CYBER RISK & LAW



CCPA Landmine No 5


Paying Attention to the Privacy Notice

- Businesses looking to comply with the CCPA need to make sure that their privacy notice is designed in a way that is “easy to read and understandable to an average consumer”. It must use “plain, straightforward language” and “use a format that makes the policy readable, even on small screens.” Expect the California Attorney General to scrutinize current notices. Rethink your privacy notice if it was drafted “by lawyers for lawyers”. A failure to craft a notice as mandated could result in fines or litigation.

- Privacy notices must be concise, readable and accessible, and should not present a rabbit hole with twists, turns and complications that the average user will never be able to comprehend. The privacy notice for Caesar’s Entertainment, considered by some to be the longest, clocks in at 9,965 words. Compare that to the average short story, which is 7,500 words. (Washington Irving’s “Rip Van Winkle” is only 6,950 words, and certainly more gripping than the usual privacy notice.) Consider using tables, icons or pictographs as part of your notice. (See, e.g., www.fitbit.com/privacy.)

- So, crafting a privacy notice must be done carefully and with one question in mind: are we adequately communicating our privacy practices to our average consumer? Today’s privacy notices are best structured as “layered notices”, that is, notices built in layers, such that readers can skip directly to the section of interest to them. But even layered notices are subject to scrutiny and, in Google’s case, resulted in a fine under the GDPR for forcing readers through a labyrinth of documents such that “users are not able to fully understand the extent of the processing operations carried out by Google”1.

CYBER Risk & Law offers compliance services that help you to 1) prepare for CCPA requests and investigations, 2) respond to consumer requests and investigations and 3) demonstrate your due diligence to implement and maintain reasonable security procedures.
