Can I ensure that my company is compliant with expanding privacy protections in California? What are the requirements?
To ensure that your company is compliant with expanding privacy protections in California, you must adhere to the requirements set forth in the California Consumer Privacy Act (CCPA) and its accompanying regulations. Below are some of the key requirements:
Privacy Policy
One of the key requirements of the CCPA is the creation of a privacy policy that informs consumers about your business’s online and offline information practices [1.1][2.1][3.1][2.2]. The privacy policy must be available in a format that allows a consumer to print it out as a document and must be posted online and accessible through a conspicuous link that complies with section 7003, subsections (c) and (d), using the word “privacy” on the business’s website homepage(s) or on the download or landing page of a mobile application [1.1][1.3].
The privacy policy must include a comprehensive description of your business’s online and offline information practices, including the categories of personal information your business has collected about consumers in the preceding 12 months, the categories of sources from which the personal information is collected, and the specific business or commercial purpose for collecting personal information from consumers [1.1][3.1][2.2].
The privacy policy must also explain the rights that the CCPA confers on consumers regarding their personal information, including the right to know what personal information your business has collected about the consumer, the right to delete personal information, and the right to opt out of the sale or sharing of their personal information by your business [1.1][3.1][2.2].
Third-Party Contracts
If your business sells or shares a consumer’s personal information with a third party, you must enter into an agreement with the third party that identifies the limited and specified purpose(s) for which the personal information is made available to the third party and requires the third party to use it only for that limited and specified purpose(s) [1.1][1.4].
The contract must also require the third party to comply with all applicable sections of the CCPA and these regulations and provide the same level of privacy protection as required of businesses by the CCPA and these regulations [1.1][1.4].
Service Providers and Contractors
If your business uses a service provider or contractor to process personal information, you must have a contract that prohibits the service provider or contractor from selling or sharing personal information it collects pursuant to the written contract with your business [1.1][1.5].
The contract must also identify the specific business purpose(s) for which the service provider or contractor is processing personal information pursuant to the written contract with your business and prohibit the service provider or contractor from retaining, using, or disclosing the personal information that it collected pursuant to the written contract with your business for any purpose other than the business purpose(s) specified in the contract or as otherwise permitted by the CCPA and these regulations [1.1][1.5].
Requirements for Businesses Collecting Large Amounts of Personal Information
If your business collects personal information of 10,000,000 or more consumers in a calendar year, you must compile and disclose certain metrics for the previous calendar year, including the number of requests to delete, correct, know, opt out of sale/sharing, and limit that your business received, complied with in whole or in part, and denied, as well as the median or mean number of days within which your business substantively responded to such requests [1.2].
Conclusion
To ensure that your company is compliant with expanding privacy protections in California, you must adhere to the requirements set forth in the CCPA and its accompanying regulations. This includes creating a privacy policy that informs consumers about your business’s online and offline information practices, entering into contracts with third parties and service providers that protect consumers’ personal information, and complying with the requirements for businesses collecting large amounts of personal information.
Source(s):
- [1.1] Privacy Policy.
- [2.1] Section 22576 - Internet Privacy Requirements
- [3.1] Privacy Policy. [Renumbered]
- [2.2] Section 22575 - Internet Privacy Requirements
- [1.2] Requirements for Businesses Collecting Large Amounts of Personal Information.
- [1.3] Requirements for Disclosures and Communications to Consumers.
- [1.4] Contract Requirements for Third Parties.
- [1.5] Contract Requirements for Service Providers and Contractors.
Jurisdiction
California