Privacy Policy
The Statute
Section 1798.130(a)(5) of the CCPA statute is the relevant section for a so-called privacy “policy” (in practice, a privacy statement for the consumption of people outside the organization). It states, in pertinent part, that
(a) In order to comply with Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, a business shall, in a form that is reasonably accessible to consumers:
* * *
(5) Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers’ privacy rights, or if the business does not maintain those policies, on its internet website and update that information at least once every 12 months:
A. A description of a consumer’s rights pursuant to Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125 and one or more designated methods for submitting requests.
B. For purposes of subdivision (c) of Section 1798.110, a list of the categories of personal information it has collected about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information collected.
C. For purposes of paragraphs (1) and (2) of subdivision (c) of Section 1798.115, two separate lists:
i. A list of the categories of personal information it has sold about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information sold, or if the business has not sold consumers’ personal information in the preceding 12 months, the business shall disclose that fact.
ii. A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely describe the personal information disclosed, or if the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business shall disclose that fact.
The Regulations
Section 999.308 of the CCPA Regulations develops the idea of a privacy policy. It states that “[t]he purpose of the privacy policy is to provide the consumers with a comprehensive description of a business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information.” Noteworthy about this privacy policy requirement is the “plain English” mandate of §308(a)(2), which is part of a larger “user friendliness” theme of that section.
Contents of the policy include:¹
1) Right to know about personal information collected, disclosed, or sold;
2) Right to request deletion of personal information;
3) Right to opt-out of the sale of personal information;
4) Right to non-discrimination for the exercise of a consumer’s privacy rights;
5) Authorized agent (i.e., how an authorized agent can make a request on the consumer’s behalf);
6) Contact for more information;
7) Date the privacy policy was last updated;
8) If subject to the requirements set forth in section 999.317(g), which addresses record keeping by the business, the information compiled in section 999.317(g)(1), statistics on consumer requests for the previous calendar year, or a link to it; and
9) If the business has actual knowledge that it sells the personal information of minors under 16 years of age, a description of the processes required by sections 999.330 and 999.331, which describe how to opt into such sales.
- A list of consumer rights cited in §§1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, some examples of which include:
  - Consumer’s right to request disclosure by a business of personal information collected
  - Consumer’s right to request deletion by a business of personal information collected
  - Consumer’s right to request disclosure by a business of personal information sold to third parties
- Personal information collected in the preceding 12 months by category;
- Personal information sold in the preceding 12 months by category;
- Personal information disclosed for a business purpose in the preceding 12 months by category.
1. CCPA Regulations §999.308(c).