CCPA/CPRA Privacy Notices: Building Trust and Ensuring Compliance

The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), require businesses to provide consumers with clear and comprehensive privacy notices. Well-crafted privacy notices are crucial for demonstrating compliance and for giving California consumers control over their personal information, which makes them essential for building trust.

Let’s look in detail at some of the crucial notices you need to include for CCPA/CPRA compliance, incorporating the latest updates:

Notice at Collection

Transparency with consumers begins at the very moment you collect their data. This notice informs consumers at the point of data collection about the categories of personal information (PI) you’re collecting and how you intend to use it. This notice includes information such as:
– The specific categories of PI being collected (e.g., name, email, location);
– The purposes for collecting the PI (e.g., to fulfill an order, send marketing emails, etc.);
– If you collect sensitive personal information (SPI) under the CPRA, a clear and conspicuous notice must be provided at or before the point of collection, specifying the SPI categories and intended use.

Notice of Right to Opt-out of Sale and Sharing

The purpose of the notice is to inform consumers about their right to opt out of the “sale” or “sharing” of their PI for certain purposes. “Sale” broadly refers to disclosing PI for monetary or other valuable consideration. “Sharing” refers to the transfer of PI to third parties for cross-context behavioral advertising, where a consumer’s activities across different websites are used to tailor ads.

The obligation under this notice entails providing information about the categories of PI you sell or share and including a “Do Not Sell or Share My Personal Information” link or another simple mechanism for consumers to opt out of these practices. It’s essential to be transparent about any changes to your product’s functionality or pricing that might result if a consumer opts out.

Notice of Right to Limit Use of Sensitive Personal Information

A new requirement under the CPRA, this notice informs consumers about their right to limit the use of their sensitive personal information (SPI) to purposes reasonably necessary for providing goods or services or fulfilling legal obligations. The notice should include a clear explanation of the CPRA’s right to limit SPI use and a method for consumers to exercise this right (e.g., a web form, email address). Since this is a recent CPRA requirement, best practices and detailed regulations on managing SPI limitations are still evolving.

Notice of Financial Incentive

If you offer loyalty programs or other benefits in exchange for consumer data, your notice must detail the types of PI collected, how it’s used within the program, and its value when calculating incentives. Whenever feasible, the CPRA requires you to estimate the value of consumer data within the incentive program. Importantly, emphasize that consumers have the right to withdraw from these programs entirely, at any time.

Employees & B2B

While the CPRA still maintains exemptions for employee and business-to-business data, it extends some privacy rights within these contexts. Update your notices to reflect any newly covered data.

Clarity and Accessibility

Use plain language, clear headings, and avoid technical jargon. Place your notice prominently (such as in your website footer) and consider supplemental notices alongside specific data collection forms.

Stay Updated

The CPRA is continuously evolving, so consult with privacy experts for the most up-to-date guidance.

Our privacy specialists at GDPRLocal can offer your business solutions for compliance with the CCPA/CPRA, which helps you build a reputation that sets you apart. By prioritizing privacy, you foster consumer trust, protect your brand, and minimize the risk of costly penalties.

Contact us today for a consultation – we’ll work with you to develop privacy notices that accurately reflect your data practices and guide you in designing systems and processes for data collection, handling, and responding to consumer requests in line with the CCPA/CPRA.