California: New year, new privacy policy: CCPA obligations and obstacles

1 January 2020 marked the compliance deadline for the groundbreaking California Consumer Privacy Act of 2018 ('CCPA'). The CCPA imposes significant requirements on most businesses that handle personal information about California residents. One of the key requirements of the CCPA is the obligation for covered businesses to include specific disclosures in their privacy policies. Unfortunately for those businesses, and the consumers who read CCPA privacy policies, the requirements regarding these disclosures are murky. In addition, the California Attorney General's implementing regulations ('Draft Regulations') have not been finalised, resulting in businesses facing a long list of dilemmas in determining how to structure their privacy policies to comply with the CCPA. Lisa Sotto and Danielle Dobrusin, from Hunton Andrews Kurth LLP, provide an overview of the CCPA's privacy policy requirements and discuss significant issues a business must consider when drafting a privacy policy designed to comply with the CCPA.

The CCPA's privacy policy requirements

The CCPA requires businesses to make certain disclosures in their 'online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers' privacy rights1.' Confusingly, there is no single dedicated section in the CCPA that comprehensively lists each required privacy disclosure. Instead, the privacy policy content requirements are strewn throughout multiple provisions of the CCPA, and the final regulations may impose additional obligations. Below is a description of the key disclosures a business must make in its CCPA privacy policy.

A business must provide a description of the personal information it collected in the preceding 12 months, including:

  • the categories of personal information it collected about consumers;
  • the categories of sources from which the personal information was collected;
  • the business or commercial purposes for which the personal information was collected or sold; and
  • the categories of third parties with whom the personal information was shared2.

Under the Draft Regulations, a business must tie each category of personal information to the relevant sources, purposes, and third parties with whom the data was shared3.

If the business sells consumers' personal information or discloses it to third parties for a business purpose, the privacy notice must also include two separate lists of the categories of personal information sold or disclosed about consumers in the preceding 12 months4. If the business has not sold consumers' personal information, or disclosed it for a business purpose, in the preceding 12 months, the business must disclose that fact in the privacy notice5. Under the Draft Regulations, a business must affirmatively state whether it has 'disclosed or sold any personal information to third parties for a business or commercial purpose in the preceding 12 months6.' Regardless of whether a business 'sells' personal information, the Draft Regulations also would require the business to disclose whether it sells the personal information of minors under 16 years of age without affirmative authorisation7.

The privacy policy also must include a description of consumers' rights under the CCPA8. These are the right to:

  • request that a business provide the consumer with access to and certain details about the consumer's personal information collected by the business9;
  • request that a business delete any personal information about the consumer that the business has collected from the consumer10;
  • direct a business not to sell the consumer's personal information; and
  • not be discriminated against because the consumer exercises any of the consumer's rights under the law11.

In addition, the privacy policy must include a description of one or more designated methods for consumers to submit the relevant requests12. If the business sells personal information, the privacy policy must include a hyperlink to a 'Do Not Sell My Personal Information' webpage that the company must make available to enable a consumer to opt out of the sale13.

The CCPA also contains a requirement for a business to clearly describe the material terms of any financial incentive program it offers14. While the statute reasonably may be interpreted to require this disclosure in the business's privacy policy, the statutory language is not clear. The Draft Regulations, however, introduce additional requirements for the 'Notice of Financial Incentives,' which may be provided as a standalone notice, separate and apart from the privacy policy15.

In addition to the requirements described above, the Draft Regulations would impose a number of other disclosure obligations. For example, the privacy policy would need to include information regarding the process by which a business will verify consumer access and deletion requests, including any information the consumer must provide16, and explain how a consumer can designate an authorised agent to make a request under the CCPA on the consumer's behalf17. The Draft Regulations also require certain other disclosures, such as information about how a consumer with a disability may access the policy in an alternative format18, a contact for questions or concerns about the business's privacy policies and practices19, and the date the policy was last updated20.

Businesses are required to update the CCPA-specific information in their privacy policies at least once every 12 months21. While this is an annuity for lawyers, it is not necessarily useful to consumers if a business's practices have not changed in the preceding 12-month period. Nevertheless, having a recent effective date on a privacy policy shows that a business is keeping a mindful eye on its privacy practices.

Key considerations for businesses

When it comes to drafting a privacy policy, accuracy is critical. Ensuring that a business's information practices are described in a materially complete and accurate manner is often challenging for large companies with complex, varied, and data-intensive operations. Therefore, many companies opt for broad, over-inclusive disclosures to minimise legal risk, but this has the effect of conveying less useful information to consumers. Including broad disclosures in a privacy policy is a common practice, as inaccurate descriptions could place a company in the crosshairs of the Federal Trade Commission ('FTC'). Section 5 of the FTC Act of 1914 prohibits unfair or deceptive trade practices, and the FTC has brought numerous enforcement actions against companies that have misrepresented their information practices in their privacy policies22. An organisation's failure to comply with its privacy representations could constitute a deceptive practice in violation of Section 5. The FTC's use of Section 5 to enforce against material inaccuracies in privacy statements provides a strong incentive for organisations to ensure the accuracy of their privacy and data security assertions.

While companies in the US typically draft broad privacy notices to limit the risk of Section 5 liability, the CCPA requires pinpointed disclosures. Crafting these highly specific provisions is not so straightforward, however, given the CCPA's convoluted drafting and the current lack of final implementing regulations. Businesses, therefore, are faced with a number of difficult decisions when drafting privacy policies to comply with the CCPA. These issues are discussed below.

Should the CCPA provisions be incorporated into, or form a supplement to, the main privacy policy?

In preparing CCPA-compliant provisions, businesses need to decide whether to incorporate the disclosures into the main body of the existing policy or address them in a separate CCPA-specific section or addendum. There are benefits and drawbacks to each approach.

Given the CCPA's highly prescriptive disclosure requirements, incorporating the CCPA provisions into an existing privacy policy inevitably will result in an awkward, less user-friendly document. For example, when listing the categories of personal information the business collects, the CCPA requires that the list follow the categories of personal information set out in the law23. The definition of 'personal information' in the CCPA is unusual; for example, it lumps a consumer's name into the same category as Social Security number, without any differentiation based on the sensitivity of the data elements.

In an effort to avoid adding convoluted and awkward verbiage to the main privacy policy, many companies have chosen to include the required CCPA disclosures in a supplement to the main policy. Creating a CCPA-specific section or addendum allows a company to incorporate the CCPA's prescribed language without damaging the more readable and user-friendly main privacy policy. This approach may need to be revisited if other states pass similar legislation requiring alternate language as it would become untenable to have separate sections for different states.

Other companies have addressed the unwieldy CCPA-required disclosures by incorporating them into the general privacy policy. This approach often has the result of skirting the precise requirements and verbiage of the CCPA. Companies that have chosen this path have opted to address the spirit of the law, but not strictly adhere to its prescriptive requirements.

Should the Draft Regulations be addressed?

Another immediate decision businesses must consider is whether to address the requirements of the Draft Regulations or wait to see if they remain in place in the final rules. Some of the new requirements imposed by the Draft Regulations are easy to implement and already may be addressed in a business's existing privacy policy; for example, providing a point of contact for questions or concerns about the business's privacy policies and practices24, and including the date the policy was last updated25.

Other requirements introduced in the Draft Regulations are more difficult to implement. In particular, the requirement to tie each category of personal information to the relevant sources of the data, purposes of use, and third parties with whom the data was shared, is extremely cumbersome. These obligatory provisions lend themselves to use of a chart format, but such a chart can look awkward and detract from the policy's readability. In addition, many companies undertook significant due diligence in the months following the CCPA's enactment, and those immediate efforts were not designed to elicit information that would allow this type of data matching. Regardless, companies should be prepared to comply with these obligations in the event they remain in the final regulations.

One silver lining that emerged from the Draft Regulations is the concept of providing consumers with a 'meaningful understanding' of the personal information maintained by the business26. A stark contrast remains, however, between the prescriptive language of the statute and the requirement to provide a meaningful understanding. Many companies may choose to adhere to the CCPA's literal disclosure requirements rather than try to address the more abstract 'meaningful understanding' principle.

Should consumers be proactively notified of the CCPA revisions?

When posting a privacy policy that has been updated to address the CCPA's requirements, businesses must consider whether and how to notify consumers of the changes to the policy. The beginning of this decade was marked by countless emails and website pop-ups notifying consumers that businesses had updated their privacy policies, but is such a notification actually required?

The CCPA itself does not obligate companies to notify consumers of revisions to their privacy policies. Instead, a business should look to its existing privacy policy to determine how it has committed to notifying consumers of changes to the policy. As previously mentioned, adherence to representations made in a privacy policy is key to avoiding an FTC enforcement action.

If, for example, a privacy policy states that the business will notify customers via email of any material changes to the policy, the business should consider whether the revisions are, in fact, 'material.' Updates to privacy policies to address the CCPA's requirements generally would not be considered material unless the company has changed its privacy practices. For example, prior to the enactment of the CCPA, many companies stated in their privacy policies that they do not sell personal information. Such statements may need to be revised in light of the CCPA's broad definition of 'sell.' Those revisions likely would not be considered 'material' because they were made to address a change in the law, rather than a change in the business's practices.

Conclusion

The disclosure requirements of the CCPA are intended to create more transparency around companies' information practices. The highly prescriptive, but poorly drafted, language of the CCPA, however, has achieved the opposite result. The privacy policies that follow the letter of the law are lengthy and highly legalistic documents that are unlikely to be read by most consumers. Nevertheless, a business's privacy policy may be the most important public-facing evidence of its effort to comply with the CCPA. As such, it is critical to expend the time and effort necessary to address the CCPA's complex notice requirements and accurately articulate the business's information practices.

Lisa Sotto, Partner
Danielle Dobrusin, Associate
Hunton Andrews Kurth LLP, New York


1. § 1798.130(a)(5); § 1798.135(a)(2) of the California Civil Code ('Cal. Civ. Code').
2. Id. § 1798.110(c).
3. Proposed California Code of Regulations ('Cal. Code Regs.') tit. 11, § 999.308(b)(1)(d)(2).
4. § 1798.130(a)(5)(C) of the Cal. Civ. Code.
5. Id.
6. Proposed Cal. Code Regs. tit. 11, § 999.308(b)(1)(e)(1).
7. Id. § 999.308(b)(1)(e)(3).
8. § 1798.130(a)(5)(A); § 1798.135(a)(2) of the Cal. Civ. Code.
9. Id. §§ 1798.110(a); 1798.115(a).
10. Id. § 1798.105(a).
11. Id. § 1798.125(a)(1).
12. Id. § 1798.130(a)(5)(A).
13. Id. § 1798.135(a)(2).
14. Id. § 1798.115(b)(3).
15. Proposed Cal. Code Regs. tit. 11, § 999.307.
16. Id. §§ 999.308(b)(1)(c); 999.308(b)(2)(c).
17. Id. § 999.308(b)(5)(a).
18. Id. § 999.308(a)(2)(d).
19. Id. § 999.308(b)(6).
20. Id. § 999.308(b)(7).
21. § 1798.130(a)(5) of the Cal. Civ. Code.
22. 15 U.S.C. § 45(a) (2012).
23. § 1798.130(c) of the Cal. Civ. Code.
24. Proposed Cal. Code Regs. tit. 11, § 999.308(b)(6).
25. Id. § 999.308(b)(7).
26. Id. § 999.308(b)(1)(d).