The CCPA requires that a business include 15 specific disclosures in its privacy policy. These include, for example, disclosures relating to the enumerated categories of personal information that the business collects, the categories of personal information that are shared with service providers or other third parties, and consumers’ ability to request access to and deletion of their information.

The CPRA amended the CCPA to require that by January 1, 2023, companies include the following disclosure:

| Required Privacy Policy Disclosure | CCPA | CPRA |
|---|---|---|
| 1. Rectification rights of individuals. [1] | | ✓ |

In addition, some companies will be required to include the following two additional disclosures:

| Required Privacy Policy Disclosure | CCPA | CPRA |
|---|---|---|
| 2. Ability to opt-out of sharing of personal information (to the extent that a business engages in sharing as defined under the act). | | ✓ [2] |
| 3. Ability to limit the use of a business’s sharing of sensitive personal information (to the extent that a business uses such information for a purpose not contemplated by the CPRA). | | ✓ [3] |

As a result, businesses that engage in the sharing of personal information or in the use of sensitive personal information (as those terms are defined in the CPRA) may need to revise their privacy policies to comply with the CPRA; businesses that do not engage in the sharing of personal information or the collection and use of sensitive personal information will not need to revise their privacy policies.

The CCPA also requires that beginning on January 1, 2023, businesses state within their policy at collection the length of time that the business intends to retain each category of personal information that it collects. Some businesses may attempt to satisfy this requirement by disclosing retention periods within their privacy policy. If a company uses its privacy policy to satisfy this requirement, the following would also be required:

| Required Privacy Policy Disclosure | CCPA | CPRA |
|---|---|---|
| 4. The length of time the business intends to retain each category of personal information that it collects (or the criteria used to determine that period of time). [4] | | |

1 Cal. Civ. Code 1798.106(b).

2 Cal. Civ. Code 1798.135(c)(2).

3 Cal. Civ. Code 1798.135(c)(2).

4 Cal. Civ. Code 1798.100(a)(3).