Specific CCPA Requirements - Privacy Policy

00:01

welcome everyone to lessen 4.2 as we discussed the specific privacy policy requirements that were established by the passage of the C C. P. A.

00:11

The learning goals and objectives for this course,

00:13

there are approximately 11 privacy policy requirements that were established by the C c. P. A.

00:19

We will review all 11.

00:22

I have to apologize at the outset.

00:24

There really is no other way to present this information to you than to run through all 11.

00:29

I apologize in advance if it might come off as laborious, but we will get through it. I hope, as informative Lee as possible.

00:38

Let's jump right into it.

00:40

Requirement number one.

00:43

Your privacy policy must list the CCP a consumer rights.

00:47

Those are all the rights that identified for you in Module three.

00:51

The privacy policy must inform consumers that they have those rights under the C C. P. A.

00:56

But why?

00:57

Because most people just have no idea what rights they have under the c. C. P. A. And it is the responsibility of the business. I you to tell them that they have those rights.

01:07

You also, by the way, need to include non CCP a rights. Assuming your business is subject to a non CCP a type privacy law,

01:15

usually that's going to be the GDP are

01:21

number two.

01:23

You need to explain that the consumers how they are able to exercise their rights if they choose to do so.

01:29

We will discuss further and modulate the methods that consumers can pursue to exercise their rights.

01:34

The privacy policy needs to let them know how they can do it.

01:40

Requirement number three.

01:42

You must inform consumers of the categories of personal information that the business collects.

01:48

If you recall in Module three, we discussed how access requests pertain to categories as well as the underlying pieces of information.

01:56

You also need to stick it up in your privacy policy and identify on the front end the categories of personal information that your company collects.

02:04

This right here, my friends,

02:06

is frequently a trap.

02:07

You need to make sure that the categories of personal information that your company collects is being represented in the privacy policy. If you are collecting categories of information that your privacy policy is not also declaring that you collect,

02:20

you are going to get fined.

02:22

Please, please, please meet with your stakeholders and make sure that the privacy policy is accurate.

02:28

That goes back to privacy policy concepts in 4.1.

02:31

This needs to be accurate.

02:36

Moving on to requirement number four.

02:38

The categories of personal information that your business has sold needs to also be declared.

02:43

You need to put that separately.

02:45

It's the categories of information that your business collects, and then you separately declare any categories of personal information that your business cells.

02:53

Now, if you believe in your heart of hearts that your business does not sell information, you are also, by the way, welcome. And I encourage you to discuss that with the privacy consultant, a privacy lawyer or your other stakeholders

03:05

that that is not the case.

03:07

The guidance on the C C. P A. Is actually that you can declare in the privacy policy that you don't sell personal information

03:14

again. That's a trap, my friends.

03:16

You need to make sure that that is, in fact, accurate that you do not sell personal information.

03:23

If it is later discovered that you do

03:25

once again,

03:27

you're going to get fined

03:30

requirement. Number five

03:32

the categories of personal information that your business discloses to a third party.

03:38

No

03:38

notice a trend here, but there is a difference.

03:40

There could be categories of personal information that you sent off to your vendors, but

03:46

that's not necessarily a sale.

03:47

You need to again list that separately. I strongly recommend you go through all your vendor contracts.

03:54

You meet with what I've called the data. Stewart's the business line and ask them,

03:59

Hey,

04:00

what vendors do you use? What outbound traffic are you sending?

04:05

I strongly also recommend data inventories and data mapping exercises.

04:11

Privacy consultants and firms and other software solutions can help do that for you,

04:15

but you need to have a really good understanding of where the outbound data flows exist and who is receiving information from your company.

04:25

Let's move on.

04:26

Item number six.

04:28

There needs to be a do not sell link incorporated into your privacy policy as well as the footer of your website.

04:34

We will get to all that in module eight, so I'll skip it for now.

04:40

Requirement number seven.

04:42

You need to also declare how and why your company uses personal information internally.

04:46

That again is consistent with the desires of the privacy advocates and why the CCP, a was passed.

04:54

Organizations have frequently and historically been cryptic about what they do with personal information. Once it arrives within the organization,

05:00

you need to be sure that if there is some sort of internal processing activity that is occurring,

05:06

that that is actually captured in the privacy policy,

05:10

if you are doing something with personal information and that's not captured in the privacy policy,

05:15

I think you see a trend here

05:16

thinking you are going to get find it needs to match reality.

05:21

Item number eight.

05:24

How businesses Share and Disclose Personal Information to Third Party.

05:29

Previously, you are required to identify the categories of personal information that you sent to third parties.

05:35

Now

05:35

we want to know the mechanism you used to effectuate that

05:40

you need to identify the technical data link that is being leveraged by your business to send information to whatever vendor is at issue.

05:47

You don't need to buy the way. Identify the specific vendors. Notice I did not put that there.

05:54

You do need to identify the categories of third parties.

05:58

If you have multiple cloud service providers, then you need to simply right

06:01

cloud service providers.

06:04

You don't need to identify specifically AWS, Google Azure

06:10

Whoever.

06:13

Item number nine.

06:14

How your business addresses the privacy concerns Related to Children.

06:17

I will discuss all things relating to Children in module five, so I'll skip it here.

06:23

I simply need to point out that there needs to be a separate section in your privacy policy on all things Children and data.

06:30

Item number 10.

06:31

Your business has an obligation to declare to the outside world the technical and organizational controls used to safeguard information.

06:40

Right here is why your CSO needs to be involved in the drafting of the privacy policy.

06:46

Because no other arm within the company except information security is going to understand intimately how your network is protected.

06:54

You need to declare it in the privacy policy.

06:57

My guidance here has always been be proud, but

07:00

be realistically humble, one declaring it.

07:02

You don't need to again need Thio specifically cite all the nice controls or anything like that.

07:08

But you do need to generally identify the steps that your company takes to secure information

07:15

last but certainly not least

07:16

contact information for someone.

07:19

If a consumer wants to follow up with their privacy concerns,

07:23

there needs to be someone that can address it.

07:26

Phone and email are required under the C c p A.

07:32

In summary,

07:33

we reviewed all 11 CCP a privacy policy requirements. I'm sorry if that was exhausting, but

07:40

there really was no other way to get through it.

07:42

I recommend you actually pause this video and look at your employer now and see if all 11 are in your privacy policy.

07:48

It's a fantastic way to really understand the concept that we're trying to drive home here.

07:53

Toe. Actually look at a privacy policy

07:58

that summarizes less than 4.2.