One week into the final month of what has been a memorable 2020, maintaining an organization’s privacy hygiene is more pressing than ever – and includes new requirements.
From privacy policy updates mandated by the California Consumer Privacy Act (CCPA), to all businesses needing to stay current and non-deceptive in their public disclosures in relation to evolving data collection and use practices, proper transparency updates are mission-critical. Likewise, policy updates must directly align with a business’s consumer-facing privacy controls and internal processes.
CCPA UPDATES
“Every 12 Months.” The CCPA requires that “at least once every 12 months” a business review and update the processing information that the CCPA requires be included in the business’s privacy policy disclosed to consumers. As a reminder, the CCPA applies to a business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information (PI), so policies must reflect the business’s interactions with consumers in the physical world as well.
The CCPA requires that a business’s privacy policy describe a business’s data processing activities only for the preceding 12 months.
Per CCPA Section 1798.130(a)(5), required disclosures include:
- a list of the categories of PI a business has collected about consumers in the preceding 12 months;
- a list of categories of PI a business has sold about consumers in the preceding 12 months (or a statement that it has not sold);
- a list of categories of PI a business has disclosed to service providers for a business purpose in the preceding 12 months; and
- designated methods for submitting consumer requests to that business, among other disclosures.
Privacy policies also must state the categories of sources from which PI is collected, identify the commercial or business purpose for collecting or selling PI, and identify the categories of third parties to whom PI was disclosed or sold.
Given that partners, products, and revenue streams can change from year to year, an update to a business’s last CCPA-related privacy policy publication may be in order. Even if processing has not changed, a business should consider documenting that it undertook such a review of its processing activities and determined that no revisions were necessary.
CCPA Regulations. A business’s need to review and perhaps update its current privacy policy is also reinforced by the still freshly minted CCPA implementing regulations, which were largely finalized in late Summer 2020. Businesses that updated privacy policies in anticipation of the CCPA’s Jan. 1, 2020, effective date, or shortly thereafter, may need to make revisions now, given the new requirements those lengthy rules ushered in.
- Verification Procedures. For instance, because prior to the CCPA regulations details were lacking regarding the mechanics of verifying consumer requests, often verification was not described in companies’ privacy policies. Now these processes are clear(er) and must be described generally per Section 999.308(c)(1)(c). Section 999.325(g) also requires that if a business has no reasonable method by which it can verify a consumer (such as a non-accountholder), the business must evaluate and document whether a method can be established at least once every 12 months “in connection with the requirement to update the privacy policy.”
- Mobile-Optimized. Notices at the point of PI collection and privacy policies must be designed for readability wherever a consumer may encounter them, including on smaller screens in the mobile context, making formatting decisions and transparency-focused UX key considerations, and may require a reassessment of whether a business is in line with this requirement.
- Accessibility. Privacy policy accessibility for consumers with visual and auditory disabilities is an additional consideration that may not have been top-of-mind in 2019 or at the start of 2020. CCPA regulations Section 999.305(a) specifically cites the Web Content Accessibility Guidelines version 2.1 as a generally recognized industry standard for doing so, which would require a technical update for many companies. Given the exponential rise in digital-property-related ADA lawsuits filed in recent years, this is a compliance imperative that requires attention beyond just online policies.
- Languages. A privacy policy also must be available in languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to California consumers.
- Printable. A privacy policy also must be available in a format that allows a consumer to print it out as a document; this may require an update for mobile app developers who include an app’s privacy policy in an in-app screen lacking printing functionality, rather than a link out to a mobile web browser.
- Metrics. For the first time, businesses that buy, receive, sell, or share for commercial purposes the PI of 10 million or more California consumers in a calendar year must compile metrics regarding consumer requests received (e.g., access, deletion, opt-out) and the mean or median number of days for their substantive responses to such requests. By July 1 of every calendar year this must be posted in the privacy policy; even though a Jan. 1, 2021, posting is not required, applicable companies should consider beginning work towards this now for the requests already received.
- Offline Notice. According to a third set of proposed modifications to the CCPA regulations released on Oct. 12, 2020, and which is still under consideration, a business that collects PI in the course of interacting with consumers offline must also provide notice via an offline method that facilitates consumers’ awareness of their right to opt out.
Examples provided by the proposed modifications include a PI-collecting brick-and-mortar store providing notice via the paper forms where it collects PI, or by posting signage in the area where the PI is collected and directing consumers to where the notice can be found. For businesses collecting PI over the phone, they must provide the notice orally during the call. These requirements are not yet finalized, but businesses can start to plan for them now in the event they are published largely unchanged.
- Last Updated Date. Although already a common practice, the CCPA regulations require privacy policies to display their “last updated” date.
For more information, subscribe to GT’s Data Privacy Dish blog.