Update 4-24-2020: I’ve updated this post for 2020, as there’s big news – the CCPA (which I’ll discuss throughout the post) has gone into effect and they’ll begin enforcing it in July 2020. If it applies to you, it’s time to get compliant! I’ll show you how in this post.
Let’s be real: Unless you’ve been living under a rock, you probably know how important privacy is in 2020 and beyond. Most of all, you need to be sure to have a proper privacy policy that meets the requirements of the California privacy laws.
In this post, I’ll discuss the various California online privacy policy requirements, including those for the new California Consumer Privacy Act that recently went into effect!
Let’s get started.
California online privacy policy requirements – Why should you care?
If you’re doing business on the Internet, you’re probably doing business in California. As the fifth-largest economy in the WORLD, California has a ton of people online.
Unless you’re geoblocking California residents from using your website, game, or application, you need to pay attention. That means following California’s various privacy laws.
The laws that are in place right now are:
- CalOPPA – this is the one that requires that you have a public privacy policy available
- “Shine the Light” law – this is the one that deals with sharing personal info to third parties for direct marketing purposes
- California Civil Code Section 179.85 – prohibits publicly posting Social Security Numbers or requiring their transmission over an unencrypted connection, among other things
- Privacy Rights for California Minors in the Digital World – this requires that minors are allowed to have their personal information and other materials deleted upon request, such as social media postings
- COPPA – federal law requiring parental consent before you can collect personal information from children under 13 – applies across the US
- The big one (and the new kid in town), the California Consumer Privacy Act of 2018 which went into effect on January 1, 2020.
That last one is a sweeping overhaul of California’s privacy requirements. If you plan to keep doing business that’s in any way connected to online users in California, you’d better pay attention to this law and its requirements.
My CCPA Compliance Checklist
I’ve been helping clients with their CCPA compliance, which at the time of this writing (April 2020), is still quite difficult.
This is because, while the law has been passed, the actual implementation is still in flux. The CA Attorney General has been taking public comments and issuing regulations to iron out some of the issues that the hastily-written original law has. You can see the records of all this here.
For now, though, the following plan of attack should help you to prepare for CCPA compliance, if you haven’t already. Obviously, you’re going to want some individualized assistance from an attorney on implementing this.
Want my full 2020 CCPA Compliance Guide? Just sign up for my newsletter using the form below and you’ll get it sent to your inbox, along with all of my other FREE eBooks, right away!
CCPA Compliance Strategy Plan
First things first – you need to have a plan. This usually starts with a Data Map, which shows:
- What data you’re collecting from users
- Why you’re collecting it
- Who you’re sharing it with
- How you’re protecting it and allowing user requests for information, deletion, etc.
- And more.
Having this Data Map gives you the “big picture” that you can work from in complying with CCPA and GDPR, as well as any other privacy-related laws.
Update your Privacy Policy
CCPA requires a few important updates to your privacy policy, including:
- Informing users what data you’re collecting and why, as well as who you’re sharing it with (you probably already do this if you’re GDPR-compliant)
- Informing CA users of their rights, such as the right to information, deletion, and to opt out of the sale of their personal information
- Informing CA users of how they can submit those requests regarding their personal information
- If required, putting a link on your homepage and in your privacy policy for CA users to opt out of the sale of their personal information (this one seems to be in flux under the regulations being written by the CA Attorney General and as courts figure out the meaning of “sell” under the law)
Implement training for employees
If you have employees who are going to be handling CA user requests regarding personal information, or if they’re handling the users’ personal information, you need to implement some kind of training for them in how to stay CCPA compliant.
Strengthen your cybersecurity practices
As part of the Data Mapping process above, you got a handle on what personal data you’re processing. Now, you need to implement processes to strengthen your cybersecurity in order to protect that personal information.
Update agreements with service providers
You should review existing agreements with your service providers, to make sure that they include the kind of language required by the CCPA.
For example, while you may have a GDPR-compliant Data Processing Agreement in place, this may not cover certain aspects of CCPA compliance.
If you’re hoping to avoid the overly broad definition of “selling” personal information in the CCPA, you’re going to want very specific language in these agreements. This language will limit what your service provider can do with personal information you provide them from California users.
Now, let’s take a look at more of the specific requirements behind CCPA, starting with whether it applies to you in the first place.
CCPA – who does it apply to?
The CCPA applies to you or your business if you meet the following criteria:
- If you do business for profit in California or reaching into California,
- You take personal information from California users/consumers (including those who live in CA but are traveling outside the state at the time you collect their personal info), and
- One of the following applies to you: (i) you have at least $25 million in annual revenue, (ii) you buy, receive for commercial purposes, sell, or share for commercial purposes the personal information of at least 50,000 users in California, or (iii) at least half of your revenue comes from selling users’ personal information.
It’s actually unclear whether the 50,000 user threshold means 50,000 Californians or 50,000 users total – the definitions aren’t great in the law and so it’s difficult to determine. I anticipate this will be cleared up by July 1, 2020 when they begin enforcement.
Regardless, if you don’t meet those thresholds, then you are probably safe (at least from the CCPA).
How does the CCPA define “personal information”?
The CCPA expands the definition of personal information from prior California laws.
Generally, “personal information” means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Straight from the law, the types of data that fall under this category now are:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Any categories of personal information described in subdivision (e) of Section 1798.80 (Zack’s note: this is a separate list from another law, but similar to the above).
- Characteristics of protected classifications under California or federal law.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information (Zack’s note: yes, information about a person’s smells could be personal information).
- Professional or employment-related information.
- Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
That’s a big list.
But most companies are only taking a small amount of that from users. It’s worth taking the time to check this list against your Data Map, to be sure you’re not collecting information that’s not necessary.
Generally, you’re going to want to minimize the amount of personal information you’re collecting and processing – it’s just a good practice in general.
This also helps you streamline your privacy practices, whether it’s writing your privacy policy, handling user data requests, or keeping things secure.
What does the CCPA require?
A lot.
In a way, it’s California’s version of the GDPR.
This means that it seeks to give California residents much more transparency and control over what personal information is being collected, shared, and processed by businesses online, much like the EU’s GDPR, which requires many of the same things (with some significant differences).
Aside from disclosing to users what personal information you are collecting, how you’re processing it, and who you’re sharing it with, you also have the responsibility to honor various requests from users.
These are similar to the various rights that EU citizens have under the GDPR.
What rights do users have and what can they request from you?
Users have 5 main rights under the CCPA:
- The right to know what information you have about them: If the user requests, you must disclose what you’ve collected (both the specific information and the general categories of info), where you collected it from, what the purpose of that collection was, and who you’ve shared it with.
- The right to request deletion of personal information: If the user requests, you must delete their personal information and tell any third parties that you shared it with to delete it, as well. Also, you need to inform them of this right in your privacy policy or elsewhere.
- The right to request details about the sale of personal information: If requested, you need to give details about your sale of their personal information, including the categories of info you collect, categories of info you sell, categories of third parties it was sold to, and the categories of personal info disclosed for “business purposes,” such as advertising and security.
- The right to opt out of the sale of personal information: All consumers need the right to opt out of your selling of their personal info. However, if the user is under 16, they need to explicitly opt-in to this sale. And if the user is under 13, parental consent is needed (similar to existing COPPA laws).
- The right to be free from discrimination: If a user exercises one of the above 4 rights, you are not allowed to discriminate against them because of it. This means you can’t deny them service, charge them a different price, provide a different service quality to them, or (prior to them exercising their right) “suggest” that they may receive different service because of that request.
As for that last one, you may still charge them a different price as long as the change in price is reasonably related to the fact that their refusal to give personal info affects your ability to provide them the service.
According to the text of the law, you need to have two methods available for sending these requests:
- A toll-free number they can call; and
- A web page where the requests can be made online.
2020 Update Note: This two-method requirement appears to be flexible with regard to online-only companies. We’ll have to wait until the final regulations are approved to know for sure.
Additionally, if you’re selling personal information and subject to #4 above, you need to have a conspicuous link on your site that says “Do Not Sell My Information”, which leads to the opt-out request.
2020 Update Note: This is another requirement that is getting adjusted in the regulations – it may only apply to those who are, or anticipate, selling information. Those who don’t plan to sell personal information may not require this. However, the definition of “selling” is a bit broad and unclear under CCPA, so consult an attorney for more help.
What are the penalties?
If you are subject to the CCPA and you fail to follow its provisions, you could be subject to a few different types of penalties. These are:
- A monetary penalty of the greater of either $750 or the actual damages the user suffered;
- Injunctive relief by a court (which could include a temporary restraining order or a temporary or permanent injunction) to stop you from continuing the infringement; or
- Whatever other penalty the court hearing the case thinks is fair.
But here’s the good news:
If you do run afoul of the CCPA, the user needs to inform you of this and give you 30 days to cure the problem. Only then can the user move forward with legal remedies through the courts.
In addition to the user’s ability to sue under the CCPA, the California Attorney General can also go after you for up to $7,500 per violation. This government action is separate from the user’s lawsuit.
One cool thing about the CCPA, though, is that you have a “safe harbor” against any infringement done by a third party that you shared the personal info with. This requires that you had a reasonable belief that they would be following the law.
This works the other way, as well – if you’re a service provider, you’re not liable for infringement by the one you’re providing the service for.
Both of these safe harbors are a good incentive for you to review those existing service agreements to ensure compliance, and to amend where needed for additional protection.
What does your California-compliant privacy policy need to include?
With all that being said, what should your privacy policy include to get compliant in California, in 2020 and beyond?
Here’s a quick rundown:
- An accurate list of what personal information you collect from users
- A list of what information was sold, or that no information has been sold
- A statement regarding the right to not be discriminated against
- The parties with whom information is shared and the purpose for which it is shared
- A description of all the rights for disclosures, requests to delete and not to have information sold, as described above
- How you deal with “Do Not Track” signals
- Contact information for data-related requests – both a toll-free number and a link to an online form, as needed
- A form that users can use to “opt out” of the sale of their data, with the “Do Not Sell My Information” link text (this should be on the homepage and the Privacy Policy), if needed
- If you’re collecting personal info from children under 13, you need to be compliant with COPPA, as well (including having a mechanism for parental consent)
- If you’re doing business in the EU or with EU citizens, it needs to be GDPR-compliant, too. This includes describing different types of user data requests and including other information (such as info about their right to complain and the basis for collection).
When I draft them, I also usually have an EU-specific section and a CA-specific section, rather than having different privacy policies for different territories. You never know if a CA or EU resident is accessing your site from outside of their home, and therefore you want to be providing them with the correct info no matter what.
Grab a copy of my FREE 2020 CCPA Compliance Guide and all of my other eBooks by signing up below!
What do you do from here?
Pretty much every company that’s online or taking any personal information from users should have a privacy policy in place, as well as the proper contractual agreements with third party services that you’re using.
The usual best practice when dealing with something like this is to create a “data map,” first detailing what information is being taken from users on your game or site. Then you “map” where that data goes, what happens to it, who it’s shared with, etc.
That’s a great way of coming up with a list of what you’re collecting and where it’s going, for the purposes of getting a privacy policy drafted and getting the right data processing agreements in place with third parties that you share that data with.
Once this information is compiled, I recommend taking it to an attorney with experience in drafting privacy policies. Some, like me, work on reasonable flat fee deals so you can keep your budget under control or even bundle the service with other related services to save you money.
Got a question or want some help drafting your CCPA-compliant privacy policy? Just click here to set up a time to talk!