d. Be reasonably accessible to consumers with disabilities. For notices provided online, the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by reference. In other contexts, the business shall provide information on how a consumer with a disability may access the policy in an alternative format.
e. Be available in a format that allows a consumer to print it out as a document.
(b) The privacy policy shall be posted online through a conspicuous link using the word “privacy” on the business’s website homepage or on the download or landing page of a mobile application. If the business has a California-specific description of consumers’ privacy rights on its website, then the privacy policy shall be included in that description. A business that does not operate a website shall make the privacy policy conspicuously available to consumers. A mobile application may include a link to the privacy policy in the application’s settings menu.
(c) The privacy policy shall include the following information:
(1) Right to Know About Personal Information Collected, Disclosed, or Sold.
a. Explanation that a consumer has the right to request that the business disclose what personal information it collects, uses, discloses, and sells.
b. Instructions for submitting a verifiable consumer request to know and links to an online request form or portal for making the request, if offered by the business.
c. General description of the process the business will use to verify the consumer request, including any information the consumer must provide. d. Identification of the categories of personal information the business has collected about consumers in the preceding 12 months. The categories shall be described in a manner that provides consumers a meaningful
understanding of the information being collected.
e. Identification of the categories of sources from which the personal
information is collected.
f. Identification of the business or commercial purpose for collecting or
selling personal information. The purpose shall be described in a manner that provides consumers a meaningful understanding of why the information is collected or sold.
g. Disclosure or Sale of Personal Information.
1. Identification of the categories of personal information, if any,
that the business has disclosed for a business purpose or sold to
third parties in the preceding 12 months.
2.For each category of personal information identified, the
categories of third parties to whom the information was
disclosed or sold.
3. Statement regarding whether the business has actual knowledge
that it sells the personal information of consumers under 16 years of age.
38
CCPA & GDPR Deskbook