Skip to content
Regulations
CCPA - California Consumer Privacy Act
02: Privacy Policy Updates

CCPA Step 02: Update your Privacy Policy

There are several changes you should make to your privacy policy to comply with the CCPA.

1. Displaying Consumers' Rights

Display to the consumer all of their rights and how these can be used:

  • Right to Opt-Out
  • Right to limit the use of sensitive personal information
  • Right to opt-out of automated decision making
  • Right to know about automated decision making
  • Right to Access
  • Right to Delete
  • Right to Correction
  • Right to Data Portability

For the example of the “right to access” their data, you should provide a statement that explains their rights and how they can be enacted. Here's an example below.

Right of Access: You may request access to the specific pieces of Personal Information we have about you. You may also request additional details about our information practices, including the categories of Personal Information we collect, the sources of information, the types of third parties we share information with, the types of Personal Information we share for business purposes, and details about the information we have shared, if any. You may request access by visiting our Privacy Center (opens in a new tab) or contacting us via privacy@acme.com.

To learn more about these consumer rights, read the CCPA requirements here

2. Notifying Users of Automated Tools

If your business is using any automated decision making tools for behavioral inference, analysis, or decision making, you should notify the user.

Provide the user with a written notice of automated decision making in your privacy policy, describing what categories of personal data you are using and for what type of automated decision making.

Note: in the case of automated decision making, you must also notify the user that when they exert their right to opt-out, you will not discriminate against them. That is to say, if they opt-out of automated processing, you will still provide the service to them within reasonable limitations.

3. Providing Privacy Notices

For each of the 11 categories of data you must have four clear notices as follows:

  • Whether you collect that data: simply confirm whether this is a category of data you collect or not.
  • How you use the data: confirm the purpose for which you use the data.
  • Whether you share it: if you share the data, specify what other parties is it shared with.
  • How long you retain the data: you must specify when the data is disposed of. It is no longer permissible to provide an approximation such as “for as long as is necessary”. The CPRA demands specificity.

The following table is a helpful way to consider how to display this information in your policy.

Note: in this description, we have provided an list of examples. You should complete this table with only the categories of data you process for each category.

Data CategoryDescriptionDo we collectCategories of UseData Retention Policy
IdentifiersName, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name or other similar identifiersYES
  1. To provide our e-commerce service
  2. Marketing
When your account is deleted or upon request
Customer records informationName, signature, physical characteristics or description, address, telephone number, education, employment, employment history, credit or debit card number, other financial informationYES
  1. Payment processing
When your account is deleted or upon request
Characteristics of protected classifications under California or federal lawRace, religion, sexual orientation, gender identity, gender expression, ageNoNot ApplicableNot Applicable
Commercial InformationRecords of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendenciesNoNot ApplicableNot Applicable
Bio-metric InformationHair color, eye color, fingerprints, height, retina scans, facial recognition, voice, and other biometric dataNoNot ApplicableNot Applicable
Internet or other electronic network activity informationBrowsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisementYES
  1. Analysis
  2. Marketing
  3. Third Party Advertising
Not Applicable
Geo-location dataLongitude, latitude, sensor data that defined locationNoNot ApplicableNot Applicable
Audio, electronic, visual, thermal, olfactory, or similar informationSensor and sensor derived dataNoNot ApplicableNot Applicable
Professional or employment-related informationEmployment history, salary or job application historyNoNot ApplicableNot Applicable
Education informationInformation that is Not “publicly available personally identifiable information” as defined in the California Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)NoNot ApplicableNot Applicable
InferencesDrawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.NoNot ApplicableNot Applicable
Sensitive Personal InformationBio-metric data processed to identify an individual, Data about sexual orientation or sex life, Financial account details in a combination (for example card number and password), Genetic data, Government-issued numbers (such as a social security number or a number on a passport, or driver's license), Health data, Philosophical or religious beliefs, Precise geolocation, Racial or ethnic origin, Union membershipNoNot ApplicableNot Applicable

If you're unsure how to setup your privacy policy, ask a question on the Fides Slack Community (opens in a new tab), or get Privacy Engineering Intelligence from Ethyca (opens in a new tab) now.

01: Data Mapping03: Updating your Opt-Out Notices