Display to the consumer all of their rights and how these can be used:
- Right to Opt-Out
- Right to limit the use of sensitive personal information
- Right to opt-out of automated decision making
- Right to know about automated decision making
- Right to Access
- Right to Delete
- Right to Correction
- Right to Data Portability
For the example of the “right to access” their data, you should provide a statement that explains their rights and how they can be enacted. Here's an example below.
Right of Access: You may request access to the specific pieces of Personal Information we have about you. You may also request additional details about our information practices, including the categories of Personal Information we collect, the sources of information, the types of third parties we share information with, the types of Personal Information we share for business purposes, and details about the information we have shared, if any. You may request access by visiting our Privacy Center (opens in a new tab) or contacting us via email@example.com.
To learn more about these consumer rights, read the CCPA requirements here
If your business is using any automated decision making tools for behavioral inference, analysis, or decision making, you should notify the user.
Note: in the case of automated decision making, you must also notify the user that when they exert their right to opt-out, you will not discriminate against them. That is to say, if they opt-out of automated processing, you will still provide the service to them within reasonable limitations.
For each of the 11 categories of data you must have four clear notices as follows:
- Whether you collect that data: simply confirm whether this is a category of data you collect or not.
- How you use the data: confirm the purpose for which you use the data.
- Whether you share it: if you share the data, specify what other parties is it shared with.
- How long you retain the data: you must specify when the data is disposed of. It is no longer permissible to provide an approximation such as “for as long as is necessary”. The CPRA demands specificity.
The following table is a helpful way to consider how to display this information in your policy.
Note: in this description, we have provided an list of examples. You should complete this table with only the categories of data you process for each category.
|Data Category||Description||Do we collect||Categories of Use||Data Retention Policy|
|Identifiers||Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name or other similar identifiers||YES||When your account is deleted or upon request|
|Customer records information||Name, signature, physical characteristics or description, address, telephone number, education, employment, employment history, credit or debit card number, other financial information||YES||When your account is deleted or upon request|
|Characteristics of protected classifications under California or federal law||Race, religion, sexual orientation, gender identity, gender expression, age||No||Not Applicable||Not Applicable|
|Commercial Information||Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies||No||Not Applicable||Not Applicable|
|Bio-metric Information||Hair color, eye color, fingerprints, height, retina scans, facial recognition, voice, and other biometric data||No||Not Applicable||Not Applicable|
|Internet or other electronic network activity information||Browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement||YES||Not Applicable|
|Geo-location data||Longitude, latitude, sensor data that defined location||No||Not Applicable||Not Applicable|
|Audio, electronic, visual, thermal, olfactory, or similar information||Sensor and sensor derived data||No||Not Applicable||Not Applicable|
|Professional or employment-related information||Employment history, salary or job application history||No||Not Applicable||Not Applicable|
|Education information||Information that is Not “publicly available personally identifiable information” as defined in the California Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)||No||Not Applicable||Not Applicable|
|Inferences||Drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.||No||Not Applicable||Not Applicable|
|Sensitive Personal Information||Bio-metric data processed to identify an individual, Data about sexual orientation or sex life, Financial account details in a combination (for example card number and password), Genetic data, Government-issued numbers (such as a social security number or a number on a passport, or driver's license), Health data, Philosophical or religious beliefs, Precise geolocation, Racial or ethnic origin, Union membership||No||Not Applicable||Not Applicable|