Leo Hamel Policy Letter

Formal Policy to Maintain Privacy Policy

IT

Our company’s California Consumer Privacy Act (CCPA) privacy policy should be maintained periodically, and clear notice must be given of any changes to the policy. Here are some recommended measures to consider for maintenance and notice of changes:

  • Document and maintain a procedure for maintaining and updating the privacy policy.
  • Monitor developments with the CCPA and related regulations to identify potential regulatory changes.
  • Update the privacy policy at least annually.
  • Review any relevant vendor agreements to confirm and, as needed, revise terms and conditions to address your privacy policy procedure.
  • Deliver and record periodic training to individuals responsible for maintaining or carrying out the privacy policy procedure.
  • Monitor and test the process periodically to set a compliance baseline against which to measure effectiveness.
  • Maintain the privacy policy procedure via periodic reviews and amend as needed to factor in operational and regulatory changes.
  • Retain the records for at least four years – the statute of limitations likely applicable to CCPA enforcement actions.

What should be in a privacy policy?

In general, CCPA privacy policies are required to include a description of consumer rights, methods for exercising those rights, contact information, and the date the policy was last updated. Also be sure to specify that the privacy policy is limited in scope and applies only to California residents.

CCPA privacy policies should include:

  • A description of California consumer privacy rights, including:
    • The right to know (request disclosure of) personal information collected or sold.
    • The right to deletion of personal information collected from the consumer.
    • The right to nondiscriminatory treatment for exercising any rights.
    • The right to opt out of the sale of personal information (if applicable).
    • The right to opt in to the sale of personal information of minors (if applicable).
  • An explanation of designated methods for exercising consumer rights.
  • Instructions for submitting a verifiable consumer request.
  • A description of the process used to verify consumer requests.
  • Instructions on how an authorized agent can make a request on a consumer’s behalf.
  • A statement of whether the business sells personal information and, if it does, notice of the right to opt out or a “Do Not Sell My Personal Information” link.
  • Categories of personal information collected about consumers in the past 12 months.
  • Categories of personal information disclosed for a business purpose or sold to third parties in the preceding 12 months.
  • Categories of sources from which personal information is collected.
  • Categories of third parties to whom personal information was disclosed or sold.
  • The business purpose or commercial purpose for collecting or selling personal information.
  • A statement of whether the business has actual knowledge that it sells the personal information of minors.
  • Contact information for questions or concerns about the business’ privacy policy or practices.
  • The date the CCPA privacy policy was last updated.

Privacy policy design and accessibility

CCPA privacy policies are required to be designed and presented in a way that’s easy to read and understandable to consumers. A CCPA privacy policy should:

  • Use plain, straightforward language and avoid technical or legal jargon.
  • Use a readable format, including on smaller screens, if applicable. This can include a table of contents or jump links for easy navigation, expand/collapse features, or links to pages with supplemental information.
  • Be available in the languages in which the business provides contracts, disclaimers, sale announcements, and other information to consumers in California.
  • Be reasonably accessible to consumers with disabilities.
  • Be in a format that allows a consumer to print it out as a document.

Our privacy policy should be available to consumers both online and offline and should address both online and offline practices. Publish the privacy policy online with a conspicuous link using the word “privacy” on the website’s homepage, or on every page of our website in a recurring header or footer.

Leo Hamel, Founder