In a prior blog post I provided an overview of the regulations associated with the California Consumer Privacy Act (CCPA) that the California Attorney General (AG) submitted to the California Office of Administrative Law (OAL). As a reminder, the CCPA is the United States’ most comprehensive consumer privacy law, giving consumers both the “Right to Know” (i.e., you can find out what personal information has been collected on you) and the “Right to Say No” (you can say no to the sale of your personal data). It also holds businesses accountable for safeguarding consumers’ personal information. The CCPA called for the creation of regulations by the Cal AG to primarily “address changes in technology, data collection practices, obstacles to implementation, and privacy concerns” with the law.
The CCPA regulations will likely be approved by the OAL and in turn will become enforceable by law sometime between July 1st and October 1st of 2020 (the CCPA itself kicked in on January 1, 2020). Note that an attorney from the AG office said in a recent LinkedIn webcast that the AG office already began enforcement on July 1, 2020 of the “four corners of the law” (vs. the stuff explicitly in the regulations) and has already, as of July 1st, sent out some initial notices to companies to give them fair warning that they may be in violation of the CCPA. So it appears phase 1 of enforcement is the law, with phase 2 being the regulations.
The CCPA regulations are quite prescriptive (you can find them here) in terms of the obligations that businesses must follow. There are in fact over 75 instances in the regulations of the expression “a business shall …”.
In this blog post I am going to focus on Article 2 of the regulations, and more specifically the two mandatory “Notices to Consumers” that businesses must provide to consumers.
Overview of Notices
Article 2 of the CCPA Regulations calls out four notices, with the first two applying to all businesses and the last two applying only in particular scenarios:
2. Notice at Collection.
3. Notice of Right to Opt-Out.
4. Notice of Financial Incentive.
The regulations require that each notice must (a) be in plain, straightforward language and avoid technical or legal jargon; (b) use a format that is readable to the consumer, even on smaller screens; (c) be available in the languages in which the business conducts business in its ordinary course; and (d) be reasonably accessible to consumers with disabilities.
Let’s look at the first two in more detail; I will cover the latter two in a future blog post. I will also cross-reference the corresponding Section (Section is represented by the “§” symbol) of the CCPA Regulations for each notice.
(1) Right to Know About Personal Information Collected, Disclosed or Sold — this includes (a) an explanation that a consumer has the right to request that the business disclose what personal information it collects and sells; (b) provide instructions for how to submit a verifiable consumer request to know and provide links to a request form for making the request; (c) describe in general the processes by which the business will verify the consumer request; (d) identify the categories of personal information that the business has collected; (e) identify the categories of sources from which personal information is collected (sources could be the consumer themselves, data brokers, or social networks); (f) identify the business or commercial purposes for collecting or selling personal information; and (g) disclosure of the sale of personal information, including third parties to whom the information was disclosed or sold.
(2) Right to Request Deletion of Personal Information — this includes (a) an explanation that a consumer has the right to request the deletion of their personal information; (b) provide instructions for how to submit a verifiable consumer request to delete and provide links to a request form for making the request; and (c) provide a description of the process by which the business will verify the consumer request, including any information the consumer must provide.
(3) Right to Opt-Out of the Sale of Personal Information — this includes (a) an explanation that a consumer has a right to opt-out of the sale of their personal information; and (b) whether or not the business actually sells personal information.
(4) Right to Non-Discrimination for the Exercise of a Consumer’s Privacy Rights — this needs to explain that a consumer has the right to not receive discriminatory treatment if they exercise their CCPA privacy rights.
(5) Instructions on how an Authorized Agent can make requests under the CCPA on the consumer’s behalf.
(6) Contact for More Information — provides consumers with a contact for questions or concerns re: the business’ privacy policies.
(9) If a business has knowledge that it sells the personal information of minors under 16, it must provide a description of the processes it adheres to for opting in to the sale of personal information.
Notice at Collection of Personal Information [§ 999.305]
Every business must have one of these. The purpose of the Notice at Collection is to “provide consumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them and the purposes for which the personal information will be used.” And like all policies mentioned in the CCPA Regulations, it must, as mentioned above, be easy to read and understandable to consumers.
The Notice at Collection must appear “at or before the point of collection of any personal information.”
A business shall not use a consumer’s personal information for a purpose “materially different than those disclosed in the notice at collection.” Furthermore, a business shall not collect categories of personal information “other than those disclosed in the notice at collection.” This means that if the business intends to collect additional categories of personal information, then the business must provide a new notice.
What the Notice at Collection Needs to Include
(1) A list of the categories of personal information about consumers to be collected.
(2) The business or commercial purpose(s) for which the categories of personal information will be used.
(3) If the business sells personal information, a link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info” (or in the case of offline notices, where the webpage can be found online).
I will cover the Notice of Right to Opt-Out and Notice of Financial Incentive in a future blog post.