CCPA Compliance: Privacy Policy and Notices Checklist

Privacy Policy and Notices

Creating a CCPA-compliant privacy policy and other required notices will take advantage of all the work you’ve done in the previous steps, effectively translating your data map into a public document. Use the following checklist to make sure your privacy notices meet the CCPA’s requirements.

  • Update current privacy policy

    Most businesses already have a privacy policy; this is a good time to make any necessary updates based on your CCPA preparations.

  • Create a CCPA addendum

    This will be an addition to your business’s current policy, with everything needed to meet the CCPA’s notice requirements.

    • Inform consumers of their CCPA privacy rights

      Consumers have a right to know, right to delete, right to opt out, and right to non-discrimination.

    • Instructions on how to make a verifiable request

      Different requests must be verified to different degrees based on the personal information involved. The CCPA addendum should cover these verification procedures.

    • Inform consumers they can make requests through an agent

      Consumers may make privacy requests through an authorized agent, though the business may also need to verify that the agent has the consumer’s permission to act on their behalf.

    • What personal information is collected, from what source, and for what purposes

      Refer to your business's data map.

    • What sensitive personal information is collected, for what purposes, and whether it is sold or shared

      Refer to your business's data map.

    • What personal information is disclosed to third parties, contractors, and service providers, as well as the categories of those parties

      Refer to your business's data map.

    • How long your business intends to retain each category of personal information

      Your business will need to create a data retention policy.

    • What personal information is sold to or shared with third parties, and the categories of such third parties

      Refer to your business's data map.

    • At least two methods for contacting the business and making privacy requests

      These contact methods should reflect the means by which a business normally interacts with consumers. For example, a business that mostly interacts with consumers online must provide at least one online contact method.

  • Additional privacy notices
    • Employees and job applicants

      Employees and job applicants have the same rights as anyone else, so you'll need to include privacy disclosures in application and employment paperwork.

    • "Do Not Sell or Share My Personal Information" page

      Businesses that sell or share consumers’ personal information must provide a “Do Not Sell or Share My Personal Information” link on their homepage. The link must go to either a separate web page or a section of the privacy policy that informs consumers of the business’s selling and sharing practices and of their opt-out rights.

    • Financial incentives

      Though businesses may not discriminate against consumers who exercise their CCPA rights, in some circumstances they may offer financial incentives to consumers for opting in to the sale or sharing of their personal information. If they do so, they must provide an additional notice that covers the details of those incentives.

    • High volumes of personal information

      Businesses that annually buy, sell, share, or receive the personal information of 10 million or more consumers must compile and disclose additional data in their privacy policy.

    • Notices regarding minors under 18

      If your business has knowledge that it sells or shares the personal information of consumers under the age of 16, it must make additional disclosures regarding the special rules for obtaining their consent.

    • Brick-and-mortar store requirements

      If a business collects and uses personal information at its physical store locations, it must disclose this in its online privacy policy, provide a notice at the point of collection, and designate a toll-free number for making CCPA privacy requests.

  • Placement at points of collection

    Links to the privacy policy should be placed at every point where personal information is collected.

  • General principles
    • Plain, straightforward language
    • Format draws reader's attention to the notice
    • Readable on small screens
    • Available in the languages the business normally uses
    • Reasonably accessible to users with disabilities

Generate Your Privacy Notices Automatically

Your business’s privacy policy is the most conspicuous expression of CCPA compliance, so it’s important to get it right. TrueVault takes all the necessary information from your business’s data map and instantly generates all the required CCPA privacy notices.

Contact our team to learn how TrueVault can streamline your CCPA compliance.