data. That website your customer just visited? It’s got its own mindset at work. 

It’s not an overstatement to say this is a great opportunity. Own your privacy notice! Your privacy notice is an opportunity to show your customers the specifics of your data collection plans. Transparency builds trust, after all. 

How to get your privacy notice right

Communicating with your customers is critical when it comes to your data collection, so let’s focus on how you get your privacy notice done so well, they thank you for putting it together. (Hey, a privacy consultant can dream, can’t she?) 

Putting it together well is a statement of your brand, your values, and a chance to connect with your customers. Some things to keep in mind:

  • Make sure your brand voice and tone extend to your privacy notice. Whether you’re no-nonsense, cheeky, approachable, or authoritative, make sure it carries over.
  • Use sections and hyperlink between them to increase readability and usability.
  • Visual elements can be valuable – consider a graphic summary that delivers the content to your audience in a way they’ll quickly understand.

Getting it right means starting with a good privacy program. Learn more about what goes into one.

And remember, privacy regulations change over time. Although CCPA just became enforceable, there’s a new privacy regulation on the horizon – the California Privacy Rights Act (CPRA). This act will bring new requirements to bear on privacy practices and notice obligations will definitely be affected. What works today may need to change tomorrow. That’s why your business benefits from really integrating privacy into your brand values – it makes adapting to new conditions considerably easier when you have that infrastructure in place. 

Don’t make your customers look for it

Keep these following line items in mind when determining if your privacy notice is ready to go:

  • How are your customers getting your privacy notice? You’ve got some options: a web form or cookie banner on your websites, or a just-in-time pop-up in your mobile app. 
  • However you choose to implement it, the notice must be available to consumers “at or before the point of collection.” That means no surprise notifications after the fact! 
  • Your privacy notice can’t just be “available.” It needs to be conspicuous. The standard location is the website footer or, in a mobile app, the hamburger or settings menu. 
  • Make sure the notice covers every category of personal information you collect, including data gathered through tracking technologies such as Facebook and Google pixels. 

What does your notice need to tell people?

Under CCPA, there are some specific line items that you have to cover in order to be in compliance.

Privacy notice checklist

Let’s take a look at the content requirements for a CCPA compliant privacy notice. Your privacy notice has to include the following information. 

Categories of information

Your privacy notice must disclose the following, covering the preceding twelve months:

  • The categories of personal information your business has collected
  • The categories of personal information you have sold
  • The categories of personal information you have disclosed for a business purpose
  • The categories of third parties that have received your customers’ personal information

Keep these disclosures current with the last twelve months of data collection, not with what you did when the notice was first written. 

Individual rights

Your privacy notice needs to describe your customers’ CCPA rights: the right to know what personal information you collect and to access it, the right to request deletion, the right to opt out of the sale of their personal information, and the right not to be discriminated against for exercising those rights. The biggest one is opting out – your notice should give your customers the opportunity, right then and there, to opt out of the sale of their personal information. 

Contact methods

Consumer requests have to come in somehow! Your business needs two or more designated methods for customers to contact you and exercise their CCPA rights. Which methods you need depends on how you operate. If your business is:

  • Online only: An email address, as well as a webform for “Do Not Sell” requests.
  • Physical only: A toll-free number and a mailing address.
  • Physical and online: A toll-free number and your website. You may also offer a mailing address, an email address, or other methods. 

Having your contact methods well established and your team trained on how to respond is a big win for your business. There’s no clearer way to communicate to your customers that you value your relationship with them than by making things easy. 

How are you communicating this information?

Remember, you’ve got to get this information in front of your customers’ eyes AT OR BEFORE the point of collection. (I know, I already said this, but it’s really important!)

Another really important piece? The “Do Not Sell My Personal Information” link. You’ve got to have a clear and conspicuous link with exactly that title on your website, pointing to a page that lets people opt out of the sale of their personal information. This link has to appear:

  • On your homepage
  • In your privacy policy
  • And in any California-specific description of consumers’ privacy rights

Here are some other points to remember

Privacy compliance is a lot of work. It’s complex. There are a lot of moving parts. It can feel like a puzzle where all the pieces keep changing shape. 

But it’s far from impossible. Especially when you have someone who can help you keep track of the pieces and who can remind you who’s going to be looking at this very puzzle later: your customers.  

How, you might ask, do you keep that in mind? Here are a few starting points:

Map your data

Data mapping – it’s not just for the General Data Protection Regulation (GDPR). Data mapping is a vital practice for any privacy-forward company. If you’ve already done data mapping for GDPR, great – you’ve got a head start, although you’ll still need to review your map and document whether you are “selling” personal information as CCPA defines it.

If not, you’ll need to put together an inventory that documents your collection and sale and disclosure of personal information. 

Data mapping is multifunctional, but for our purposes today, you need it to be shipshape for two reasons: to build accurate privacy notice disclosures AND to provide accurate responses to your customers’ information requests.  

Stay up to date

Privacy notices are dynamic, living documents. Under CCPA, your notice must be updated at least once every twelve months, and at all times it needs to reflect what you’re actually doing with the data you collect. 

That means if you’ve shifted strategies and you’re collecting new categories of information, sharing or selling it with new vendors, or using it for different purposes, you’ve got to disclose these changes. 

And that’s not all. Got a new marketing campaign? Rolling out a new product feature? These totally normal business activities are relevant to your privacy notice. 

If you don’t disclose these changes, you risk violating your own notice and undermining your commitment to transparency.

(Don’t forget, your privacy notice may live across multiple digital properties. Keep it updated at each location.)  

Make everything really easy to find and understand

You should make your privacy notice as easy to find as possible, and your notice should be in a format that’s easy to read across all devices. Under the CCPA regulations, privacy notices and privacy policies must be “reasonably accessible to consumers with disabilities,” and must be available in a format that lets consumers print them out as a separate document. 

And (I know, I’ve said this already) it needs to be placed where people will see it BEFORE information is collected, and written in plain, straightforward language. No legalese or iambic pentameter, please.

Getting all the pieces of compliance can be challenging. Sometimes it takes a village to get your team trained, your policies in place, and help shift your business in a consumer privacy-oriented direction. But that’s what gets us up in the morning and excited for the day. Drop us a line and let us know how we can help you.

The post What Does My Privacy Notice Need To Include For CCPA? appeared first on Red Clover Advisors.

Jodi Daniels

Jodi Daniels is Founder and CEO of Red Clover Advisors, a privacy consultancy, helping companies from startup to Fortune 100 create privacy programs, build customer trust and achieve GDPR, CCPA, and privacy law compliance. Jodi is a Certified Information Privacy Professional who handles daily privacy operations such as data mapping, individual rights, training, policies, etc., and also serves as a fractional chief privacy officer. Jodi Daniels is a national keynote speaker, host of the She Said Privacy / He Said Security Podcast, and has been featured in The Economist, Forbes, Inc., Authority Magazine, ISACA, and more. Jodi holds a Master of Business Administration and a Bachelor of Business Administration from Emory University’s Goizueta Business School.