The California Consumer Privacy Act (CCPA) is already the most demanding U.S. state privacy law. By voting "Yes" on Proposition 23 and enacting the California Privacy Rights Act (CPRA), which expands and amends the CCPA, Californians extended their state's privacy law obligations even further.
In addition to affecting the CCPA's scope, the CPRA amendments add some new rights for Californians and new obligations on covered businesses. This article will look at how the CPRA amendments affect your CCPA-compliant Privacy Policy.
The CPRA's Privacy Policy obligations affect different businesses in different ways, so we're going to briefly look at some of the CPRA's new impacts, to help you understand whether and how you need to modify your Privacy Policy.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
-
At Step 1, select the Website option or App option or both.
-
Answer some questions about your website or app.
-
Answer some questions about your business.
-
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. CPRA Obligations and their Impacts on Your Privacy Policy
- 1.1. Sensitive Personal Information
- 1.1.1. Do You Collect or Use Sensitive Personal Information?
- 1.1.2. Right to Limit Use and Disclosure of Sensitive Personal Information
- 1.2. Right to Correct
- 1.3. Right to Opt Out of Personal Information-Sharing
- 1.4. Disclosure of Retention Periods
- 2. Summary of CPRA Privacy Policy Obligations
CPRA Obligations and their Impacts on Your Privacy Policy
The CPRA expands several existing CCPA provisions, as well as adding some new requirements.
For the purposes of this article, we're assuming you already have a CCPA-compliant Privacy Policy. If not, check out our article CCPA Privacy Policy Checklist.
To explain how the CPRA amendments affect your Privacy Policy, we need to explain a few of its key concepts.
Sensitive Personal Information
The CPRA introduces the concept of "sensitive personal information." Businesses that collect or use sensitive personal information have some new Privacy Policy obligations under the CPRA.
Do You Collect or Use Sensitive Personal Information?
There are two types of sensitive personal information. Here's a breakdown of each type:
-
Type 1. Personal information that reveals:
-
A consumer's:
- Social security number
- Driver's license number
- State ID card number
- Passport number
-
A consumer's:
- Account login
- Financial account number
- Debit card number
- Credit card number
-
A consumer's
- Precise geo-location
-
A consumer's:
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union membership
-
Unless your business is the intended recipient, the contents of a consumer's:
- Text messages
-
A consumer's:
- Genetic data
-
-
Type 2.
- Biometric information (for the purpose of uniquely identifying a consumer)
- Health information (when collected AND analyzed)
- Sex life or sexual orientation information (when collected AND analyzed)
Under Section 1798.40 (ae) (3) of the CPRA, sensitive personal information doesn't include publicly available information (with some caveats).
Here's how the CPRA lists the first type of sensitive personal information, under Section 1798.40 (ae) (1):
Here's the second type of personal information, under Section 1798.40 (ae) (2) of the CPRA:
Right to Limit Use and Disclosure of Sensitive Personal Information
Under Section 1798.121 of the CPRA, consumers have the right to request that you limit your use and disclosure of their sensitive personal information. In your Privacy Policy, you'll need to make consumers aware of this new consumer right.
So what does this new right entail? Suppose a consumer submits a "verifiable consumer request" under the right to limit your use and disclosure of their personal information. In that case, you must stop using or sharing their sensitive personal information.
There are some exceptions to this right. You may continue to use or disclose the sensitive personal information of a consumer who has submitted a request, but only:
- As necessary to "perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services,"
- To provide a service listed under subdivisions 2, 4, 5, and 8 of Section 1798.140 of the CCPA
- As permitted by further regulations
Right to Correct
The CPRA introduces a new consumer right: the "right to correct" (also known as the "right to rectification"). You must make consumers aware of their "right to correct" in your Privacy Policy.
The right to correct requires you to:
- Make "commercially reasonable efforts" to correct any inaccurate personal information you hold about a consumer within 45 days of receiving a "verifiable consumer request" (an additional 45-day extension is available if required)
- Make available at least two designated methods of submitting a request under the right to correct, including a toll-free phone number
- Disclose information about the right to correct in your Privacy Policy
Here's the "right to correct" under the CPRA Section 1798.106, with the Privacy Policy obligation highlighted:
The CPRA enhances another consumer right that will affect your Privacy Policy content. Let's take a look.
Right to Opt Out of Personal Information-Sharing
The CPRA expands the CCPA's "right to opt out." While the CCPA granted consumers the right to opt out of the "sale" of their personal information, the CPRA extends this right to the "sharing" of personal information.
Your Privacy Policy must make consumers aware of their right to opt out of the sharing of their personal information and sensitive personal information.
The CPRA's definition of "sharing" personal information encompasses any "communication" of personal information, including for the purposes of "cross-context behavioral advertising."
Many observers believe that using third-party cookies already falls under the CCPA's definition of "sale" (see our article "CCPA: Does Using Third-Party Cookies Count as Selling Personal Information?" for more information about that). But the CPRA removes any ambiguity about this.
Here's the relevant part of the CPRA, at Section 1798.40 (ah) (1):
Note that the usual CCPA exceptions apply to the definition of "sharing," under Section 1798.40 (ah) (2):
If you share personal information, you'll need to set up a page where consumers can exercise their right to opt out, and include a link to this page on your homepage (or app) that reads "Do Not Sell or Share My Personal Information."
Disclosure of Retention Periods
The CPRA amendments require you to disclose the period for which you intend to retain (keep/store) a consumer's personal information and sensitive personal information.
You need to provide the information about data retention in your "notice at collection." However, as we explored in a previous article, it is possible to satisfy the CCPA's "notice at collection" requirements via a section in your Privacy Policy. Therefore, you may wish to include this information in your Privacy Policy.
If you can't say precisely how long you intend to keep a consumer's personal information, you must disclose the criteria you use to determine how long you intend to keep it. However, you must not keep the information "for longer than is reasonably necessary" in connection with your disclosed purpose for collecting it.
For example, you may need to keep a consumer's personal information for six years in order to comply with a legal obligation. Or you may need to keep the consumer's personal information for as long as they hold an account and for four weeks after they close their account.
Here's the relevant part of the CCPA, at Section 1798.100 (3):
Summary of CPRA Privacy Policy Obligations
To comply with the CCPA/CPRA's transparency requirements, you'll need to add the following information to your Privacy Policy by January 1, 2023.
For all businesses:
-
Information about the "right to correct," including:
- An explanation of a consumer's right to correct inaccurate personal information you hold about them
- Instructions on how to make a verifiable consumer request under the right to correct
- A general description of how you will verify a consumer's identity
If you "share" personal information (according to the CRPA's definition):
-
Information about the "right to opt out of personal information-sharing," including:
- An explanation of the consumer's right to opt out of the sharing of their personal information and sensitive personal information
- The contents of, or a link to, your "Do Not Sell or Share My Personal Information" page
If you collect or use "sensitive personal information (according to the CPRA's definition):
-
Information about the "right to limit the disclosure or use of sensitive personal information," including:
- An explanation of this CCPA consumer right
- Instructions on how to make a verifiable consumer request under this right
- A general description of how you will verify a consumer's identity
The CPRA also requires you to disclose how long you intend to retain a consumer's personal information at the point of collection. If you wish to use a section in your Privacy Policy as a "notice at collection," you should include the following information in your Privacy Policy:
- The length of time you intend to retain each category of personal information or sensitive personal information you are collecting from the consumer, OR (if this is not possible)
- The criteria you use to determine how long you will retain each category of personal information or sensitive personal information you are collecting from the consumer
Remember to update your Privacy Policy every 12 months.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.