Cal. Code Regs. Tit. 11, § 7011 - Privacy Policy

(a) The purpose of the privacy policy is to provide consumers with a comprehensive description of a business's online and offline information practices. It shall also inform consumers about the rights they have regarding their personal information and provide any information necessary for them to exercise those rights.

(b) The privacy policy shall comply with section 7003, subsections (a) and (b).

(c) The privacy policy shall be available in a format that allows a consumer to print it out as a document.

(d) The privacy policy shall be posted online and accessible through a conspicuous link that complies with section 7003, subsections (c) and (d), using the word "privacy" on the business's website homepage(s) or on the download or landing page of a mobile application. If the business has a California-specific description of consumers' privacy rights on its website, then the privacy policy shall be included in that description. A business that does not operate a website shall make the privacy policy conspicuously available to consumers. A mobile application may include a link to the privacy policy in the application's settings menu.

(e) The privacy policy shall include the following information:

(1) A comprehensive description of the business's online and offline information practices, which includes the following:

(A) Identification of the categories of personal information the business has collected about consumers in the preceding 12 months. The categories shall be described using the specific terms set forth in Civil Code section 1798.140, subdivisions (v)(1)(A) to (K) and (ae)(1) to (2). To the extent that the business has discretion in its description, the business shall describe the category in a manner that provides consumers a meaningful understanding of the information being collected.

(B) Identification of the categories of sources from which the personal information is collected.

(C) Identification of the specific business or commercial purpose for collecting personal information from consumers. The purpose shall be described in a manner that provides consumers a meaningful understanding of why the information is collected.

(D) Identification of the categories of personal information, if any, that the business has sold or shared to third parties in the preceding 12 months. If the business has not sold or shared consumers' personal information in the preceding 12 months, the business shall disclose that fact.

(E) For each category of personal information identified in subsection (e)(1)(D), the categories of third parties to whom the information was sold or shared.

(F) Identification of the specific business or commercial purpose for selling or sharing consumers' personal information. The purpose shall be described in a manner that provides consumers a meaningful understanding of why the information is sold or shared.

(G) A statement regarding whether the business has actual knowledge that it sells or shares the personal information of consumers under 16 years of age.

(H) Identification of the categories of personal information, if any, that the business has disclosed for a business purpose to third parties in the preceding 12 months. If the business has not disclosed consumers' personal information for a business purpose in the preceding 12 months, the business shall disclose that fact.

(I) For each category of personal information identified in subsection (e)(1)(H), the categories of third parties to whom the information was disclosed.

(J) Identification of the specific business or commercial purpose for disclosing the consumer's personal information. The purpose shall be described in a manner that provides consumers a meaningful understanding of why the information is disclosed.

(K) A statement regarding whether the business uses or discloses sensitive personal information for purposes other than those specified in section 7027, subsection (m).

(2) An explanation of the rights that the CCPA confers on consumers regarding their personal information, which includes all of the following:

(A) The right to know what personal information the business has collected about the consumer, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom the business discloses personal information, and the specific pieces of personal information the business has collected about the consumer.

(B) The right to delete personal information that the business has collected from the consumer, subject to certain exceptions.

(C) The right to correct inaccurate personal information that a business maintains about a consumer.

(D) If the business sells or shares personal information, the right to opt-out of the sale or sharing of their personal information by the business.

(E) If the business uses or discloses sensitive personal information for reasons other than those set forth in section 7027, subsection (m), the right to limit the use or disclosure of sensitive personal information by the business.

(F) The right not to receive discriminatory treatment by the business for the exercise of privacy rights conferred by the CCPA, including an employee's, applicant's, or independent contractor's right not to be retaliated against for the exercise of their CCPA rights.

(3) An explanation of how consumers can exercise their CCPA rights and what consumers can expect from that process, which includes all of the following:

(A) An explanation of the methods by which the consumer can exercise their CCPA rights.

(B) Instructions for submitting a request under the CCPA, including any links to an online request form or portal for making such a request, if offered by the business.

(C) If the business sells or shares personal information, and is required to provide a Notice of Right to Opt-out of Sale/Sharing, the contents of the Notice of Right to Opt-out of Sale/Sharing or a link to that notice in accordance with section 7013, subsection (f).

(D) If the business uses or discloses sensitive personal information for purposes other than those specified in section 7027, subsection (m), and is required to provide a Notice of Right to Limit, the contents of the Notice of Right to Limit or a link to that notice in accordance with section 7014, subsection (f).

(E) A general description of the process the business uses to verify a consumer request to know, request to delete, and request to correct, when applicable, including any information the consumer must provide.

(F) Explanation of how an opt-out preference signal will be processed for the consumer (i.e., whether the signal applies to the device, browser, consumer account, and/or offline sales, and in what circumstances) and how the consumer can use an opt-out preference signal.

(G) If the business processes opt-out preference signals in a frictionless manner, information on how consumers can implement opt-out preference signals for the business to process in a frictionless manner.

(H) Instructions on how an authorized agent can make a request under the CCPA on the consumer's behalf.

(I) If the business has actual knowledge that it sells the personal information of consumers under 16 years of age, a description of the processes required by sections 7070 and 7071.

(J) A contact for questions or concerns about the business's privacy policies and information practices using a method reflecting the manner in which the business primarily interacts with the consumer.

(4) Date the privacy policy was last updated.

(5) If subject to the data reporting requirements set forth in section 7102, the information required under section 7102, or a link to that information.

Notes

Cal. Code Regs. Tit. 11, § 7011

1. Change without regulatory effect renumbering section 999.308 to new section 7011, including amendments, filed 5-5-2022 pursuant to section 100, title 1, California Code of Regulations (Register 2022, No. 18).
2. Amendment of section and NOTE filed 3-29-2023; operative 3-29-2023 pursuant to Government Code section 11343.4(b)(3) (Register 2023, No. 13).

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.125, 1798.130 and 1798.135, Civil Code.

1. Change without regulatory effect renumbering section 999.308 to new section 7011, including amendments, filed 5-5-2022 pursuant to section 100, title 1, California Code of Regulations (Register 2022, No. 18).
2. Amendment of section and NOTE filed 3-29-2023; operative 3/29/2023 pursuant to Government Code section 11343.4(b)(3) (Register 2023, No. 13).