Do I Need a Privacy Policy? The California Consumer Privacy Act and Beyond

On January 1, 2020, the California Consumer Privacy Act of 2018 (the “CCPA”) went into effect. An expansive piece of legislation, the CCPA grants consumers (i.e., natural persons who are California residents) certain rights concerning the use of their personal information. Such rights include (a) allowing consumers to request that a business disclose to the consumer the specific pieces of personal information about that consumer that the business collects; and (b) requiring businesses to inform consumers, at or before the point of collection of any personal information, as to the categories of personal information to be collected and the purposes for which such personal information shall be used. See California Civil Code §1798.100.

Furthermore, the CCPA allows a consumer to request that businesses delete any personal information about such consumer that the business has collected from the consumer. See California Civil Code §1798.105(a). In addition, consumers may request that a business disclose to the consumer the categories of third parties with whom the business shares such personal information. See California Civil Code §1798.105(b). What’s more, consumers may request that a business that sells personal information about the consumer to third parties not to sell such personal information. See California Civil Code §1798.120(a). To this end, such business may also be required to add to their Internet homepage a clear and conspicuous link titled “Do Not Sell My Personal Information” that enable a consumer, or a person authorized by the consumer, to opt out of the sale of such personal information. See California Civil Code §1798.135.

Accordingly, the rights of consumers, as well as the obligations of businesses has significantly expanded thanks to the newly enacted CCPA. What’s clear is that businesses that collect personal information about consumers now have greater responsibilities in terms of how they obtain such information as well as how they handle such information moving forward.

It is important to note that only certain “businesses” are currently subject to the CCPA. To this end, the CCPA defines a “business” to include any business (including any sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity) that does business in the State of California, operates on a for-profit basis and falls into one or more of the following categorie

1. Has gross annual revenues in excess of $25 million;
2. Annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers (i.e., California residents), households or devices; or
3. Derives 50% or more of annual revenues from selling consumers’ (i.e., California residents’) personal information.

See California Civil Code §1798.140(c)(1).

To this end, any entity that controls or is controlled by—and shares common branding, such as a shared name, service mark, or trademark, with—a business that falls under categories 1-3 above is also subject to the CCPA. See California Civil Code §1798.140(c)(2). As such, affiliates, subsidiaries and parent companies of such “businesses” could be subject to the CCPA.

Additionally, under California law, a privacy policy is required for any “operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service.” See Cal. Bus. & Prof. Code Sec. 22575(a). The categories of “personally identifiable information” are quite broad and include identifiable information about an individual consumer collected online, including first and last names, physical addresses, email addresses, phone numbers, social security numbers, and/or any other information that may permit the physical or online contacting of a specific individual. See Cal. Bus. & Prof. Code Sec. 22577(a).

Not only should a privacy policy strive to address the requirements set forth in the CCPA, it should also address the following items:

1. Identify the categories of personally identifiable information collected through the website or online service;

2. Provide a description of the process, if any, for an individual consumer to review and request changes to any of his or her personally identifiable information that is collected through the website or online service;

3. Describe the process by which consumers are notified of material changes to the privacy policy;

4. Identify the privacy policy’s effective date;

5. Disclose how the website operator responds to Web browser “do not track” signals, including the option to provide a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description of any program or protocol the operator follows that offers consumers the choice as to how his or her personal information is collected via the consumer’s online activities over time and across third-party websites or online services (if the operator engages in such collection); and

6. Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities when the consumer uses the operator’s website or service.

See Cal. Bus. & Prof. Code Sec. 22575(b).

Failure to comply with the foregoing obligations could result in substantial liability. A business is considered out of compliance with the requirements of the CCPA as well as the California Business and Professions Code if within thirty (30) after being notified of noncompliance the business fails to rectify such noncompliance. See California Civil Code §1798.155(b); Cal. Bus. & Prof. Code Sec. 22575(a). Should a business fail to cure such noncompliance with the CCPA, they can be subject to an injunction as well as civil penalties up to $2,500 for each un-intentional violation or $7,500 for each intentional violation. See California Civil Code §1798.155(b).

Federal law also regulates the collection, safeguarding, sharing and/or use of personal information. For instance, pursuant to the Children’s Online Privacy Protection Act (COPPA), an operator of a website and/or online service (including mobile applications) that is targeted at children under the age of 13, or knowingly collects information about children under the age of 13, is required to post on its website and/or online service a clear and conspicuous privacy policy that describes its privacy practices; namely for personal information collected online from children. See 15 U.S.C. §§6501-6505. Under the Gramm-Leach-Bliley Act (GLBA), financial institutions are required to safeguard sensitive, personal data as well as provide clear and conspicuous statements about their information-sharing practices, namely as it relates to nonpublic personal information. See 15 U.S.C. §§6801-6809. Pursuant to the Health Insurance Portability and Accountability Act (HIPAA), businesses are required to provide written notice of their privacy practices involving protected health information. See 45 C.F.R. §164.520.

Based on the foregoing, business that operate websites and collect personal information about individuals should establish written protocols to address how they collect, share and otherwise use such information, including setting forth a clear and conspicuous online privacy policy. It’s best not to wait until one is notified that they are out of compliance. Proactivity is often the key to mitigating liability before it arises.

DISCLAIMER: Legal advice is the application of law to an individual’s specific circumstances. This article was prepared for general information purposes only. This article is not legal advice and is not to be acted on as such. Poole Shaffery & Koegle, LLP disclaims any intent to provide legal advice to, or to form an attorney-client relationship with, any person using this article. Please consult a lawyer for information and advice that is particular to your situation.