California’s strict privacy laws significantly shape how Privacy Policies must be created and presented. Importantly, these laws apply to your business even if it’s not based in California—or the U.S. In this article, we will delve into each relevant law, give a simple overview, and offer guidance on how to comply with each law.
A Brief Overview of California Privacy Laws
California has enacted several stringent privacy laws that set a high standard for data protection and transparency. Understanding these laws is crucial for any business, regardless of its location, as they affect how Privacy Policies must be crafted and presented. The three main privacy laws in California are:
- California Consumer Privacy Act (CCPA);
- California Online Privacy Protection Act (CalOPPA); and
- Children’s Online Privacy Protection Act (COPPA).
The California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA), which came into effect in 2020, established comprehensive privacy rights and consumer protections for residents of California. The CCPA mandates that businesses must be transparent about the personal data they collect and how it is used. Key features of the CCPA include:
- Transparency Requirements
The CCPA requires businesses to inform consumers about the categories of personal data collected, the purposes for which it is used, and the categories of third parties with whom this information is shared.
- Consumer Rights
Consumers have the right to access their personal data, request its deletion, and opt out of its sale. They must also be informed of these rights in the business’s Privacy Policy.
- Amendments and Expansion
In January 2023, the California Privacy Rights Act (CPRA) amended and expanded the CCPA. The CPRA introduced additional protections, including the right to correct inaccurate personal information and limitations on the use of sensitive personal data.
- Enforcement and Penalties
The CCPA allows consumers to sue businesses that fail to comply with its requirements, providing a powerful enforcement mechanism. Additionally, the California Attorney General can impose fines for non-compliance.
CCPA Compliant Privacy Policy
Key Requirements
- Annual Updates: The CCPA requires companies to update their Privacy Policy annually. To meet this requirement, ensure that your policy includes the date it was last updated. While it’s common to list the date at the beginning of the Privacy Policy, placement anywhere in the document is acceptable as long as it is clear.
- ‘Do Not Sell My Personal Information’ Link: The CCPA (CPRA) mandates that companies display a ‘clear and conspicuous’ link titled “Do Not Sell My Personal Information” on both their homepage and within their Privacy Policy. Companies that do not sell personal information are exempt but should clarify this in their policy to ensure transparency. For those that do sell personal data, this link must guide consumers on how to opt out.
- Conspicuous Privacy Policy Link: Your Privacy Policy must be easily accessible. Standard practice is to place the link in the website footer, ensuring it is prominent and easily found by visitors.
- Children’s Opt-In: The CCPA (CPRA) stipulates that companies can only sell the personal data of children aged 13-16 if they have opted in. For children under 13, parental consent is required. Include a clause in your Privacy Policy explaining this requirement.
- Consumer Rights: The CCPA (CPRA) grants several rights to consumers, including:
  - The right to know if their personal information is being collected.
  - The right to access and correct their personal data.
  - The right to delete their personal data.
  - The right to limit the use of their personal data.
  - The right to opt out of data sharing with third parties.
  - The right not to be discriminated against for exercising their rights under the CCPA.
To comply, your Privacy Policy should:
- Inform users about the collection of their personal information and the categories of data collected.
- Explain how users can access, correct, or delete their personal data.
- Detail how users can opt out of data sharing and who their data has been shared with.
- Assure users they will not be discriminated against for exercising their rights.
The California Online Privacy Protection Act (CalOPPA)
Enacted in 2003, the California Online Privacy Protection Act (CalOPPA) was the first state law in the United States to require commercial websites and online services to post a privacy policy. Key provisions of CalOPPA include:
- Privacy Policy Requirements
CalOPPA mandates that websites and online services conspicuously post a privacy policy detailing the types of personal information collected, third parties with whom the data is shared, and how users can review and make changes to their personal information.
- Do Not Track (DNT) Disclosure
Companies must include a disclosure in their privacy policies explaining how they respond to DNT signals from web browsers, the browser setting through which users signal that they do not want to be tracked by websites.
- Conspicuous Posting
The law requires that the privacy policy be posted conspicuously on the company’s website. This means it must be easily accessible, often placed in the footer or a similar prominent location.
CalOPPA Compliant Privacy Policy
Key Requirements
- Conspicuous Posting: CalOPPA mandates that your Privacy Policy be prominently displayed on your homepage. The link should be visible, using the word “Privacy” to make it clear.
- ‘Do Not Track’ Clause: CalOPPA requires companies to disclose how they respond to DNT requests. While the law does not mandate compliance with DNT requests, it requires that your Privacy Policy state your company’s stance clearly.
- Effective Date: Include the effective date or the last update date in your Privacy Policy. This is typically listed at the top of the policy.
- Communication of Policy Updates: Explain how users will be informed of updates to the policy. This might include email notifications, website notices, or prompts for users to review changes.
- Consumer Rights Disclosure: CalOPPA grants consumers the right to know what personal information is collected and shared. Your Privacy Policy must include clauses explaining these rights and provide a contact method for further inquiries.
The Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA) is a federal law that applies to the collection of personal data from children under the age of 13. COPPA sets strict requirements to protect children’s privacy online:
- Parental Consent
COPPA requires that websites and online services obtain verifiable parental consent before collecting personal information from children under 13. This can be achieved through various methods such as consent forms, payment systems, or phone calls.
- Privacy Policy Requirements
Websites must include specific information in their privacy policies about their data collection practices, including what information is collected from children, how it is used, and whether it is shared with third parties.
- Posting Requirements
The privacy policy must be prominently posted on the website, and the link to it should be easily distinguishable from other links. Additionally, the policy must be clear and written in language that children can understand.
- Parental Rights
Parents have the right to review and delete their child’s personal information and to refuse further data collection or use. Websites must provide a clear process for parents to exercise these rights.
COPPA Compliant Privacy Policy
Key Requirements
- Prominent Display: COPPA requires that Privacy Policies be clearly visible on any page collecting children’s data, as well as on the homepage. Unlike other laws, the link must stand out distinctly from other links, perhaps through bold or larger font.
- Understandable Language: Your Privacy Policy must be easy to understand, especially for children. Ensure that it is written in clear, simple language.
- Parental Rights: COPPA grants parents the right to access, refuse further data collection, and delete their child’s data. Your Privacy Policy should include a clause about these rights and explain the procedures for exercising them.
- Parental Consent and Verification: Websites and apps must obtain verifiable parental consent before collecting data from children under 13. Methods can include downloadable consent forms, credit card verification, toll-free numbers, or digital signatures. Disclose your verification method in your Privacy Policy.
- Third-Party Data Sharing: COPPA restricts sharing children’s data with third parties unless necessary for the website or app to function. If data sharing is necessary, inform parents and provide opt-out methods.
- Notifying Parents of Major Changes: COPPA requires direct notification to parents of any significant changes to your Privacy Policy. Ensure your policy includes a clause about how these notifications will be made.
Other Essential Privacy Policy Clauses
In addition to California-specific requirements, every privacy policy should include certain standard clauses:
- What Data We Collect: Inform individuals about the personal data your company collects. Be as detailed and inclusive as possible, updating the clause if you start collecting additional information.
- How We Use Personal Data: Explain why your company collects personal data and how it is used. Be thorough to ensure transparency.
- How We Keep Data Secure: Detail the measures your company takes to protect personal data. While specific methods need not be disclosed, general information on security practices should be included.
- Data Retention: Explain how long personal data is retained and the reasons for data retention. Regular data purges should be conducted to ensure compliance with retention policies.
- Changes to the Privacy Policy: Advise users that the Privacy Policy may change and explain how they will be notified of significant updates.
- How to Contact Us: Provide clear contact information for users to reach out with questions or concerns about the Privacy Policy.
Are you looking to sort out compliance with California’s privacy laws?
If you want to simplify compliance with California’s data privacy laws, GetTerms is the easiest compliance solution on the market. After asking you a few quick questions, we’ll create all of the legal documents your business needs. You’ll also get access to our awesome cookie consent management platform!
- Privacy policy ✅
- Terms and conditions ✅
- Acceptable use policy ✅
- Cookie policy ✅
- Return policy ✅
- Cookie banner ✅
- Cookie consent management platform ✅
Trusted by 500k customers. Unlimited policy edits. 100% money-back guarantee.
Try our privacy policy generator