Home Table of Contents

§ 999.308. Privacy Policy.

11 CA ADC § 999.308BARCLAYS OFFICIAL CALIFORNIA CODE OF REGULATIONS

Barclays Official California Code of Regulations Currentness
Title 11. Law
Division 1. Attorney General
Chapter 20. California Consumer Privacy Act Regulations
Article 2. Notices to Consumers
11 CCR § 999.308
§ 999.308. Privacy Policy.
(a) Purpose and General Principles
(1) The purpose of the privacy policy is to provide consumers with a comprehensive description of a business's online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information.
(2) The privacy policy shall be designed and presented in a way that is easy to read and understandable to consumers. The policy shall:
a. Use plain, straightforward language and avoid technical or legal jargon.
b. Use a format that makes the policy readable, including on smaller screens, if applicable.
c. Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California.
d. Be reasonably accessible to consumers with disabilities. For notices provided online, the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by reference. In other contexts, the business shall provide information on how a consumer with a disability may access the policy in an alternative format.
e. Be available in a format that allows a consumer to print it out as a document.
(b) The privacy policy shall be posted online through a conspicuous link using the word “privacy” on the business's website homepage or on the download or landing page of a mobile application. If the business has a California-specific description of consumers' privacy rights on its website, then the privacy policy shall be included in that description. A business that does not operate a website shall make the privacy policy conspicuously available to consumers. A mobile application may include a link to the privacy policy in the application's settings menu.
(c) The privacy policy shall include the following information:
(1) Right to Know About Personal Information Collected, Disclosed, or Sold.
a. Explanation that a consumer has the right to request that the business disclose what personal information it collects, uses, discloses, and sells.
b. Instructions for submitting a verifiable consumer request to know and links to an online request form or portal for making the request, if offered by the business.
c. General description of the process the business will use to verify the consumer request, including any information the consumer must provide.
d. Identification of the categories of personal information the business has collected about consumers in the preceding 12 months. The categories shall be described in a manner that provides consumers a meaningful understanding of the information being collected.
e. Identification of the categories of sources from which the personal information is collected.
f. Identification of the business or commercial purpose for collecting or selling personal information. The purpose shall be described in a manner that provides consumers a meaningful understanding of why the information is collected or sold.
g. Disclosure or Sale of Personal Information.
1. Identification of the categories of personal information, if any, that the business has disclosed for a business purpose or sold to third parties in the preceding 12 months.
2. For each category of personal information identified, the categories of third parties to whom the information was disclosed or sold.
3. Statement regarding whether the business has actual knowledge that it sells the personal information of consumers under 16 years of age.
(2) Right to Request Deletion of Personal Information.
a. Explanation that the consumer has a right to request the deletion of their personal information collected by the business.
b. Instructions for submitting a verifiable consumer request to delete and links to an online request form or portal for making the request, if offered by the business.
c. General description of the process the business will use to verify the consumer request, including any information the consumer must provide.
(3) Right to Opt-Out of the Sale of Personal Information.
a. Explanation that the consumer has a right to opt-out of the sale of their personal information by a business.
b. Statement regarding whether or not the business sells personal information. If the business sells personal information, include either the contents of the notice of right to opt-out or a link to it in accordance with section 999.306.
(4) Right to Non-Discrimination for the Exercise of a Consumer's Privacy Rights.
a. Explanation that the consumer has a right not to receive discriminatory treatment by the business for the exercise of the privacy rights conferred by the CCPA.
(5) Authorized Agent.
a. Instructions on how an authorized agent can make a request under the CCPA on the consumer's behalf.
(6) Contact for More Information.
a. A contact for questions or concerns about the business's privacy policies and practices using a method reflecting the manner in which the business primarily interacts with the consumer.
(7) Date the privacy policy was last updated.
(8) If subject to the requirements set forth in section 999.317, subsection (g), the information compiled in section 999.317, subsection (g)(1), or a link to it.
(9) If the business has actual knowledge that it sells the personal information of consumers under 16 years of age, a description of the processes required by sections 999.330 and 999.331.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.105, 1798.115, 1798.120, 1798.125 and 1798.130, Civil Code.
HISTORY
1. New section filed 8-14-2020; operative 8-14-2020 pursuant to Government Code section 11343.4(b)(3) (Register 2020, No. 33).
This database is current through 10/16/20 Register 2020, No. 42
11 CCR § 999.308, 11 CA ADC § 999.308
End of Document© 2020 Thomson Reuters. No claim to original U.S. Government Works.