Subscribe to Our Newsletter
One way to protect your privacy is to learn what personal information a business collects and how it will use that information. Today most businesses, both brick-and-mortar and online, are required to provide information on their privacy practices. These businesses do so by posting their privacy policy at their store, on their website homepage(s), or on the download or landing page of a mobile application. The business’s privacy policy should be updated at least once a year.
If you are not happy with the policy's terms — or if a business has no written privacy policy —STOP. Consider looking for another business that properly discloses its privacy practices and uses your personal information appropriately. A privacy policy should answer at least the following basic questions.
The privacy policy must list the categories of personal information that the business collects about you. Personal information that businesses collect about you may include the following: name, home address, phone number, email address, Social Security number, driver's license number, financial information (such as credit card numbers, bank account numbers, and household income), biometric information, medical information (such as health insurance plan, diseases or physical conditions, and prescription drugs used), education and work experience, date of birth, the names and ages of spouse or children, and hobbies. Businesses may also collect personal information generated by your computer or mobile device such as geolocation, IP address, and advertising ID.
The privacy policy must list the categories of sources from which the business collects personal information about consumers. A business may collect personal information about a consumer using different methods. A business may ask you to provide your personal information. A business may also collect personal information automatically generated by your computer or mobile device. A business may also buy your personal information from another business.
A privacy policy should describe the specific purpose for collecting personal information from consumers. Is the personal information that the business asked for seem reasonable to you? For example, your name, home address, phone number, and credit card number may be necessary for making and shipping your purchase. Your household income and hobbies are not. Pay attention if a business asks for information beyond what is needed for the transaction. The purpose for the extra information should be clearly stated. Look for an opportunity to opt out of, or say no to, giving extra information. Consider going somewhere else if you can't complete the transaction without giving up personal information you think is unnecessary.
A privacy policy should explain how the business collecting the personal information uses it. Will it be used just to complete the transaction you requested? If additional uses are intended, you might have the right to opt out of them. For example, if a merchant plans to sell your information to another business, or share your information in order to send you targeted ads, you should be given an easy way to opt-out of the selling or sharing of your information.
The privacy policy must identify the categories of third parties to whom the business has disclosed personal information. The privacy policy must also list the categories of third parties to whom personal information was sold or shared. Does the business disclose personal information to other businesses? Does the business sell customer information or share it for targeted advertising? Does it share information with its service providers, affiliates or companies in the same "corporate family"?
Look for opportunities to opt out of the sale of your information or the use of your information for targeted advertising. There should be an easy way to opt out, such as clicking on a “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” link, calling a toll-free phone number, or sending an email.
Some businesses must include an explanation of the rights that California law gives consumers regarding their personal information. A consumer can request that a business tell them the personal information the business keeps about the consumer. A consumer can request that a business delete personal information the business has collected from the consumer. A consumer can ask the business to correct inaccurate personal information the business keeps about the consumer. In addition, these businesses should include an explanation of how a consumer can make a request to know, delete, or correct personal information the business keeps about the consumer.
The privacy policy should give a general description of the security measures the business uses to keep customers' and visitors' personal information safe. It should also cover security safeguards that the organization requires its business partners and vendors to use.
Web sites requesting personal information should use Secure Socket Layers (SSL), the industry standard for protecting private information sent over the Internet. The information is encrypted, or scrambled, into a code. This means that your information can't be read during transmission. Look for signs of security on web pages where you enter personal information. Look for "https," rather than the usual "http," in the address window. Look for a closed lock icon in the lower right or left corner of your screen. These signs mean the connection is secure. You should remain in this secure zone for the entire checkout process.
Someone in the organization should be responsible for its privacy policy and practices1. Does the policy give you someone to contact with questions or concerns? Is there an easy way to contact the right person by email or by a toll-free phone number?
Center for Democracy and Technology, "CDT’s Guide to Online Privacy: Tips".
Privacy Rights Clearinghouse, "Financial Privacy".
1 The tips here discuss how to read a privacy policy that a business is required to post because of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (CCPA), Civil Code §§ 1798.100 et seq. Other laws may also require an organization to have a privacy policy. The federal Financial Services Modernization Act (also called the Gramm-Leach-Bliley Act) requires financial institutions and insurance companies to send a privacy notice to customers every year. See the FTC’s webpage for the Gramm-Leach-Bliley Act for more information. The federal Health Insurance Portability and Accountability Act (HIPAA) requires health care providers, health plans, and health insurers to provide patients with notice of the patient's privacy rights and the privacy practices of the covered entity. See the Department of Health & Human Services’s webpage for HIPAA for more information. The California Online Privacy Protection Act of 2003 (CalOPPA), Business and Professions Code §§ 22575-22579, requires operators of commercial Web sites that collect “personally identifiable” information on California consumers to “conspicuously post” its privacy policy on its Web site. CalOPPA also applies to operators of “online services” that collect personal information on California consumers.
This fact sheet is for informational purposes and should not be construed as legal advice or as policy of the State of California. If you want advice on a particular case, you should consult an attorney or other expert. The fact sheet may be copied, if (1) the meaning of the copied text is not changed or misrepresented, (2) credit is given to the California Department of Justice, and (3) all copies are distributed free of charge.
This fact sheet is for informational purposes and should not be construed as legal advice or as policy of the State of California. If you want advice on a particular case, you should consult an attorney or other expert. The fact sheet may be copied, if (1) the meaning of the copied text is not changed or misrepresented, (2) credit is given to the California Department of Justice, and (3) all copies are distributed free of charge.