Yes, your privacy notice does need to be “that good.” If it isn’t, the California Attorney General’s Office might come knocking.
Here are some key points from the AG’s second year enforcement report:
Get Those Global Privacy Controls. Period.
You can’t use web tracking technologies to make consumers’ personal information available to third parties in exchange for services like advertising or analytics without offering an opt-out mechanism or ensuring the third party is a CCPA-compliant service provider. The report places specific emphasis on businesses that fail to recognize or honor Global Privacy Control signals.
Privacy Notice Deficiencies
- The notice must be easy to read and understandable to the average consumer.
- You must include a notice of CCPA consumer rights and whether or not you sell information (with clear disclosures).
- You must describe the information a consumer must provide in order to make a verifiable consumer request.
- You must list the categories of personal information collected or disclosed in the past twelve months.
- If you are a service provider and a business for some processes, you must make this clear in your notice.
- You can’t limit the exercise of rights to once per 12 months.
- You can’t force people to take additional steps to opt out by directing them to a third-party trade association’s tool designed to manage online advertising.
- You can’t use a double negative.
- You have to use simple language.
- Simple, easy to understand toggles are better than confusing drop down menus.
- It must be clear whether a consumer is required to create an account in order to complete a request.
Do Not Sell
- You have to have a clear and conspicuous “Do Not Sell My Personal Information” link.
- You have to recognize GPC.
- You can’t provide choices that are confusing because of unclear language and toggle options. For example, in one case, turning the “opt-out of sale of personal information” toggle to “on” actually opted the consumer in to third-party cookies and the sale of their personal information; the consumer had to turn the toggle “off” to opt out of the sale.
- You have to clearly state that you do not sell personal information of minors under 18.
- The link can’t just work on some browsers but not others.
- The link can’t direct consumers to a confusing webpage that requires several additional steps to submit CCPA requests.
- You can’t treat a click on an “accept sharing” button during account creation as blanket consent to sell personal information. This is not compliant.
- You need to make clear what effectuates an opt out of sale. If adjusting mobile device settings would limit future tracking, but would not effectuate a CCPA opt-out request, you have to make that clear.
Notice at Collection Issues
If using a link, you cannot just link to the beginning of the privacy notice. You have to link to the relevant sections for the disclosure (deep link).
Service Provider Agreement Failures
You must contractually prohibit your service providers from retaining, using, or disclosing personal information they receive for any purpose other than performing the services specified in the contract.
Notice of Financial Incentive
- If you operate loyalty programs that offer financial incentives (including product discounts, service differences and/or reduced prices) for the collection of consumers’ personal information, you must post a compliant Notice of Financial Incentive.
- The notices need to be at the cash register if appropriate.
- If using hyperlinks to the notice, they must be appropriately titled deep links to the relevant section. You must obtain express opt-in consent to the financial incentive.