CCPA / CPRA Notice Requirements

How to adapt your Privacy Policy for California, with examples

Depending on where you do business and where your users are located, the minimum notice requirements for your privacy policy will differ. We previously looked at the requirements for businesses processing the information of EU residents and the implications of the GDPR.

Now we pivot across the Atlantic to examine another important regulation, the California Consumer Privacy Act (CCPA) of 2018. This was later updated to the California Privacy Rights Act (CPRA) effective in 2023, which is essentially California’s equivalent to the GDPR.

The significance of the CCPA

The CCPA was a landmark piece of legislation that set precedent for other states and sparked discussion at a federal level. With California being the largest state in the US, with a population close to 40 million, the CCPA, and subsequently the CPRA increased awareness of privacy issues for the entire US region.

In this chapter, we will explain when the CPRA applies and discuss the specific requirements of CPRA Section 1798.130 and 1798.135, which both place requirements on privacy policies.

We will continue using the fictional company "FituraLife" as an example, as they increase their customer base in California.

When does the CPRA apply?

The CPRA applies to any company that processes the personal data of California residents, does business in California and meets at least one of the following criteria:

• Annual gross revenues over $25,000,000

• Buys, sells or shares the personal information of 100,000 California residents or households

• Devices at least half of its annual revenue from selling or sharing personal information of California residents

Given FituraLife's aggressive growth and presence in California, it must comply the with CPRA’s requirements.

Update every 12 months

FituraLife must update its privacy policy at least once every 12 months.

Example

This privacy policy was last updated 1 January 2023.

Description of consumer rights

FituraLife must provide a description of consumer rights regarding notice, disclosure, correction, and deletion requirements, including those found in specific sections of the regulation.¹

Example

Your rights under the CPRA include:

• the right to information about the categories of personal information and purpose for collection, including sensitive personal information and the retention of such information

• the right to know what personal information is being collected about you

• the right to access that information

• the right to correct inaccurate personal information

• the right to delete your personal information

• the right to know what personal information is sold or shared and to whom

• the right of no retaliation following opt out or exercise of other rights

Method for submitting requests

The CPRA requires that companies provide tow or more methods for submitting consumer requests regarding privacy rights, unless the business operates exclusively online and has a direct relationship with the consumer.

In this case, FituraLife is only required to provide an email address for submitting requests.

Example

You can submit requests regarding your rights to privacy@fituralife.com.

Categories of personal information collected

FituraLife must disclose a list of the categories of personal information collected in the previous 12 months. There are numerous categories.²

Example

Over the past 12 months, we've collected the following categories of personal information: identifiers, commercial information, biometric information, internet or other network activity information, geolocation data, and inferences drawn from this information.

Categories of sources of personal information

FituraLife must disclose the categories of sources from which the personal information is collected.

Example

We collect personal information directly from you when you use our services, from our business partners, and from third parties that interact with our website or app.

Purpose(s) of the processing

FituraLife must disclose the purposes for which the personal information is collected or sold.

Example

We collect your personal information for the following purposes: to provide and personalise our services, to send you relevant marketing information, and to improve our services.

Categories of third parties

FituraLife must disclose the types third parties with whom the personal information is shared or disclosed.

Example

FituraLife shares personal data with third-party payment processors, nutrition experts, and partner gyms to offer comprehensive fitness and wellness services.

Categories of personal information sold or shared

FituraLife must disclose the categories of personal information sold or shared for advertising purposes in the past 12 months. If not, FituraLife must disclose that fact.

Example

Over the past 12 months, we have not sold or shared for advertising purposes any personal information.

Categories disclosed for a business purpose

FituraLife must disclose the categories of personal information disclosed for a business purpose in the past 12 months. If not, FituraLife must disclose that fact.

Example

Over the past 12 months, we have disclosed identifiers and commercial information for business purposes such as payment processing and service provision.

Description of additional consumer rights

In addition to the previous section, FituraLife must describe the consumer rights describing methods of limiting sale, sharing, and use of personal information and use of sensitive personal information found in two additional sections.³

Example

Under the CPRA, you have the right to opt out of the sale or sharing of your personal information, and the right to limit the use and disclosure your sensitive personal information.

Do Not Sell or Share My Personal Information

FituraLife must provide a link to the Do Not Sell or Share My Personal Information page if applicable.

This page must enable a consumer to opt-out of the sale or sharing their personal information. In this case, as FituraLife does not sell or share personal information, this does not apply.

Limit the Use of My Sensitive Personal Information

FituraLife must provide a link to the Limit the Use of My Sensitive Personal Information page if applicable.

This page must enable a consumer to limit the use and disclosure of their sensitive personal information to those which are necessary to perform the services or provide the goods reasonably expected by a consumer, including ensuring security and integrity, transient use, performing services on behalf of the business (such as providing customer service) and to maintain quality or safety.

Opt-out Preference Signals

In lieu of providing the links above, FituraLife may abide by an opt-out preference signal set by a platform, technology or other mechanism, and provide a statement to that effect. For example, this could be a preference in a settings panel on FituraLife’s app.

---

FituraLife will be able to establish trust and transparency with its Californian customers, in turn upholding the principles of Privacy by Design.

In our next chapter, we'll take a closer look at the intersection of GDPR and CCPA/CPRA, and discuss how companies can create a unified privacy policy that satisfies both regulations. This is a critical step for businesses operating in multiple jurisdictions, and particularly for digital businesses that operate globally.

1

The relevant sections describing consumer rights are:

• 1798.100: General Duties of Businesses that Collect Personal Information

• 1798.105: Consumers’ Right to Delete Personal Information

• 1798.106: Consumers’ Right to Correct Inaccurate Personal Information

• 1798.110: Consumers’ RIght to Know What Personal Information is Being Collected and Consumers’ Right to Access Personal Information

• 1798.115: Consumers’ Right to Know What Personal Information is Sold or shared and to Whom

• 1798.125: Consumers’ Right of No Retaliation Following Opt Out or Exercise of Other Rights

2

Categories of personal information defined by the CPRA include:

• identifiers including a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number or passport number

• commercial information, such as records of personal property, products or services purchased or considered

• biometric information

• internet activity

• geolocation data

• audio, electronic or visual information

• professional or employment-related information

• inferences drawn from personal information

• sensitive personal information

Categories of sensitive personal information include:

• social security, driver’s license or passport numbers

• account login information, financial account, debit or credit card number in combination with credentials allowing access

• precise geolocation

• racial or ethnic origins, religious beliefs

• contents of email, email or text messages

• genetic data

3

The two additional sections describing consumer rights are:

• 1798.120: Consumers’ Right to Opt Out of Sale or sharing of Personal Information

• 1798.121: Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information