This is our fourth blog post in a multi-part series addressing what insurers need to know about the California Consumer Privacy Act (CCPA). This post focuses on a business’ obligations when it comes to their privacy policy, such as including and disclosing certain information regarding consumers’ rights. While this post does not require any background on the CCPA, if you would like the benefit of our preliminary discussions before diving into this post we invite you to start with Part 1: The California Consumer Privacy Act – What Insurers Need to Know.
The CCPA requires a business to provide and maintain, in a reasonably accessible format to its consumers, a privacy policy that includes the following information:
1. A description of a consumers’ rights under the CCPA, including the right to request the information a business has collected on consumers, the right to request the consumers’ information that a business has sold or disclosed to a third party, and the consumers’ right to not be discriminated against for exercising their CCPA rights.
2. Instructions on how California consumers can request access to and deletion of their personal information. At a minimum, a business should have a toll-free telephone number, and if the business maintains a website, a web site address to submit requests for information.
3. If you sell personal information, a link to your “Do Not Sell My Personal Information” page so that consumers can opt-out of the business’ collection efforts. The opt-out provision provides that consumers shall have the right to direct a business that sells personal information about the consumers to third parties not to sell the consumers’ personal information. Notably, if a business does not sell consumers information, their privacy policy must clearly state that fact.
4. A list of the categories of personal information collected over the past 12 months. A business’ privacy policy must include a list of the categories of personal information it has collected about consumers in the preceding 12 months by reference to the enumerated category or categories referenced in the CCPA’s definition of personal information that most closely describes the personal information collected.
5. Your sources of each category of personal information you collect. A business must disclose the sources from which the personal information is collected and the categories of third parties with whom the business shares personal information.
6. Your purposes for collecting each category of personal information. A business is required to disclose the business or commercial purpose for collecting or selling personal information.
7. A list of all the categories of personal information you have sold over the past 12 months. A business is required to publish within its privacy policy two separate lists; one for the categories of personal information it has sold, and another for the categories of information it has disclosed for a business purpose. Specifically, a business must publish a list of categories of personal information the business has sold in the preceding 12 months by reference to the enumerated category or categories referenced in the CCPA’s definition of personal information that most closely describes the personal information collected, or, if the business has not sold consumers’ personal information in the preceding 12 months, the business must also disclose that fact.
8. A list of all the categories of personal information you have disclosed for business purposes over the past 12 months. A business must also publish a list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months by reference to the enumerated category that most closely describes the personal information disclosed, or, if the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business must disclose that fact.
9. Routinely update your privacy policy every 12 months and indicate the date that the policy was last updated within the policy.
In addition to the privacy policy requirements outlined in the CCPA, the California Attorney General (AG) issued proposed regulations that include additional requirements. Specifically, the California AG notes that the privacy policy section in the proposed regulations, which can be found at Section 999.308, requires that the privacy policy:
- Use plain and easily understandable language, use a conspicuous format, and be easy to read on smaller screens, be accessible to disabled consumers or at a minimum provide information on how consumers with a disability may access the privacy policy, and be available in an additional format that allows consumers to easily print the policy out as a separate document
- Be posted online through a conspicuous link using the word privacy on the business’s website homepage or on the download or landing page of a mobile application
- Must state whether or not the business sells the personal information of minors under 16 years of age without affirmative authorization
- Must describe the process the business will use to verify consumers’ requests, including any information the consumers must provide
- Must explain how consumers can designate an authorized agent to make a request under the CCPA on the consumers’ behalf
- Provide consumers with a contact for questions or concerns about the business’s privacy policies and practices using a method reflecting the manner in which the business primarily interacts with the consumers
The CCPA becomes effective January 1, 2020. Now is a prudent time to have an assessment of your privacy policy completed to determine compliance with the CCPA. Likewise, a discussion should be had regarding whether you will maintain one privacy policy for all consumers, add an addendum for California residents to your existing privacy policy, create an entirely different policy for California residents, or whether you feel another course of action would be best suited for your business.
If you have any questions concerning your privacy policy or the CCPA in general, you can read our previous blog posts on the CCPA here: Part 1, Part 2, and Part 3. In addition, Goldberg Segalla offers a comprehensive CCPA Compliance Package tailored to your specific business. For more information on how Goldberg Segalla can help you comply with the CCPA, please contact any of the authors or partner Marc S. Voses, chair of the Cybersecurity and Data Privacy Practice Group.