Drafting Your CPRA Privacy Policy: A Comprehensive Guide


If you operate a business in California or if you collect personal data from consumers in California, you must abide by the terms of the California Privacy Rights Act.

This means you must have a CPRA privacy policy on your website to avoid legal consequences for yourself and your business.

In this article, we’ll give you a comprehensive guide that you can use to create such a privacy policy.

CPRA Overview

The CPRA, or California Privacy Rights Act, is an amendment and extension to the CCPA (California Consumer Privacy Act). It became effective on January 1st, 2023, while the CCPA itself became law three years before in 2020.

While the CCPA/CPRA mainly protects consumers who are residents of California, your business doesn’t have to be based in this US state. The law applies to businesses across the globe.

This is why it’s important to create a privacy policy that ensures your consumers are protected under CCPA/CPRA.

Who is Affected by the CPRA?

The law affects customers who live in California permanently, those who are there temporarily (for work), and those who reside in the state but are on vacation elsewhere.

It does not affect someone who is in California for a holiday or vacation.

The CPRA applies to for-profit entities that do business in California. They must also meet one of the following criteria:

  • They buy, sell, or share the personal information of 100,000 or more residents, households, or devices in California
  • The business has a gross annual revenue of $25 million or more
  • Or, at least 50% of the business’s annual revenue comes from the sale of consumers’ personal information

CPRA Key Requirements

Although the criteria above are pretty straightforward for the most part, they still require a little more explanation.

  • The business must buy, sell, and/or share the personal information of 100,000+ California residents.

This covers not only buying and selling data but also sharing data with a third party for cross-context behavioral advertising.

In other words, if you have 100,000 or more unique visits to your website from California (again, only residents, not people vacationing there), you must abide by the CPRA.

  • Your business has a gross annual revenue of at least $25 million.

This criterion is pretty self-explanatory.

Note that “gross revenue” refers to the amount of money your business earns from sales in a certain period (for “gross annual revenue” that would be between January 1st and December 31st of the same year), while “net revenue” equals gross revenue reduced by your expenses for the same period.

  • At least 50 percent of your annual revenue comes from selling consumers’ personal information

If at least 50% of your annual revenue derives from selling or sharing your consumers’ personal information, then it doesn’t matter whether your gross annual revenue is $25 million or $25 thousand.

Defining Privacy Policy

Before we talk about the CPRA privacy policy, let’s go over what a privacy policy is and why you need one.

Today, data has become more valuable than gold and businesses require data to better serve their consumers.

However, they still need to ensure that their consumers’ privacy is protected.

This is where a privacy policy comes in.

You probably saw a link to it somewhere in the footer of the website you visited but didn’t pay much attention (yeah, most privacy policies are dull).

Still, this is one of the most important documents on your website (so be sure it’s written by someone who is an expert, as this is not your typical blog post).

At a minimum, a privacy policy should include the following information:

  • What data you collect (preferably a list with descriptions)
  • Where you obtain this data
  • How you collect data
  • How you store data
  • Why you collect data
  • Whether you sell or share the data you collect, and with whom
  • Your consumers’ privacy rights
  • How your consumers can exercise their rights
  • How consumers can access and remove the data you collected
  • Links to your terms of service, cookie policy, and other policies on your website

Important Elements of a CPRA Privacy Policy

If you already have an EU GDPR-compliant privacy policy, you’ll have less work in front of you to create one that is CPRA-compliant.

That said, your CPRA privacy policy should include:

  • Personal data that you collect from consumers
  • Where you collect the data
  • The purpose of collecting this data
  • What data you sell to or share with third parties
  • Consumers’ privacy rights (how they can opt out of data collection, access or delete their data)
  • How to submit a privacy request (with at least two methods of doing so)
  • Children’s opt-in
  • A link to “Do Not Sell My Personal Information”
  • A 12-month update

Personal Data that You Collect From Consumers

According to the California Civil Code, “personal information” under CCPA includes “information that identifies, relates to, or could reasonably be linked with you or your household.”

In other words, this includes your name, email address, biometric data like fingerprints, Internet browsing history, social security number, product purchase records, etc.

Note that “personal information” under CPRA does not include already publicly available information.

So, your CPRA privacy policy should reveal if you collect:

  • Data safeguarded against security breaches like name, date of birth, SSN, driver’s license
  • Gender, race, ethnicity
  • Biometric data (face recognition, fingerprints, voice recordings, etc.)
  • Audio, video, electronic, or thermal data
  • Professional and education data
  • Data made from profiling
  • Commercial data, like records of services purchased

Where Do You Collect the Data?

Websites can collect data as a first-party or third-party.

As a first party, the website collects data directly from its visitors as they engage with its web pages. By contrast, a third party is an outside source that might use trackers to collect consumer data from multiple websites.

Three types of trackers are used to collect data:

  • Cookies, which are small data files that are sent to and stored on the user’s computer
  • Pixels, which are small, pixel-sized images that are downloaded when a new webpage loads, informing the website owner that the page was loaded
  • Browser fingerprinting, which collects information about which browser you are using, its version, operating system, plugins, etc.

Why Do You Collect Data?

If you are collecting data from your users, you must be clear as to your data gathering purposes.

Here are some of the reasons why you might collect your consumers’ personal data:

  • For identification and verification
  • To better deliver your service
  • To improve user experience
  • To better communicate with them
  • For marketing and advertising purposes
  • Legal compliance

What Data Do You Sell or Share With Third-Party Entities?

If you are selling or sharing data with third parties, like other websites or companies, you must also specify these third parties and why you sell or share consumer personal data with them.

For example, third parties that you sell or share data with might include:

  • Service providers
  • Marketing providers
  • Brands and companies affiliated with yours
  • Government agencies, law enforcement, and other third parties
  • Parties involved in a business transaction or merger (in case your business is acquired by another company, acquires another company, merges with another company, or is reorganized)

Consumer Privacy Rights

As residents of California, your consumers have the following rights:

  • Right to know.

At the moment, consumers can request the following from you: 1) the categories and specific pieces of information you have gathered about them; 2) the categories of sources from which you collected their personal information; 3) the purpose(s) for which you will use their personal information; 4) the third parties with which you sell or share this information.

  • Right to delete

Next, consumers also have the right to request that you delete the personal information you previously collected about them, as well as that you instruct any third parties to do the same.

Note that there are some exceptions, such as when the business is required by law to keep this data.

  • Right to correct

If the consumer notices that you have wrong information about them, they can also request that you correct it.

  • Right to limit the use and disclosure of sensitive personal information

Additionally, consumers can also limit the purposes for which you use some of their sensitive personal information, for instance, to only provide the service they requested.

  • Right to opt-out of data sale and sharing

Finally, users can also request to “opt out” of data selling or sharing, which remains in force until they authorize your business to do so once more.

How can Consumers Submit a Privacy Request?

Besides explaining what rights they have, a CPRA privacy policy should also include at least two methods by which consumers can make a request regarding their personal data.

These can be:

  • An email address
  • A contact form on your website
  • Phone number
  • Post office address

Keep in mind that once a consumer issues a privacy request, you have 45 days to address it.

Children Opt-in

If you are aware that your business is collecting data from children, you need to get an opt-in from their parents or guardians if the children are under 13 years old.

For children between 13 and 16, the child can provide the opt-in themselves.

Do Not Sell My Personal Information Link

If your business sells or shares personal information it gathers from consumers, you must include a visible “Do Not Sell or Share My Personal Information” link as part of your “notice at collection”.

A notice at collection is a notice that you provide before or at the point of data collection.

It includes:

  • A list of the categories of personal information that you intend to collect
  • The purposes for which you collect consumers’ personal information
  • Information on how consumers can opt out of the sale of their personal information to third parties
  • Information on how to find the privacy policy on your website

A 12-Month Update of Your CPRA Privacy Policy

To comply with the California Consumer Privacy Act, you must update your privacy policy every 12 months and have a mechanism to monitor these updates.

Also, you need to display the last date you updated your privacy policy for consumers to see, and in some cases, you may also need to include a short overview of the update, such as what changes you made.

Drafting a CPRA Privacy Policy

Privacy policies are notoriously difficult to create.

On one hand, you want to ensure that you include everything that is needed for the policy to comply with the law, and on the other, you want to present the information in a way that is clear for the user.

One easy way to draft a CPRA privacy policy is to follow these steps:

  • Select where the privacy policy will be used (website, app, or both)
  • Add information about your website or app (domain name, URL, etc.)
  • Provide information about your business (business name, address, etc.)
  • Select your country (and state if you operate a business in the United States)
  • Include what personal information you intend to collect from consumers (first and last names, addresses, phone numbers, email addresses, and social media information)
  • Provide a means by which consumers can contact you regarding their personal information and privacy policy (webpage, email, postal mail, phone number)

Privacy Policy Enforcement and Compliance

Even though CPRA took effect on January 1st, 2023, it was not enforced until July 1st.

Specifically, the California Civil Code §1798.185(d) states that:

“Notwithstanding any other law, civil and administrative enforcement of the provisions of law added or amended by this Act shall not commence until July 1, 2023, and shall only apply to violations occurring on or after that date.”

In other words, your business is not subject to enforcement under CPRA for something that happened before that date.

That said, a privacy policy is a legal document that has to be visible at the bottom of every page on your website that a consumer might visit.

While no privacy law explicitly states that your business must have a privacy policy, several state and federal laws still have privacy provisions, including:

  • CCPA/CPRA
  • COPPA (Children’s Online Privacy Protection Act)
  • CalOPPA (California Online Privacy Protection Act)
  • PIPA (Personal Information Protection Act of Maryland)
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1997
  • SHIELD (Stop Hacks and Improve Electronic Data Security Act of New York)
  • EU’s GDPR (General Data Protection Regulation)
  • UK’s Data Protection Act 1998
  • Canada’s PIPEDA (Personal Information Protection and Electronic Documents Act)
  • HIPAA
  • Etc.

When it comes to CPRA/CCPA, enforcement is in the hands of the OAG (Office of the Attorney General), which is responsible for overseeing violations and determining fines and penalties for them.

FAQs

What is a Good Privacy Policy?

A good privacy policy complies with relevant privacy laws and regulations, is transparent about how customers’ data is handled, and is clear and concise.

How Do You Write a Privacy Policy?

A privacy policy is an important legal document that should outline the following:

  1. The types of personal information that you collect
  2. Why you collect personal information
  3. How you collect personal information
  4. How you use personal information
  5. How you share personal information
  6. Whether you sell personal information
  7. With whom you share or sell personal information
  8. Your data retention policies (how and why you store the data you’ve collected)
  9. How you protect the data you’ve gathered
  10. What the consumer’s rights are
  11. Your contact information

What is CPRA Compared to GDPR?

CPRA (California Privacy Rights Act) and GDPR (General Data Protection Regulation) both aim to protect personal data and enhance privacy rights. However, they differ in several respects, such as:

  1. Scope. CPRA only applies to California residents, while GDPR applies to EU/EEA residents.
  2. Data subject rights. Both privacy laws outline largely the same data subject rights, like the right to access data, the right to correct/rectify data, the right to delete/erase data, etc. Additionally, CPRA allows customers to limit the use of their sensitive personal information, which is not specified in GDPR.
  3. Definition of personal data. CPRA has a broader definition of “personal data” than GDPR, which also includes “sensitive personal data” such as health data, race, or ethnicity.

When Does the California Privacy Rights Act (CPRA) Go Into Effect?

The CPRA took effect on January 1, 2023, but it will not be enforceable until July 1, 2023.

What is the Importance of CPRA?

Overall, the California Privacy Rights Act (CPRA) is important because it gives customers more control over their personal information and requires businesses to protect that information.

More specifically, CPRA does the following:

  1. Enhances users’ privacy rights
  2. Imposes obligations on businesses to protect customer privacy rights
  3. Sets a new privacy law standard
  4. More effectively enforces consumer privacy rights through the California Privacy Protection Agency (CPPA)

Create your Privacy Policy Today

Creating a clear and transparent CPRA privacy policy takes work. Hopefully, this article explained how to create a privacy policy that is compliant with this important law.

Captain Compliance can help your business create a privacy policy that meets all the requirements and is compliant with California’s data privacy laws by providing guidance and expertise.

Ensure that you’re handling your customers’ sensitive data with due care with our team of data privacy compliance superheroes!