Updated: Jan 19
DISCLAIMER: This website is for informational purposes only - the information provided on this website does not, and is not intended to constitute financial or legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information may not constitute the most up-to-date legal or other information. Readers should contact their CPA and/or attorney to obtain advice with respect to any particular matter.
A Quick History Lesson
Because California is the most restrictive state in terms of consumer privacy protection, I will focus on it here; other states are expected to follow suit.
This applies to any "commercial website owner [who] collects and maintains personally identifiable information from a consumer residing in California."
2018 - Passage of the California Consumer Privacy Act
Provided consumers the right to:
Know what personal information a business collects about them and how it is used and shared;
Delete personal information collected from them (with few exceptions);
Opt out of the sale of their personal information; and
Not be discriminated against for exercising any of these rights under the CCPA.
Businesses meeting certain criteria (mostly big businesses and data brokers) are required to provide consumers notices explaining their practices for collecting, using, sharing and selling personal information, both on and offline.
2022 - California Privacy Rights Act (Prop 24) - effective January 1, 2023
Allows consumers the right to prevent businesses from sharing their personal data, correct inaccurate personal data, and limit businesses' usage of sensitive personal information.
The privacy policy itself must disclose:
Categories of personally identifiable information collected through the site or service about users;
Categories of third parties with whom the business may share the personal information;
Description of the process for a user or visitor to review and request changes to his or her personally identifiable information collected through the site or service, if the operator maintains such a process;
Data retention periods;
Business contact details; and
How your business responds to a browser DNT (Do Not Track) signal or to “other mechanisms,” and whether other parties are conducting online tracking on your site or service.
Note: personally identifiable information includes the following: first and last name; home or other physical address, including street name and name of a city or town; e-mail address; telephone number; social security number; any other identifier that permits the physical or online contacting of a specific individual; and information concerning a user that the web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier.
Scope of Policy
Indicate what entities it covers, such as subsidiaries or affiliates.
Describe how you collect personally identifiable information, such as from other sources and how you do so.
Do you collect personally identifiable information through technologies such as cookies or web beacons on your site or app?
Be reasonably specific about describing the kind of personally identifiable information you collect about users and visitors. At a minimum, list the categories of personal information that you collect from users and visitors.
If you collect personally identifiable information from children under the age of 13, you may have additional obligations under federal law. Consult the FTC’s guidance on the Children’s Online Privacy Protection Act before collecting any such information.
Online Tracking / Do Not Track
Describe your specific policy regarding online tracking or how you respond to consumers’ DNT signals. Use a header, for example “How We Respond to Do Not Track Signals,” “Online Tracking” or “California Do Not Track Disclosures.”
Describe whether you treat consumers whose browsers send a DNT signal differently from those without one; state whether you collect personally identifiable information about a consumer’s browsing activities over time and across third-party web sites or online services when you receive a DNT signal; and, if you do continue to collect personally identifiable information about consumers with a DNT signal as they move across other sites or services, describe your uses of that information.
Disclose the presence of other parties that collect personally identifiable information on your site or service, if any. State whether other parties are or may be conducting online tracking of consumers or visitors while they are on your site or service.
Confirm your tracking practices with those responsible for your site’s or service’s operations to ensure that your practices correspond to what you say in your policy.
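The following is an added example, not part of the original article: a small request-handling helper that honours a browser Do Not Track signal (sent as the `DNT: 1` request header) and, as one of the "other mechanisms", the Global Privacy Control header (`Sec-GPC: 1`), together with an audit that checks a handler's actual behaviour against what the privacy policy claims, which is the confirmation step described above. The `POLICY` keys, the handler names, and the sample request headers are constructed for illustration and are not a standard or anyone's production code.

```python
# Added example: honour DNT / GPC opt-out signals and audit that the server's
# real behaviour matches the published privacy policy. POLICY keys, handler
# names and SAMPLE_REQUESTS are constructed for this example.
from typing import Callable, Mapping

# What the privacy policy says. These keys are assumptions for this example.
POLICY = {
    "honors_dnt": True,             # "We do not track visitors who send DNT: 1"
    "honors_gpc": True,             # "other mechanisms": Global Privacy Control
    "third_party_tracking": False,  # "No other parties track visitors on our site"
}

Headers = Mapping[str, str]
# A decision records what the handler will actually do for one request.
Decision = dict  # {"analytics_cookie": bool, "third_party_beacons": bool, "cross_site_log": bool}


def _lower(headers: Headers) -> dict:
    # HTTP header names are case-insensitive; normalise before lookup.
    return {k.lower(): v.strip() for k, v in headers.items()}


def opt_out_signalled(headers: Headers, policy: Mapping = POLICY) -> bool:
    """True if the request carries an opt-out signal the policy promises to honour."""
    h = _lower(headers)
    dnt = policy["honors_dnt"] and h.get("dnt") == "1"
    gpc = policy["honors_gpc"] and h.get("sec-gpc") == "1"
    return dnt or gpc


def compliant_handler(headers: Headers, policy: Mapping = POLICY) -> Decision:
    """Tracking decisions a handler makes when it follows the policy."""
    track = not opt_out_signalled(headers, policy)
    return {
        "analytics_cookie": track,
        "third_party_beacons": track and policy["third_party_tracking"],
        "cross_site_log": track,
    }


def legacy_handler(headers: Headers, policy: Mapping = POLICY) -> Decision:
    """Constructed example of a handler that never looks at DNT or GPC at all."""
    return {"analytics_cookie": True, "third_party_beacons": False, "cross_site_log": True}


SAMPLE_REQUESTS = [  # constructed request headers
    {"User-Agent": "Mozilla/5.0", "DNT": "1"},
    {"User-Agent": "Mozilla/5.0", "Sec-GPC": "1"},
    {"User-Agent": "Mozilla/5.0", "dnt": "0"},
    {"User-Agent": "Mozilla/5.0"},
]


def audit(handler: Callable[[Headers], Decision], policy: Mapping = POLICY,
          requests=SAMPLE_REQUESTS) -> list:
    """Return mismatches between the policy text and what the handler really does."""
    findings = []
    for i, hdrs in enumerate(requests):
        d = handler(hdrs)
        h = _lower(hdrs)
        tracked = d["analytics_cookie"] or d["cross_site_log"] or d["third_party_beacons"]
        if policy["honors_dnt"] and h.get("dnt") == "1" and tracked:
            findings.append(f"request {i}: policy honours DNT but handler still tracks")
        if policy["honors_gpc"] and h.get("sec-gpc") == "1" and tracked:
            findings.append(f"request {i}: policy honours GPC but handler still tracks")
        if not policy["third_party_tracking"] and d["third_party_beacons"]:
            findings.append(f"request {i}: policy says no third-party tracking but beacons load")
    return findings


if __name__ == "__main__":
    print("compliant handler:", audit(compliant_handler))  # []
    print("legacy handler:", audit(legacy_handler))        # two findings
```

The audit takes the real request handler as a function so it can be pointed at production code rather than at a copy of it; running it against the sample requests shows the legacy handler contradicting the "we honour DNT" and "we honour other mechanisms" statements, which is exactly the mismatch the policy review is meant to catch before publication.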
Data Use and Sharing
Explain the uses of personally identifiable information beyond what is necessary for fulfilling a customer transaction or for the basic functionality of an online service.
Explain your practices regarding the sharing of personally identifiable information with other entities, including affiliates and marketing partners.
At a minimum, list the different types or categories of companies with which you share customer personal information.
Whenever possible, provide a link to the privacy policies of third parties with whom you share personally identifiable information.
Provide the retention period for each type or category of personally identifiable information collected.
How You Collect, Use and Share Personal Information
Provide clear instructions on how individuals can exercise their choices regarding your collection, use and sharing of their information. Identify how their preferences will be recorded and how long it will take to implement customer preferences.
You may offer your customers the opportunity to review and correct their personal information. Explain how they can get access to their own personal information in your records. Make sure you have procedures in place to verify identity and authenticate access.
Security of Personal Information
Explain how you protect your customers’ personal information from unauthorized or illegal access, modification, use or destruction.
Give a general description of the security measures used to safeguard the personal information, but not in such detail as to compromise your security.
Give a general description of the measures you use to control the information security practices of third parties with whom you share customer personal information for any purpose.
Provide contact information for questions or concerns about your privacy policies and practices.
At a minimum, provide the title and e-mail or postal address of a company official who will respond to privacy questions or concerns. It is a good idea to offer a telephone number, perhaps toll-free.