How to Write CCPA Compliant Privacy Notices

An important component of ensuring your cannabis business or cannabis-related business is compliant with the California Consumer Protection Act (CCPA), which will be enforced starting on July 1, 2020, is updating and publishing compliant privacy notices.

All businesses should review their privacy policies on an annual basis. However, to comply with the privacy notice requirements of the CCPA, businesses must review their privacy notices within a 12-month period to ensure the following things are fully disclosed to consumers in a conspicuous and easily accessible way before or after any information is collected:

  1. Why personal information is being collected or sold
  2. Specific pieces of personal information collected
  3. Categories of personal information being collected
  4. Categories of the sources where data was collected
  5. Categories of third parties that personal information is shared with
  6. Categories of personal information that is disclosed for a business purpose
  7. List of categories of personal information disclosed for business purposes in the preceding 12 months and whether or not the information was actually disclosed
  8. Categories of personal information being sold
  9. Categories of third parties that personal information is sold to by category (or categories) of personal information (see #1 above) for every third party that information is sold to
  10. List of categories of personal information sold in the preceding 12 months and whether or not the information was actually sold
  11. Description of the rights consumers have regarding their personal information

In addition, businesses must update their privacy notices whenever there is a change to how consumers’ personal information is collected and why the information is collected.

Sale vs. Disclosure in a CCPA Compliant Privacy Notice

One of the most frequently asked questions that businesses have related to creating and publishing their privacy notice to be CCPA-compliant is what differentiates a sale of personal information from a disclosure for business purposes (per # 6 and #7 in the list above).

Broadly speaking, the CCPA defines the act of selling data for a business that is covered by the law as communicating or transferring consumers’ personal information to a third party “for monetary or other valuable consideration.”

On the other hand, disclosing information for a business purpose could include a number of different activities based on how the law is written. It could include disclosing personal information for certain auditing, to detect or prevent security incidents, or so a third party can provide a service to the business such as customer service, payment processing, fulfilling orders, advertising, marketing, and finance.

A business purpose also includes disclosing personal information for internal research, to develop or demonstrate technology, to verify or maintain quality or safety, or to improve or upgrade a service or device that is either manufactured or controlled by or for the business.

Keep in mind, there are many business purposes defined within the CCPA, so it’s important to review the law and make sure you understand how it impacts your business. Among the things businesses should do to comply with the CCPA is hiring key employees to help you get compliant and stay that way.

Key Takeaways about Writing a CCPA Compliant Privacy Notice

As part of your cannabis or cannabis-related business’ CCPA compliance efforts, you need to make sure you have the right privacy notice available to consumers when and where they should see it. If you haven’t reviewed yours yet, you should do so as soon as possible so your business is compliant before enforcement of the CCPA begins in July.

Cannabiz Media has already updated its Privacy Policy and added a Privacy Center to its website as part of its CCPA compliance efforts. Be sure to work with an attorney who fully understands the CCPA and other relevant regulations, so your cannabis or cannabis-related business is always in compliance.

While California was the first state to approve strict privacy laws related to consumers’ personal information, other states are reviewing their privacy laws and are likely to follow California in enacting legislation that gives consumers more control over how their personal information is used by businesses.

RELATED: Is Your CRM and Email Marketing Compliant with CCPA? Learn more here.

Discuss On Twitter