Depending on where you do business and where your users are located, the minimum notice requirements for your privacy policy will differ. We previously looked at the requirements for businesses processing the information of EU residents and the implications of the GDPR.
Now we pivot across the Atlantic to examine another important regulation, the California Consumer Privacy Act (CCPA) of 2018. The CCPA was amended and expanded by the California Privacy Rights Act (CPRA), which took effect on 1 January 2023, and the amended law is essentially California's equivalent of the GDPR.
The significance of the CCPA
The CCPA was a landmark piece of legislation that set a precedent for other states and sparked discussion at the federal level. With California being the most populous state in the US, with a population close to 40 million, the CCPA, and subsequently the CPRA, raised awareness of privacy issues across the entire US.
In this chapter, we will explain when the CPRA applies and discuss the specific requirements of Sections 1798.130 and 1798.135 of the California Civil Code, which both place requirements on privacy policies.
We will continue using the fictional company "FituraLife" as an example, as they increase their customer base in California.
When does the CPRA apply?
The CPRA applies to any for-profit business that does business in California, collects the personal information of California residents, and meets at least one of the following criteria:
Annual gross revenues over $25,000,000
Buys, sells or shares the personal information of 100,000 or more California residents or households per year
Derives 50% or more of its annual revenue from selling or sharing the personal information of California residents
Given FituraLife's aggressive growth and presence in California, it must comply with the CPRA's requirements.
Update every 12 months
FituraLife must update its privacy policy at least once every 12 months.
Example
This privacy policy was last updated 1 January 2023.
Description of consumer rights
FituraLife must provide a description of consumer rights regarding notice, disclosure, correction, and deletion requirements, including those found in specific sections of the regulation (see note 1 below).
Example
Your rights under the CPRA include:
the right to be informed, at or before collection, of the categories of personal information collected and the purposes for collection, including sensitive personal information and the retention period of such information
the right to know what personal information is being collected about you
the right to access that information
the right to correct inaccurate personal information
the right to delete your personal information
the right to know what personal information is sold or shared and to whom
the right of no retaliation following opt out or exercise of other rights
Method for submitting requests
The CPRA requires that companies provide two or more methods for submitting consumer requests regarding privacy rights, including at a minimum a toll-free telephone number, unless the business operates exclusively online and has a direct relationship with the consumer.
Since FituraLife operates exclusively online and has a direct relationship with its customers, it is only required to provide an email address for submitting requests.
Example
You can submit requests regarding your rights to privacy@fituralife.com.
Categories of personal information collected
FituraLife must disclose a list of the categories of personal information collected in the previous 12 months. There are numerous categories (see note 2 below).
Example
Over the past 12 months, we've collected the following categories of personal information: identifiers, commercial information, biometric information, internet or other network activity information, geolocation data, and inferences drawn from this information.
Categories of sources of personal information
FituraLife must disclose the categories of sources from which the personal information is collected.
Example
We collect personal information directly from you when you use our services, from our business partners, and from third parties that interact with our website or app.
Purpose(s) of the processing
FituraLife must disclose the purposes for which the personal information is collected or sold.
Example
We collect your personal information for the following purposes: to provide and personalise our services, to send you relevant marketing information, and to improve our services.
Categories of third parties
FituraLife must disclose the categories of third parties with whom the personal information is shared or disclosed.
Example
FituraLife shares personal data with third-party payment processors, nutrition experts, and partner gyms to offer comprehensive fitness and wellness services.
Categories of personal information sold or shared
FituraLife must disclose the categories of personal information sold, or shared for cross-context behavioural advertising, in the past 12 months. If it has sold or shared none, FituraLife must state that fact.
Example
Over the past 12 months, we have not sold any personal information, nor shared any personal information for cross-context behavioural advertising.
Categories disclosed for a business purpose
FituraLife must disclose the categories of personal information disclosed for a business purpose in the past 12 months. If not, FituraLife must disclose that fact.
Example
Over the past 12 months, we have disclosed identifiers and commercial information for business purposes such as payment processing and service provision.
Description of additional consumer rights
In addition to the rights listed in the previous section, FituraLife must describe the consumer rights to opt out of the sale or sharing of personal information and to limit the use of sensitive personal information, found in two further sections of the regulation (see note 3 below).
Example
Under the CPRA, you have the right to opt out of the sale or sharing of your personal information, and the right to limit the use and disclosure of your sensitive personal information.
Do Not Sell or Share My Personal Information
FituraLife must provide a link to the Do Not Sell or Share My Personal Information page if applicable.
This page must enable a consumer to opt out of the sale or sharing of their personal information. In this case, as FituraLife does not sell personal information or share it for cross-context behavioural advertising (its disclosures to payment processors and partners are made for a business purpose, not as a sale or sharing), this does not apply.
Limit the Use of My Sensitive Personal Information
FituraLife must provide a link to the Limit the Use of My Sensitive Personal Information page if applicable.
This page must enable a consumer to limit the use and disclosure of their sensitive personal information to what is necessary to perform the services or provide the goods a consumer would reasonably expect. Uses that remain permitted include ensuring security and integrity, transient use, performing services on behalf of the business (such as providing customer service), and maintaining quality or safety.
Opt-out Preference Signals
In lieu of providing the links above, FituraLife may honour an opt-out preference signal set by a platform, technology or other mechanism, and state in its privacy policy that it does so. For example, this could be a preference in a settings panel on FituraLife's app, or a signal sent by the user's browser.
By meeting these requirements, FituraLife establishes trust and transparency with its Californian customers, in turn upholding the principles of Privacy by Design.
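The following is an added example, not code from the original chapter or from the fictional FituraLife, of what honouring an opt-out preference signal looks like server-side. It assumes the browser-level signal is Global Privacy Control, carried as the `Sec-GPC: 1` request header, which the chapter does not name; the purpose and category labels, the account-preference keys, and the sample request and disclosures are all constructed for the illustration. It also encodes the distinction the chapter draws between disclosure to a service provider for a business purpose (unaffected by the opt-out) and sale or sharing with a third party (blocked by it), and strips sensitive categories from non-necessary uses when the consumer has limited them.

```python
from dataclasses import dataclass, field

# Assumption: the browser-level opt-out preference signal is Global Privacy
# Control, sent as the request header "Sec-GPC: 1". Absent, "0" or malformed
# values are treated as no signal.
GPC_HEADER = "sec-gpc"

# Hypothetical labels for a subset of the sensitive categories in the chapter's notes.
SENSITIVE_CATEGORIES = {"precise_geolocation", "biometric", "account_login",
                        "racial_or_ethnic_origin"}

# Uses of sensitive information the chapter lists as not limitable: performing the
# service, security and integrity, transient use, customer service, quality or safety.
NECESSARY_PURPOSES = {"perform_service", "security_and_integrity", "transient_use",
                      "customer_service", "quality_or_safety"}

# Purposes that amount to a "sale" or "sharing" (cross-context behavioural advertising).
SALE_OR_SHARE_PURPOSES = {"sale", "cross_context_advertising"}


@dataclass
class OptOutState:
    sale_or_sharing_opted_out: bool = False
    sensitive_use_limited: bool = False
    sources: list = field(default_factory=list)  # audit trail of where each decision came from


def gpc_signal_present(headers):
    """True only for an exact 'Sec-GPC: 1'; header names are compared case-insensitively."""
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def resolve_opt_out(headers, account_prefs):
    """Merge the browser signal with the stored account preference.

    Conservative rule: any source asserting an opt-out wins, and an opt-out stored on
    the account is never cleared just because this request carries no signal, since the
    signal is per device and the stored choice may have been made in the app's settings.
    """
    state = OptOutState()
    if gpc_signal_present(headers):
        state.sale_or_sharing_opted_out = True
        state.sources.append("Sec-GPC header")
    if account_prefs.get("do_not_sell_or_share"):          # hypothetical preference key
        state.sale_or_sharing_opted_out = True
        state.sources.append("account preference: do_not_sell_or_share")
    if account_prefs.get("limit_sensitive_use"):           # hypothetical preference key
        state.sensitive_use_limited = True
        state.sources.append("account preference: limit_sensitive_use")
    return state


def allowed_disclosures(state, disclosures):
    """Filter planned disclosures against the resolved opt-out state.

    Each disclosure is a dict with recipient, relationship ("service_provider" or
    "third_party"), purpose, and the set of categories to be disclosed. Disclosures to
    service providers for a business purpose are not a sale or sharing, so the
    sale/share opt-out leaves them untouched.
    """
    result = []
    for d in disclosures:
        if (state.sale_or_sharing_opted_out and d["relationship"] == "third_party"
                and d["purpose"] in SALE_OR_SHARE_PURPOSES):
            continue  # blocked entirely by the opt-out
        categories = set(d["categories"])
        if state.sensitive_use_limited and d["purpose"] not in NECESSARY_PURPOSES:
            categories -= SENSITIVE_CATEGORIES  # keep only non-sensitive data for this use
        if not categories:
            continue  # nothing left that may be disclosed for this purpose
        result.append({**d, "categories": categories})
    return result


# Constructed sample input (not real traffic): a GPC-enabled browser, an account that
# has limited sensitive use but not opted out of sale/sharing, and four planned disclosures.
SAMPLE_HEADERS = {"Host": "api.fituralife.example", "Sec-GPC": "1"}
SAMPLE_PREFS = {"do_not_sell_or_share": False, "limit_sensitive_use": True}
SAMPLE_DISCLOSURES = [
    {"recipient": "payment processor", "relationship": "service_provider",
     "purpose": "perform_service", "categories": {"identifiers", "commercial"}},
    {"recipient": "nutrition expert", "relationship": "third_party",
     "purpose": "personalisation", "categories": {"identifiers", "precise_geolocation"}},
    {"recipient": "ad network", "relationship": "third_party",
     "purpose": "cross_context_advertising", "categories": {"identifiers", "inferences"}},
    {"recipient": "analytics vendor", "relationship": "third_party",
     "purpose": "analytics", "categories": {"precise_geolocation"}},
]


def demo():
    """Resolve the sample request and return (state, disclosures that may proceed)."""
    state = resolve_opt_out(SAMPLE_HEADERS, SAMPLE_PREFS)
    return state, allowed_disclosures(state, SAMPLE_DISCLOSURES)


if __name__ == "__main__":
    state, allowed = demo()
    print(state)
    for d in allowed:
        print(d["recipient"], sorted(d["categories"]))
```

On the sample request the ad-network disclosure is dropped because the browser signal opts the consumer out of sharing, the analytics disclosure is dropped because stripping sensitive data leaves nothing to send, the nutrition expert receives identifiers only, and the payment processor is untouched. The `sources` list is kept deliberately so that an opt-out decision can be explained to the consumer or an auditor.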
In our next chapter, we'll take a closer look at the intersection of GDPR and CCPA/CPRA, and discuss how companies can create a unified privacy policy that satisfies both regulations. This is a critical step for businesses operating in multiple jurisdictions, and particularly for digital businesses that operate globally.
Note 1. The relevant sections describing consumer rights are:
1798.100: General Duties of Businesses that Collect Personal Information
1798.105: Consumers' Right to Delete Personal Information
1798.106: Consumers' Right to Correct Inaccurate Personal Information
1798.110: Consumers' Right to Know What Personal Information is Being Collected and Consumers' Right to Access Personal Information
1798.115: Consumers' Right to Know What Personal Information is Sold or Shared and to Whom
1798.125: Consumers' Right of No Retaliation Following Opt Out or Exercise of Other Rights
Note 2. Categories of personal information defined by the CPRA include:
identifiers, including a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number or passport number
commercial information, such as records of personal property, or products or services purchased or considered
biometric information
internet or other electronic network activity information
geolocation data
audio, electronic or visual information
professional or employment-related information
inferences drawn from personal information
sensitive personal information
Categories of sensitive personal information include:
social security, driver’s license or passport numbers
account login details, or a financial account, debit card or credit card number, in combination with any credentials allowing access to the account
precise geolocation
racial or ethnic origins, religious beliefs
contents of mail, email or text messages, unless the business is the intended recipient
genetic data
Note 3. The two additional sections describing consumer rights are:
1798.120: Consumers' Right to Opt Out of Sale or Sharing of Personal Information
1798.121: Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information