California’s strict privacy laws significantly shape how Privacy Policies must be created and presented. Importantly, these laws apply to your business even if it’s not based in California—or the U.S. In this article, we will delve into each relevant law, give a simple overview, and offer guidance on how to comply with each law.
A Brief Overview of California Privacy Laws
California has enacted several stringent privacy laws that set a high standard for data protection and transparency. Understanding these laws is crucial for any business, regardless of its location, as they affect how Privacy Policies must be crafted and presented. The three main privacy laws in California are:
- California Consumer Privacy Act (CCPA);
- California Online Privacy Protection Act (CalOPPA); and
- Children’s Online Privacy Protection Act (COPPA).
The California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA), which came into effect in 2020, established comprehensive privacy rights and consumer protections for residents of California. The CCPA mandates that businesses must be transparent about the personal data they collect and how it is used. Key features of the CCPA include:
- Transparency Requirements
The CCPA requires businesses to inform consumers about the categories of personal data collected, the purposes for which it is used, and the categories of third parties with whom this information is shared.
- Consumer Rights
Consumers have the right to access their personal data, request its deletion, and opt out of its sale. They must also be informed about these rights in the business’s Privacy Policy.
- Amendments and Expansion
In January 2023, the California Privacy Rights Act (CPRA) amended and expanded the CCPA. The CPRA introduced additional protections, including the right to correct inaccurate personal information and limitations on the use of sensitive personal data.
- Enforcement and Penalties
The CCPA allows consumers to sue businesses that fail to comply with its requirements, providing a powerful enforcement mechanism. Additionally, the California Attorney General can impose fines for non-compliance.
CCPA Compliant Privacy Policy
Key Requirements
- Annual Updates: The CCPA requires companies to update their Privacy Policy annually. To meet this requirement, ensure that your policy includes the date it was last updated. While it’s common to list the date at the beginning of the Privacy Policy, placement anywhere in the document is acceptable as long as it is clear.
- ‘Do Not Sell My Personal Information’ Link: The CCPA (CPRA) mandates that companies display a ‘clear and conspicuous’ link titled “Do Not Sell My Personal Information” on both their homepage and within their Privacy Policy. Companies that do not sell personal information are exempt but should clarify this in their policy to ensure transparency. For those that do sell personal data, this link must guide consumers on how to opt out.
- Conspicuous Privacy Policy Link: Your Privacy Policy must be easily accessible. Standard practice is to place the link in the website footer, ensuring it is prominent and easily found by visitors.
- Children’s Opt-In: The CCPA (CPRA) stipulates that companies can only sell the personal data of children aged 13-16 if they have opted in. For children under 13, parental consent is required. Include a clause in your Privacy Policy explaining this requirement.
- Consumer Rights: The CCPA (CPRA) grants several rights to consumers, including:
- The right to know if their personal information is being collected.
- The right to access and correct their personal data.
- The right to delete their personal data.
- The right to limit the use of their personal data.
- The right to opt out of data sharing with third parties.
- The right not to be discriminated against for exercising their rights under the CCPA.
To comply, your Privacy Policy should:
- Inform users about the collection of their personal information and the categories of data collected.
- Explain how users can access, correct, or delete their personal data.
- Detail how users can opt out of data sharing and who their data has been shared with.
- Assure users they will not be discriminated against for exercising their rights.
Sample CCPA Policy Structure
- Introduction:
i. A brief overview of your commitment to privacy and the purpose of the Privacy Policy.
- Personal Data Collection:
i. Detailed list of what personal data is collected.
ii. Purpose of data collection.
- Consumer Rights:
i. Detailed explanation of rights under CCPA.
ii. Instructions on how to exercise these rights.
- Data Sharing and Opt-Out:
i. Information on third parties with whom data is shared.
ii. Clear instructions and links for opting out.
- Children’s Privacy:
i. Explanation of consent requirements for children’s data.
- Policy Updates:
i. Date of last update and method of notifying users of changes.
- Contact Information:
i. How users can reach out for more information or concerns.
The California Online Privacy Protection Act (CalOPPA)
Enacted in 2003, the California Online Privacy Protection Act (CalOPPA) was the first state law in the United States to require commercial websites and online services to post a privacy policy. Key provisions of CalOPPA include:
- Privacy Policy Requirements
CalOPPA mandates that websites and online services conspicuously post a privacy policy detailing the types of personal information collected, third parties with whom the data is shared, and how users can review and make changes to their personal information.
- Do Not Track (DNT) Disclosure
Companies must include a disclosure in their privacy policies explaining how they respond to DNT signals from web browsers, which allow users to opt out of tracking by websites.
- Conspicuous Posting
The law requires that the privacy policy be posted conspicuously on the company’s website. This means it must be easily accessible, often placed in the footer or a similar prominent location.
CalOPPA Compliant Privacy Policy
Key Requirements
- Conspicuous Posting: CalOPPA mandates that your Privacy Policy be prominently displayed on your homepage. The link should be visible, using the word “Privacy” to make it clear.
- ‘Do Not Track’ Clause: CalOPPA requires companies to disclose how they respond to DNT requests. While the law does not mandate compliance with DNT requests, it requires that your Privacy Policy state your company’s stance clearly.
- Effective Date: Include the effective date or the last update date in your Privacy Policy. This is typically listed at the top of the policy.
- Communication of Policy Updates: Explain how users will be informed of updates to the policy. This might include email notifications, website notices, or prompts for users to review changes.
- Consumer Rights Disclosure: CalOPPA grants consumers the right to know what personal information is collected and shared. Your Privacy Policy must include clauses explaining these rights and provide a contact method for further inquiries.
Sample CalOPPA Policy Structure
- Introduction:
i. Overview of the policy’s purpose and commitment to transparency.
- Information Collection:
i. Description of data collected.
- ‘Do Not Track’ Policy:
i. Explanation of how DNT requests are handled.
- Consumer Rights:
i. Rights to access, review, and delete personal data.
- Policy Updates:
i. Date of the last update and method of informing users of changes.
- Contact Information:
i. How to reach the company with questions or concerns.
The Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA) is a federal law that applies to the collection of personal data from children under the age of 13. COPPA sets strict requirements to protect children’s privacy online:
- Parental Consent
COPPA requires that websites and online services obtain verifiable parental consent before collecting personal information from children under 13. This can be achieved through various methods such as consent forms, payment systems, or phone calls.
- Privacy Policy Requirements
Websites must include specific information in their privacy policies about their data collection practices, including what information is collected from children, how it is used, and whether it is shared with third parties.
- Posting Requirements
The privacy policy must be prominently posted on the website, and the link to it should be easily distinguishable from other links. Additionally, the policy must be clear and written in language that children can understand.
- Parental Rights
Parents have the right to review and delete their child’s personal information and to refuse further data collection or use. Websites must provide a clear process for parents to exercise these rights.
COPPA Compliant Privacy Policy
Key Requirements
- Prominent Display: COPPA requires that Privacy Policies be clearly visible on any page collecting children’s data, as well as on the homepage. Unlike other laws, the link must stand out distinctly from other links, perhaps through bold or larger font.
- Understandable Language: Your Privacy Policy must be easy to understand, especially for children. Ensure that it is written in clear, simple language.
- Parental Rights: COPPA grants parents the right to access, refuse further data collection, and delete their child’s data. Your Privacy Policy should include a clause about these rights and explain the procedures for exercising them.
- Parental Consent and Verification: Websites and apps must obtain verifiable parental consent before collecting data from children under 13. Methods can include downloadable consent forms, credit card verification, toll-free numbers, or digital signatures. Disclose your verification method in your Privacy Policy.
- Third-Party Data Sharing: COPPA restricts sharing children’s data with third parties unless necessary for the website or app to function. If data sharing is necessary, inform parents and provide opt-out methods.
- Notifying Parents of Major Changes: COPPA requires direct notification to parents of any significant changes to your Privacy Policy. Ensure your policy includes a clause about how these notifications will be made.
Sample COPPA Policy Structure
- Introduction:
i. Overview of the policy’s purpose, focusing on protecting children’s privacy.
- Data Collection:
i. Detailed list of data collected from children.
- Parental Rights:
i. Explanation of parental rights and how to exercise them.
- Parental Consent:
i. Methods for obtaining and verifying consent.
- Third-Party Sharing:
i. Information on data sharing with third parties and opt-out methods.
- Policy Updates:
i. Procedure for notifying parents of significant changes.
- Contact Information:
i. How parents can contact the company for more information.
Understanding and complying with these laws is essential for businesses that handle personal data. By aligning their Privacy Policies with the requirements of the CCPA, CalOPPA, and COPPA, businesses can ensure they respect consumer privacy and avoid potential legal penalties.
Other Essential Privacy Policy Clauses
In addition to California-specific requirements, every Privacy Policy should include certain standard clauses:
- What Data We Collect: Inform individuals about the personal data your company collects. Be as detailed and inclusive as possible, updating the clause if you start collecting additional information.
- How We Use Personal Data: Explain why your company collects personal data and how it is used. Be thorough to ensure transparency.
- How We Keep Data Secure: Detail the measures your company takes to protect personal data. While specific methods need not be disclosed, general information on security practices should be included.
- Data Retention: Explain how long personal data is retained and the reasons for data retention. Regular data purges should be conducted to ensure compliance with retention policies.
- Changes to the Privacy Policy: Advise users that the Privacy Policy may change and explain how they will be notified of significant updates.
- How to Contact Us: Provide clear contact information for users to reach out with questions or concerns about the Privacy Policy.
Wrapping Up
In summary, three main California laws—the CCPA (including the CPRA update), CalOPPA, and COPPA—significantly shape how businesses must create and display their Privacy Policies. While each law has its specific requirements, they collectively aim to protect the personal data of Californians, ensure clear and accessible Privacy Policies, and inform individuals about data collection practices and their rights.
To comply effectively, your Privacy Policy should clearly state what personal information you collect and why, how you safeguard this data, and how users can exercise their rights to access, delete, or opt out of data sharing. Make sure your Privacy Policy is easy to find on your website, enhancing transparency and fostering trust with your users.
To assist you in creating a compliant Privacy Policy tailored to your business, tools like the GetTerms Privacy Policy Generator offer a simple solution, ensuring you meet legal standards while maintaining user confidence in your data handling practices. Create an account and get started in 5 minutes.