You Have a Website Privacy Policy, but Does Your Website Comply with U.S. Data Privacy Laws?

Most U.S. businesses are aware that they need to have a Privacy Policy available on their websites. Most businesses also are aware that the generic forms they may obtain from third-party website developers or through general internet searches of comparable companies’ privacy policies are not a substitute for a Privacy Policy tailored to a particular business’s activities and the way its website functions.

However, businesses that are subject to the jurisdiction of various U.S. privacy laws need to equally focus on making sure their websites function in a manner that is consistent with the mandates of applicable U.S. data privacy laws. Regulators are noticing website functionality deficiencies, and they are holding companies accountable for not fully allowing consumers to exercise their data privacy rights.

Below are some reminders of required website functionalities under the California Consumer Privacy Act, Cal. Civ. Code § 1798.100, et seq., as amended by California’s Privacy Rights Act (referred to collectively herein as “CCPA”).

“Notice at Collection of Personal Information”

Businesses shall provide a “Notice at Collection of Personal Information” at or before the point Personal Information is collected. The “Notice at Collection of Personal Information” shall provide:

  • The categories of Personal Information to be collected;
  • The purposes for which the Personal Information is collected or used; and
  • Whether the Personal Information is sold or shared.

Businesses may post a conspicuous link to the “Notice at Collection of Personal Information” on the introductory page of the business’s website and on all webpages where Personal Information is collected. The “Notice at Collection of Personal Information” may be given to the consumer by providing a link that takes the consumer directly to the specific section of the business’s Privacy Policy that contains the information required in the “Notice at Collection of Personal Information.”

“Notice of Right to Opt-Out of Sale/Sharing”

Businesses that sell or share consumers’ Personal Information shall provide a “Do Not Sell or Share My Personal Information” link on the business’s website homepage that allows consumers to exercise those rights.

Additionally, businesses shall inform consumers of their right to direct a business to stop selling or sharing their Personal Information – “Notice of Right to Opt-Out of Sale/Sharing.” This disclosure includes:

  • A description of the consumer’s right to opt-out of the sale or sharing of their Personal Information;
  • Instructions on how the consumer can submit a request to opt-out of the sale or sharing of Personal Information; and
  • The “Notice of Right to Opt-Out of Sale/Sharing” shall include the interactive form by which the consumer can submit the request to opt-out of sale or sharing online.

“Limit the Use of My Sensitive Personal Information”

Businesses that use and disclose sensitive personal information of consumers shall provide a “Limit the Use of My Sensitive Personal Information” link on the business’s website homepage that allows consumers to exercise that right.

Additionally, businesses shall inform consumers of their right to limit the use of their sensitive personal information – “Limit the Use of My Sensitive Personal Information.” This disclosure includes:

  • A description of the consumer’s right to limit;
  • Instructions on how the consumer can submit a request to limit; and
  • The “Limit the Use of My Sensitive Personal Information” shall include the interactive form by which the consumer can submit the request to limit online.

The Alternative Opt-Out Link

In the alternative to providing two separate links to “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information,” businesses may provide consumers with a single, clearly-labeled link that allows consumers to easily exercise both of these rights.

Businesses shall entitle this alternative link, “Your Privacy Choices,” or “Your California Privacy Choices.” This link shall be on the business’s website homepage. It shall be accompanied by the following opt-out icon adjacent to the title:

[Image: “Privacy Options” opt-out icon]

The Alternative Opt-Out Link shall direct consumers to a webpage that includes the following information:

  • A description of the consumer’s right to opt-out of the sale or sharing and the right to limit the use and disclosure of sensitive personal information; and
  • The interactive form or mechanism by which the consumer can submit the request to opt-out of the sale or sharing and the right to limit the use and disclosure of sensitive personal information.

The information above is a general summary. The full text of CCPA’s Regulations can be found here. Additionally, on 07/24/2025, the California Privacy Protection Agency (CPPA) Board unanimously approved amendments to the CCPA Regulations, addressing, among other items, (i) mandatory annual cybersecurity audits, (ii) data protection risk assessments, and (iii) regulation of automated decision-making technology (ADMT). See here. These amendments move to the Office of Administrative Law (OAL) for further action.

If you would like more information on whether your business’s website is compliant with current U.S. data privacy laws, please feel free to contact us.
