The California Consumer Privacy Act (CCPA) has recently been modified in the second round of changes to its initially proposed regulations. The Attorney General is nearing a finalized version of the Act as these new revisions make for the third version in its history. These modifications clarify the type of information collection the Act applies to, rules to responding to requests by consumers, and how businesses should format their websites to meet these new regulations.

 

Clarification on Information Collected

 

The definitions modified in this update give a clearer understanding of the entire Act in general. The ability to access and track the changes made by the Attorney General are available to the public as well. Ultimately this update clarifies the following:

 

Personal Information

 

Personal information is now defined as information that is collected by a business that can be directly linked back to a consumer or household. This means that even if certain information is collected from a visitor of a website, but that information cannot be directly linked back to the consumer, then the collection of that information by a business would not fall under the CCPA. Only information that directly links data to an individual consumer or household would follow under these regulations.

 

In addition, businesses that buy personal information would not have to provide a direct CCPA privacy notice to consumers or the ability to “opt-out” of the disclosure of their information. Businesses that sell personal information would not be required to provide this to any consumer who have had their data collected. However, requests to obtain, delete, opt-out, and opt-in would still have to be met.

 

Service providers, however, would still be able to collect personal information directly from the consumers to improve the quality of their services without profiling that consumer or household. They may also collect personal information directly from the consumer to add additional security to the services, protect against fraud, and comply with all laws and regulations.

 

Notices To Consumers

 

Businesses would still be required to provide notice to consumers at the collection of their data, and those notices would also have to access online through a business’s website. This would essentially make notice of collection of data an industry standard for all websites that collect personal information. The regulations in the update still clear that a business would only be able to use data collected for the purposes disclosed in an initial notice to the consumer.

 

What Would a Notice to the Consumer Need to Disclose?

 

For businesses that sell personal information from a consumer, the update proposes that a notice to the consumer would need to disclose:

 

• What categories of information are collected from the consumer
• What purposes that data will be used for

 

This simplifies both the process of creating a notice to consumer at the point of collection and the creation of a privacy policy for a business.

 

The update remains that: “The purpose of the notice at collection is to provide consumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them and the purposes for which the personal information will be used.”

 

Notices should be plain and “easy to read and understandable to consumers”. It should also follow these guidelines:

 

• Use straightforward language and avoid technical or legal jargon
• Be designed in a format to attract attention to the notice on all types of screens
• Be available in multiple different languages
• Be accessible for consumers with disabilities (those who fall under the American Disabilities Act). Businesses may use the Web Content Accessibility Guidelines as a means to follow these standards
• A “Do Not Sell My Personal Information” or “Do Not Sell My Info” button
• A link to the business’s privacy policy

 

Privacy Policy Requirements

 

The privacy policy requirements updated maintain that, “the purpose of the privacy policy is to provide consumers with a comprehensive description of a business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding this information.” It also states that a privacy policy should:

 

• Use straightforward language and avoid technical or legal jargon
• Be designed in a format to attract attention to the notice on all types of screens
• Be available in multiple different languages
• Be accessible for consumers with disabilities (those who fall under the American Disabilities Act). Businesses may use the Web Content Accessibility Guidelines as a means to follow these standards
• Be available in a format that allows it to be printed as a document by a consumer

 

Business privacy policies must also be, “posted online through a conspicuous link using the word ‘privacy,” on the business’s website homepage or on the download or landing page of a mobile application.” This means that businesses will need their privacy policy to be explicitly linked on their home page, if it is not already.

 

The update continues that, “If the business has a California-specific description of consumers’ privacy rights on its website, then the privacy policy shall be included in that description. A business that does not operate a website shall make the privacy policy conspicuously available to consumers.” These may be updates that many businesses working within California will have to make, especially if they do not already operate their own website.

 

It is also noted that, “A mobile application may include a link to the privacy policy in the applications settings menu.”

 

Lastly, the update states that a privacy policy should include the:

 

• Right to know personal information collected, disclosed, or sold
• Right to request deletion of personal information
• Right to opt-out of the sale of personal information
• Right to non-discrimination for the exercise of a consumer privacy rights
• Authorized agent requests
• Contact for more information section
• Date that the privacy policy has been updated last

 

Businesses that buy, sell or compile the information of minors or more than 10 million consumers yearly should also comply with the specific requirements set under this update.

 

The California Consumer Privacy Act is consistently being updated and it is hopeful that the Attorney General will come to a finalized version of the regulations soon. However, until then businesses will want to stay up-to-date, and consistently modify their websites and privacy policies in accordance.

 

For more information on the CCPA and how it may affect your business, get in contact with Social Spice Media today. Our team of specialists can assist with your needs ranging from web design to digital marketing.