CCPA Regulations: Requirements for Privacy Policies and Notices at Collection
In a prior blog post I provided an overview of the regulations associated with the California Consumer Privacy Act (CCPA) that the California Attorney General (AG) submitted to the California Office of Administrative Law (OAL). As a reminder, the CCPA is the United States’ most comprehensive consumer privacy law. It gives consumers both the “Right to Know” (i.e. you can find out what personal information has been collected on you) and the “Right to Say No” (you can say no to the sale of your personal data). It also holds businesses accountable for safeguarding consumers’ personal information. The CCPA called for the creation of regulations by the Cal AG primarily to “address changes in technology, data collection practices, obstacles to implementation, and privacy concerns” with the law.
The CCPA regulations will likely be approved by the OAL and in turn become enforceable sometime between July 1st and October 1st of 2020 (the CCPA itself kicked in on January 1, 2020). Note that an attorney from the AG’s office said in a recent LinkedIn webcast that the office began enforcing the “four corners of the law” (as opposed to what is spelled out only in the regulations) on July 1, 2020, and that as of July 1st it had already sent initial notices to some companies to give them fair warning that they may be in violation of the CCPA. So it appears phase 1 of enforcement is the law itself, with phase 2 being the regulations.
The CCPA regulations are quite prescriptive (you can find them here) in terms of the obligations that businesses must follow. There are in fact over 75 instances of the expression “a business shall …” in the regulations.
In this blog post I am going to focus on Article 2 of the regulations, and more specifically the two mandatory “Notices to Consumers” that businesses must provide to consumers.
Overview of Notices
The CCPA Regulations in Article 2 call out four notices, with the first two applying to all businesses and the last two applying only in particular scenarios:
1. Privacy Policy.
2. Notice at Collection.
3. Notice of Right to Opt-Out.
4. Notice of Financial Incentive.
As a quick reminder, per the CCPA a “business” is a for-profit entity that collects the personal information of “consumers” (i.e. California residents) *and* that either (a) has gross revenue greater than $25 million, OR (b) buys/sells/shares the personal information of over 50,000 consumers, households or devices, OR (c) derives 50% or more of its revenue from selling consumers’ personal information. This means that, per the definition of “business,” if an entity is a non-profit, and/or is below the thresholds listed above, and/or simply does not collect personal information, then it does not have to provide any of these notices, including a privacy policy.
The regulations require that each notice must (a) be in plain, straightforward language and avoid technical or legal jargon; (b) use a format that is readable to the consumer, even on smaller screens; (c) be available in the languages in which the business ordinarily conducts business; and (d) be reasonably accessible to consumers with disabilities.
Let’s look at the first two in more detail; I will cover the latter two in a future blog post. I will also cross-reference the corresponding Section (represented by the “§” symbol) of the CCPA Regulations for each notice.
Privacy Policy [§ 999.308]
Every business must have one of these. The purpose of the Privacy Policy is “to provide consumers with a comprehensive description of a business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information.” And like all notices in the CCPA Regulations, as mentioned above, it must be easy to read and understandable to consumers.
Location
The privacy policy shall be posted on the business’s home page “through a conspicuous link” using the word “privacy”. For mobile apps, it must be on the download or landing page and may also be accessible through the application’s settings menu. If a business does not apply CCPA rights to all of its customers regardless of whether they are California residents, it can instead include “a California-specific description” of consumers’ privacy rights as a section of the privacy policy posted on its website. Businesses that don’t operate a website must make their privacy policy conspicuously available to consumers by other means.
What the Privacy Policy Needs to Include
The Privacy Policy must include the following:
(1) Right to Know About Personal Information Collected, Disclosed or Sold — this includes (a) an explanation that a consumer has the right to request that the business disclose what personal information it collects and sells; (b) instructions for how to submit a verifiable consumer request to know, with links to a request form; (c) a general description of the process by which the business will verify the consumer request; (d) the categories of personal information the business has collected; (e) the categories of sources from which personal information is collected (the sources could be the consumers themselves, data brokers, or social networks); (f) the business or commercial purposes for collecting or selling personal information; and (g) a disclosure of the personal information that has been sold or disclosed, including the third parties to whom it was disclosed or sold.
(2) Right to Request Deletion of Personal Information — this includes (a) an explanation that a consumer has the right to request the deletion of their personal information; (b) provide instructions for how to submit a verifiable consumer request to delete and provide links to a request form for making the request; and (c) provide a description of the process by which the business will verify the consumer request, including any information the consumer must provide.
(3) Right to Opt-Out of the Sale of Personal Information — this includes (a) an explanation that a consumer has a right to opt-out of the sale of their personal information; and (b) whether or not the business actually sells personal information.
(4) Right to Non-Discrimination for the Exercise of a Consumer’s Privacy Rights — this needs to explain that a consumer has the right to not receive discriminatory treatment if they exercise their CCPA privacy rights.
(5) Instructions on how an Authorized Agent can make requests under the CCPA on the consumer’s behalf.
(6) Contact for More Information — provides consumers with a contact for questions or concerns regarding the business’s privacy policies and practices.
(7) Date the privacy policy was last updated.
(8) If the business buys, receives, or shares the personal information of over 10 million consumers in a calendar year, it must publish in the Privacy Policy (or provide a link to) metrics on the number of CCPA requests (to know, to delete and to opt-out) it received, complied with, and denied in the prior calendar year. It must also publish the median or mean number of days within which the business responded to those requests.
(9) If a business has actual knowledge that it sells the personal information of minors under 16, it must describe the process it follows for obtaining opt-in consent to the sale of that personal information.
Notice at Collection of Personal Information [§ 999.305]
Every business must have one of these. The purpose of the Notice at Collection is to “provide consumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them and the purposes for which the personal information will be used.” And like all notices in the CCPA Regulations, as mentioned above, it must be easy to read and understandable to consumers.
Location
The Notice at Collection must appear “at or before the point of collection of any personal information.”
General Principles
A business shall not use a consumer’s personal information for a purpose “materially different than those disclosed in the notice at collection.” Furthermore, a business shall not collect categories of personal information “other than those disclosed in the notice at collection.” This means that if the business intends to collect additional categories of personal information, or to use the information for a materially different purpose, it must first provide a new notice at collection.
What the Notice at Collection Needs to Include
(1) A list of the categories of personal information about consumers to be collected.
(2) The business or commercial purpose(s) for which the categories of personal information will be used.
(3) If the business sells personal information, a link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info” (or in the case of offline notices, where the webpage can be found online).
(4) A link to the business’s privacy policy, or in the case of offline notices, where the privacy policy can be found online.
Misc. Carveouts
There are a few carveouts for the Notice at Collection:
(a) If a business collects personal information from a consumer online, the notice at collection may be given by providing a link to the section of the business’s privacy policy that contains the required information.
(b) A business that does not collect personal information directly from the consumer does not have to provide a notice at collection, provided it also does not sell the consumer’s personal information.
(c) A data broker registered with the Attorney General does not need to provide a notice at collection to the consumer if it has included in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt-out.
(d) A business collecting employment-related information does not need to include the link or web address to the link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info”, nor does it need to provide a link to its privacy policy.
I will cover the Notice of Right to Opt-Out and Notice of Financial Incentive in a future blog post.