California online privacy policy requirements [2018 Guide]

Let’s be real:

Unless you’ve been living under a rock, you probably know how important privacy is in 2018 and beyond. Most of all, you need to be sure to have a proper privacy policy that meets the requirements of existing and upcoming California privacy laws.

It’s never too soon to get ready.

In this post, I’ll discuss the various California online privacy policy requirements, including those for the new California Consumer Privacy Act of 2018 that was recently passed.

Let’s get started.

Understanding the California online privacy policy requirements

California online privacy policy requirements – Why should you care?

If you’re doing business on the Internet, you’re probably doing business in California.

As the fifth-largest economy in the WORLD, California has a ton of people online. Unless you’re geoblocking California residents from using your website, game, or application, you need to pay attention.

That means following California’s various privacy laws.

The laws that are in place right now are:

  • CalOPPA – this is the one that requires that you have a public privacy policy available
  • “Shine the Light” law – this is the one that deals with sharing personal info to third parties for direct marketing purposes
  • California Civil Code Section 179.85 – prohibits publicly posting Social Security Numbers or requiring their transmission over an unencrypted connection, among other things
  • Privacy Rights for California Minors in the Digital World – this requires that minors are allowed to have their personal information and other materials deleted upon request, such as social media postings
  • COPPA – federal law requiring parental consent before you can collect personal information from children under 13 – applies across the US
  • In addition to these, California signed the California Consumer Privacy Act of 2018 into law in June of 2018

Set to become effective on January 1, 2020, this is a sweeping overhaul of California’s privacy requirements.

If you plan to keep doing business that’s in any way connected to online users in California, you’d better pay attention to this law and it’s requirements.

California privacy policies - what's the law?

Let’s check them out:

The California Consumer Privacy Act of 2018 – who does it apply to?

The CCPA applies to you or your business if you meet the following criteria:

  1. If you do business for profit in California or reaching into California,
  2. You take personal information from California users/consumers (including those who live in CA but are traveling outside the state at the time you collect their personal info), and
  3. One of the following applies to you: (i) you have at least $25 million in annual revenue, (ii) you buy, receive for commercial purposes, sell, or share for commercial purposes the personal information of at least 25,000 users, or (iii) at least half of your revenue comes from selling users’ personal information.

If you don’t meet those thresholds, then you are safe (at least from the CCPA).

How does it define “personal information”?

The CCPA expands the definition of personal information from prior California laws.

Generally, “personal information” means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Straight from the law, the types of data that fall under this category now are:

  1. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
  2. Any categories of personal information described in subdivision (e) of Section 1798.80 (Zack’s note: this is a separate list from another law, but similar to the above).
  3. Characteristics of protected classifications under California or federal law.
  4. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  5. Biometric information.
  6. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
  7. Geolocation data.
  8. Audio, electronic, visual, thermal, olfactory, or similar information (Zack’s note: yes, information about a person’s smells could be personal information).
  9. Professional or employment-related information.
  10. Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
  11. Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

That’s a big list.

But most companies are only taking a small amount of that from users.

As I’ll discuss later on, it’s best to create a map of all this data, so that you know what’s going on and can tailor your privacy practices around it.

What kind of privacy policy do you need for California?

What does the CCPA require?

A lot.

In a way, it’s California’s version of the GDPR.

This means that it seeks to give California residents much more transparency and control about what personal information is being collected, shared, and processed by businesses online. Much like the EU’s GDPR law, which requires many of the same things (with some significant differences).

Aside from disclosing to users what personal information you are collecting and how you’re processing it and who you’re sharing it, you also have the responsibility to honor various requests from users.

These are similar to the various rights that EU citizens have under the GDPR.

What rights do users have and what can they request from you?

Users have 5 main rights under the CCPA:

  1. The right to know what information you have about them: If the user requests, you must disclose what you’ve collected (both the specific information and the general categories of info), where you collected it from, what the purpose of that collection was, and who you’ve shared it with.
  2. The right to request deletion of personal information: If the user requests, you must delete their personal information and tell any third parties that you shared it with to delete it, as well. Also, you need to inform them of this right in your privacy policy or elsewhere.
  3. The right to request details about the sale of personal information: If requested, you need to give details about your sale of their personal information, including the categories of info you collect, categories of info you sell, categories of third parties it was sold to, and the categories of personal info disclosed for “business purposes,” such as advertising and security.
  4. The right to opt out of the sale of personal information: All consumers need the right to opt out of your selling of their personal info. However, if the user is under 16, they need to explicitly opt-in to this sale. And if the user is under 13, parental consent is needed (similar to existing COPPA laws).
  5. The right to be free from discrimination: If a user exercises one of the above 4 rights, you are not allowed to discriminate against them because of it. This means you can’t deny them service, charge them a different price, provide a different service quality to them, or (prior to them exercising their right) “suggest” that they may receive different service because of that request.

As for that last one, you may still charge a different price to them as long as the change in price is reasonably related to the fact that them refusing to give personal info affects your ability to provide them the service.

You need to have two methods available for sending these requests:

  • A toll-free number they can call; and
  • A web page where the requests can be made online.

Additionally, if you’re selling personal information and subject to #4 above, you need to have a conspicuous link on your site that says “Do Not Sell My Information”, which leads to the opt-out request.

Figuring out what you need in your California privacy policy

What are the penalties?

If you are subject to the CCPA and you fail to follow its provisions, you could be subject to a few different types of penalties. These are:

  • A monetary penalty of the greater of either $750 or the actual damages the user suffered;
  • Injunctive relief by a court (which could include a temporary restraining order or a temporary or permanent injunction) to stop you from continuing the infringement; or
  • Whatever other penalty the court hearing the case thinks is fair.

But here’s the good news:

If you do run afoul of the CCPA, the user needs to inform you of this and give you 30 days to cure the problem. Only then can the user move forward with legal remedies through the courts.

In addition to the user’s ability to sue under the CCPA, the California Attorney General can also go after you for up to $7,500 per violation. This government action is separate from the user’s lawsuit.

One cool thing about the CCPA, though, is that you have a “safe harbor” against any infringement done by a third party that you shared the personal info with. This requires that you had a reasonable belief that they would be following the law.

This works the other way, as well – if you’re a service provider, you’re not liable for infringement by the one you’re providing the service for.

What do you need in a California privacy policy?

What does your California-compliant privacy policy need to include?

With all that being said, what should your privacy policy include to stay compliant in California, both now and in 2020?

Here’s a quick rundown:

  • An accurate list of what personal information you collect from users
  • A list of what information was sold, or that no information has been sold
  • A statement regarding the right to not be discriminated against
  • The parties with whom information is shared and the purpose for which it is shared
  • A description of all the rights for disclosures, requests to delete and not to have information sold, as described above
  • How you deal with “Do Not Track” signals
  • Contact information for data-related requests – both a toll-free number and a link to an online form
  • A form that users can use to “opt out” of the sale of their data, with the “Do Not Sell My Information” link text (this should be on the homepage, not in the Privacy Policy, though that can’t hurt)
  • If you’re collecting personal info from children under 13, you need to be compliant with COPPA, as well (including having a mechanism for parental consent)

If you’re doing business in the EU or with EU citizens, it needs to be GDPR-compliant, too. This includes describing different types of user data requests and including other information (such as info about their right to complain and the basis for collection).

That will be the subject of a different post, though.

What's next for your privacy policy?

What do you do from here?

Pretty much every company that’s online or taking any personal information from users should have a privacy policy in place, as well as the proper contractual agreements with third party services that you’re using.

The usual best practice when dealing with something like this is to create a “data map,” first detailing what information is being taken from users on your game or site. Then you “map” where that data goes, what happens to it, who it’s shared with, etc.

That’s a great way of coming up with a list of what you’re collecting and where it’s going, for the purposes of getting a privacy policy drafted and getting the right data processing agreements in place with third parties that you share that data with.

Once this information is compiled, I recommend taking it to an attorney with experience in drafting privacy policies. Some, like me, work on reasonable flat fee deals so you can keep your budget under control or even bundle the service with other related services to save you money.

Got a privacy policy question? Leave it in the comments below!

If you’d like to speak to an attorney about your privacy needs, head over to my Contact page to leave a message or make a free consultation appointment.

Leave a Comment