
How Can Your Privacy Policy Meet CCPA and CPRA Requirements?


Let’s imagine you have already published a Privacy Policy on your website or mobile app that follows the California Consumer Privacy Act (CCPA) requirements. On July 1st, 2023, the CPRA entered into force and amended the CCPA, so you now need to update your Privacy Policy. Our lawyers have prepared a guide to the changes you need to implement. Before that, let’s look at the most important differences between the CCPA and the CPRA.


CCPA vs. CPRA

Passed on November 3, 2020, the CPRA amended and expanded the CCPA. Compared to the CCPA, the CPRA aligns more closely with the General Data Protection Regulation (GDPR). This change caused the CPRA requirements to become stricter.

On the other hand, the CPRA raises the thresholds businesses must meet to be covered by California privacy law, which slightly weakens the act.

The revenue thresholds remain the same. If your business’s gross annual revenue exceeds $25 million, or it derives more than 50% of its revenue from selling consumers' personal data, you were subject to the CCPA and are now subject to the CPRA.

The threshold for the number of consumers whose personal information is bought, sold, or shared by your company has changed under the CPRA. When the CCPA was in effect, a company that bought, sold, or shared the personal information of 50,000 or more consumers every year was subject to the CCPA. The CPRA raises that threshold to 100,000. So, small businesses that meet neither this threshold nor the revenue thresholds are not required to comply with the CPRA and do not need to update their Privacy Policy.


What act must be followed to be compliant with California data privacy laws?

As of July 1, 2023, the CPRA is effective and enforceable, so if you match at least one of the thresholds we defined above, it’s time to do a CPRA audit and update your Privacy Policy.


California privacy policy requirements under the CPRA

Below you will find a list of clauses which must be included in every Privacy Policy to satisfy the CPRA requirements.

Types of personal data that you collect

You need to create a list of all personal information your company collects. For example, our tech lawyers wrote a Privacy Policy for Hypelitix, which is a web service that analyzes and provides public Instagram profile data in an automated and aggregated form. The service allows users to track the metadata of posts, IGTV, and profile stories to filter them by hashtags and mentions. The product is focused on B2B marketing agencies in the USA, which means that Hypelitix collects personal data on California residents. This data includes:

  • All available data from the Instagram social network.
  • Processed Data, such as ID, username, profile photo link, bio, verification checkbox, number of posts published, number of followings, number of followers, posts, stories, IGTV, post media, IGTV and stories, including the presence or absence of mentions or hashtags, text recognition on images and videos of an Instagram account.

Please take into consideration that the amended CCPA doubled down on its data minimization principle, so you must collect and process only the minimum personal information necessary to achieve your business purposes. If some user data is not necessary, you must not collect it.

Moreover, you must be aware of how this collection impacts consumers. For example, when an IT product collects geolocation, it can reveal other sensitive personal information, such as health information inferred from visits to healthcare providers.

To avoid CPRA fines and guarantee data security, you will need additional safeguards, such as encryption or automatic deletion.


Sources of obtaining personal data

In this part of your Privacy Policy you must describe all methods used to obtain information from customers. Possible methods include:

  • Directly from customers. For example, when they register or complete forms on a website.
  • Indirectly. For example, through advertising and analytics services, such as Google Ads, Google Analytics, Facebook Ads, or Facebook Analytics. This can also be automated collection of information from customers’ computers, web browsers, or mobile devices.

Before launching a product, it is important to conduct a CPRA audit to identify the product features that obtain information, including the specific methods used, and to describe them in the Privacy Policy.


Use of personal data

For what purposes do you collect personal information? You must answer this question in the “Use of Personal Data” section of your Privacy Policy. For example, if you publish an application you can use information for the following purposes:

  • To provide users with access to the app.
  • To guarantee data safety and security.
  • To provide customer support and communicate with users.
  • To run ad campaigns.
  • To comply with legal obligations under the CCPA in California.
  • To do research and improve the app.


Sharing of personal data

If you intend to disclose customers’ personal information to a third party for business or commercial purposes, you must have a contract in place that requires the contractor to keep the information confidential and use it only for the purposes of the contract. In this part of your Privacy Policy, you need to list the third parties you share information with, for example advertising providers, internet service providers, analytics providers, affiliates, government bodies, and others.


Consumer Rights

Consumers' rights according to California Privacy Policy requirements

The list of consumer rights was updated by the CPRA, so businesses subject to that legislation must add new options to their Privacy Policy. Below you will find the full list of rights, with the new additions under the CPRA marked.

  • Access to personal data. To exercise this right, a customer submits a request via the company’s contact information.
  • Correction of information (new). Customers have the right to correct errors.
  • Deletion of information. Customers have the right to request deletion of their personal data after verification of their identity.
  • Limit the use and disclosure of sensitive information (new). Sensitive information includes social security numbers, driver’s license numbers, passport numbers, bank card numbers, account log-in information, geolocation, postal mail, email, racial or ethnic origin, religious beliefs, biometric data, genetic data, and other categories.
  • Opt out of the sale or sharing of personal data.
  • Opt out of automated decision-making (new).


We recommend that you set a response deadline, for example, 30 days. Moreover, add a disclaimer for cases where the company cannot complete a customer’s request, for example, when you are unable to delete information because of an obligation to comply with the California Electronic Communications Privacy Act.

Moreover, we advise you to avoid complex website or app architecture, because it must be easy for customers to exercise their choices, including opting out of the sale/sharing of personal data or of automated decision-making.

One more clause you must add to a Privacy Policy is a non-discrimination clause, which is required by the CPRA. Non-discrimination means that you are prohibited from discriminating against customers for exercising any of their rights. Discrimination occurs if businesses deny goods or services, charge different prices, or provide different levels or quality of goods and services.


Please review our checklist to make sure your Privacy Policy is CPRA compliant.

  • Did you codify all types of personal information your product collects and processes?
  • Do you follow the data minimization principle?
  • Do you use additional safeguards to guarantee security?
  • Did you describe all methods used to obtain information from customers?
  • Did you create a full list of purposes and third parties you share information with?
  • Did you update the list of rights, adding the right to correct, the right to limit the use and disclosure of sensitive information, and the right to opt out of automated decision-making?
  • Did you explain the right to non-discrimination?
  • Does your product UI allow users to easily exercise their CPRA rights?


If all of the answers are “yes”, your Privacy Policy is CPRA compliant.
