If a company already drafted a privacy notice to comply with other United States laws, does it need to change the notice to comply with the CCPA?


There are a number of laws within the United States that require companies to provide people with a notice concerning the company’s privacy practices – a document that is often interchangeably referred to as a “privacy notice,” “privacy policy,” or “information notice.” On the federal side these include the Gramm-Leach-Bliley Act (“GLBA”), which requires financial institutions to provide privacy notices to customers; the Health Insurance Portability and Accountability Act (“HIPAA”), which requires health care plans, health insurers, and health care providers to provide privacy notices to patients; the Family Educational Rights and Privacy Act (“FERPA”), which requires educational institutions that receive federal funding to provide privacy notices to students and parents; and the Children’s Online Privacy Protection Act (“COPPA”), which requires that websites which collect information from children provide a privacy notice to parents. A small number of states have also enacted statutes that require websites which collect information from state residents to provide a privacy notice concerning their online privacy practices, and that require companies which collect Social Security Numbers to provide a privacy notice specific to their collection and use of that data.1

The various statutes that mandate privacy notices in the United States share a common core of requirements; almost all of them require that a company:

  1. Identify the categories of information collected;
  2. Disclose the process (if any) for individuals to request changes to their information;
  3. Disclose how the organization notifies individuals of material changes to the privacy policy; and
  4. Disclose the effective date of the privacy policy.

Beyond this common core, the various United States laws have differing requirements. For example, some state laws require that companies disclose whether or not they honor automated privacy preferences broadcast by users’ browsers; other laws require that companies disclose certain rights of the data subject. It is worth noting that none of the existing United States privacy laws include all of the substantive components of the CCPA; how far a company’s existing privacy notice is from the CCPA’s requirements depends upon the context in which it was drafted, what other United States laws it was intended to satisfy, and whether it incorporated certain “best practices.” That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.2

The following chart indicates which requirements of the CCPA are likely (Y), or are not likely (X), to be found in a United States-based privacy notice drafted to comply with other laws:

| # | Required Privacy Notice Disclosure | CCPA | Most other US Privacy Laws |
|---|---|---|---|
| 1 | Ability to opt-out of sale of information | Y | X |
| 2 | Access rights of individuals | Y | X |
| 3 | Categories of personal information shared with service providers | Y | X |
| 4 | Categories of personal information sold to third parties | Y | X |
| 5 | Contact information for company | Y | Y |
| 6 | Erasure rights of individuals | Y | X |
| 7 | Identify specific categories of data fields collected | Y | X |
| 8 | Purpose for which information will be used | Y | Y |
| 9 | Sources from which personal information was collected | Y | X |
| 10 | Third party recipients of information | Y | Y |
| 11 | Toll-free telephone number for submitting requests | Y | X |
| 12 | Types of personal data collected | Y | Y |