Termly

| By | Reviewed By Masha Komnenic CIPP/E, CIPM, CIPT, FIP

CCPA Privacy Policy Checklist

CCPA privacy policy checklist featured image Build My CCPA Privacy Policy

Home Resources Articles CCPA Privacy Policy Checklist

You need a CCPA privacy policy if your business is subject to comply with the California Consumer Privacy Act (CCPA).

The CCPA applies to businesses that collect personal information from California consumers. Let’s define each of these terms in the context of the official CCPA legislation:

Businesses — Under the CCPA, businesses meet one of the following thresholds:

  • Makes $25million+ in annual gross revenue
  • Annually buys, sells, or engages in the exchange of 50,000+ consumers’ personal information for commercial purposes
  • Makes 50%+ annual revenue from the sale of personal information

Personal Information — Personal information is any piece of data that can be reasonably linked to an individual. Information lawfully made available from federal, state, or local authorities is not considered personal information under the CCPA if this information is used for purposes compatible with the purposes for which the data is “maintained and made available” to the public. All other types of publicly available information are within the scope of CCPA.

Consumers — Consumers are California residents.

Understanding these definitions is the first step toward creating a CCPA-compliant privacy policy. The next step is to edit your existing privacy policy, or create a new CCPA privacy policy.

Here’s a checklist for making your privacy policy CCPA compliant:

Table of Contents
  1. Provide a Notice of Collection
  2. Explain Consumer Rights
  3. Add a Do Not Sell My Personal Information Link
  4. Provide Contact Information
  5. Post Your Policy
  6. Update Your Policy
  7. Create Your CCPA Privacy Policy
  8. CCPA Privacy Policy Checklist FAQs

1. Provide a Notice of Collection

The CCPA requires you to provide consumers with a notice of what personal information you’ve collected in the past 12 months, along with details about your purpose for collecting that information.

Here’s an example of what a notice of collection looks like in a CCPA privacy policy:

experian notice of collection example

The above is an excerpt from Experian’s privacy policy. Notice that the table is broken into multiple columns that address different details of how Experian collects and handles personal information.

Let’s break down each item of information you need to include in your CCPA privacy policy’s notice of collection.

Categories of Personal Information

Your notice of collection must list which categories of personal information your business collects from consumers. The CCPA lists the following as categories of information:

Category Examples
Personal identifiers Name, email address, social security number
Commercial information Records of purchase, property records, transaction histories
Information described in subdivision (e) Section 1798.80 of the California Civil Code Passport number, driver’s license number, state ID number
Protected classifications Race, gender, sexual orientation
Biometric information Fingerprints, call recordings, facial recognition
Electronic network activity Browsing records, search history, internet preferences
Geolocation information IP address, mobile app location, search settings
Sensory information Audio recordings, thermal data, visual settings
Professional information Employment history, employment records, application information
Education information Exam details, admissions history, attendance records
Inferences used to create a consumer profile Aptitudes, behavior, preferences

 

However, the CCPA explicitly states that personal information is not limited to the above categories. If you collect any personal information or category of personal information that doesn’t match one of those listed, you still need to include it in your privacy policy in order to comply with the CCPA.

Here’s an example of how Caderet Grant’s notice of collection lists the categories of personal information they’ve collected in the past 12 months:

caderet grant notice of collection categories of personal information example

Types of Personal Information Collected

In the example above, you’ll notice that next to each category of personal information is a list of types of personal information collected.

Your list should be as exhaustive as possible, and each type of personal information should be grouped with the corresponding category.

Purpose of Collection

The next item in your CCPA notice of collection should be your commercial or business purpose for collection.

State why your business collects each category of personal information and how you use this information.

Check out Daimler’s privacy notice and how they state their purposes for collection under the heading “How we use it”:

daimler how we use your personal information example

Like you can see in the example, your explanation of purpose doesn’t need to be extensive or formal. Use plain language and be transparent so consumers can easily understand why you need their personal information.

Sources of Collection

Alongside each category of personal information, list what sources this information is collected from. See the example above for reference.

Common sources include:

  • Directly from the consumer
  • Social media
  • Cookies
  • Analytics software
  • Third parties

Data mapping can help you determine each piece of personal information you collect and where that information comes from.

Sharing or Sale of Information

The last activity that your notice of collection needs to address is whether you share or sell any categories of personal information. The CCPA defines “selling” as:

selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating […] for monetary or other valuable consideration

You need to specify whether each category of personal information is sold (as defined above) or simply shared.

Your notice of collection doesn’t need to be entirely in table format. For example, LinkedIn’s privacy policy has a table detailing their collection of personal information, followed by an standalone section explaining why they may share personal information:

linkedin privacy policy example of what personal information they share

Whether you outline this information within a table or its own section, you need to explain whether you share or sell information, who with, and for what purposes.

2. Explain Consumer Rights

The next item on your CCPA privacy policy checklist is to address the unique rights that consumers are granted under the CCPA.

Have a single “California Consumer Rights” section in your privacy policy that covers all the rights, or dedicate individual sections to each right.

Here are the rights you need to explain to consumers in your CCPA privacy policy:

Right to Access

The right to access allows consumers to request you provide them with logs of the personal information you’ve collected from or about them.

Keep in mind two unique features of the CCPA right to access:

  1. A consumer can only request access to their personal information twice in a year.
  2. Once you’ve verified a consumer’s request, you need to provide them with their requested information within 45 days. A one-time extension of up to 90 days may be possible, but you’re required to notify the customer of reasons for such extension within the first 45 days after receiving the request.

Here’s how Toyota’s privacy policy explains the right to access:

toyota privacy policy consumer right to access

Toyota’s policy clearly explains this right and what information consumers may request from the business.

Right to Deletion

The next CCPA consumer right you need to address in your privacy policy is the right to deletion. Consumers have the right to request that you delete personal information collected from them in the past 12 months.

Looking again at Toyota’s privacy policy, here’s how it outlines the right to deletion:

toyota privacy policy consumer right to deletion

Like Toyota’s, your CCPA privacy policy needs to explain why a deletion request may be denied.

Right to Non-Discrimination

The CCPA also grants consumers the right to not be discriminated against because of actions they take regarding their privacy rights. For example, you can’t penalize a consumer who requests the deletion of their personal information.

Forms of discrimination that are prohibted under the CCPA include:

  • Denying goods, services, or discounts
  • Charging different prices
  • Providing a different quality of goods or services
  • Implying that you’ll discriminate against them if they act on their consumer rights

Here’s how Toyota addresses the right to non-discriminaton in their CCPA privacy policy:

toyota privacy policy consumer right to non-discrimination

After describing all of the above rights in its privacy policy, Toyota gives instructions on how consumers can act on their rights:

toyota privacy policy how to submit a consumer request

You also need to explain to consumers how they can act on their rights. Methods can include a form, webpage, phone number, or email address.

Another consumer right under the CCPA is the right to opt out of the sale of their personal information. To lawfully grant consumers this right, your privacy policy needs a Do Not Sell My Personal Information link.

Here’s how Government Executive’s privacy policy provides consumers with a Do Not Sell link:

government executive do not sell my personal information

A Do Not Sell My Personal Information link directs consumers to a method where they can opt out of the sale of their personal information.

If you sell consumers’ personal information, you must provide this link in your privacy policy as well as on your website’s homepage.

When consumers click this link, they should be taken to a form, page, or portal that allows them to request their personal information not be sold. Once you receive this request, verify it immediately and honor the consumer’s right to opt out.

4. Provide Contact Information

Add accurate contact information to your CCPA privacy policy.

According to the CCPA, you must provide at least an active email address or a toll-free number where consumers can reach you if they have questions, or want to take action regarding your privacy policy or their consumer rights.

Here’s an example of Blueair’s contact information section in their privacy policy:

blueair privacy policy contact information

While a toll-free number or email address is the minimum CCPA requirement, it’s recommended that you add multiple contact methods (as Blueair does in the example above).

5. Post Your Policy

Post your CCPA privacy policy conspicuously on your website so consumers can easily find it.

Common places to link to your privacy policy include:

  • Website footer
  • Main menu
  • Checkout pages
  • Sign-up pages
  • Help centers

If your CCPA privacy policy is separate from your general privacy policy, make sure to clearly label it as “CCPA Privacy Policy” or “California Privacy Policy” so consumers know where to find information about their unique rights.

6. Update Your Policy

The final checklist item for your CCPA privacy policy is to update your privacy policy at least once every 12 months, as annual policy updates are mandated by the CCPA.

7. Create Your CCPA Privacy Policy

Follow this CCPA privacy policy checklist when updating your current policy or creating a new one on your own.

If you want to save time, generate a privacy policy with CCPA compliance built in using our free builder.

8. CCPA Privacy Policy Checklist FAQs

Written by KJ Dearie

KJ Dearie is a product specialist and privacy consultant for Termly, where she advises small business owners on how to comply with the latest data privacy laws and trends. She's been published in Business News Daily, Omnisend, ITProToday, MarTechExec, and more.

Related Articles