One week into the final month of what has been a memorable 2020, maintaining an organization’s privacy hygiene is more pressing than ever – and includes new requirements.
Per CCPA Section 1798.130(a)(5), required disclosures include:
- a list of the categories of PI a business has collected about consumers in the preceding 12 months;
- a list of categories of PI a business has sold about consumers in the preceding 12 months (or a statement that it has not sold);
- a list of categories of PI a business has disclosed to service providers for a business purpose in the preceding 12 months; and
- designated methods for submitting consumer requests to that business, among other disclosures.
Privacy policies also must state the categories of sources from which PI is collected, identify the commercial or business purpose for collecting or selling PI, and identify the categories of third parties to whom PI was disclosed or sold.
Mobile-Optimized. Notices at the point of PI collection and privacy policies must be designed for readability wherever a consumer may encounter them, including on smaller screens in the mobile context, making formatting decisions and transparency-focused UX key considerations, and may require a reassessment of whether a business is in line with this requirement.
Offline Notice. According to a third set of proposed modifications to the CCPA regulations released on Oct. 12, 2020, and which is still under consideration, a business that collects PI in the course of interacting with consumers offline must also provide notice via an offline method that facilitates consumers’ awareness of their right to opt out.
Examples provided by the proposed modifications include a PI-collecting brick-and-mortar store providing notice via the paper forms where it collects PI, or by posting signage in the area where the PI is collected and directing consumers to where the notice can be found. For businesses collecting PI over the phone, they must provide the notice orally during the call. These requirements are not yet finalized, but businesses can start to plan for them now in the event they are published largely unchanged.
Last Updated Date. Although already a common practice, the CCPA regulations require privacy policies to display their “last updated” date.