Overview:
Article 2 (see pages 3 through 10) of the California Attorney General’s CCPA draft regulations specify certain notices that must be given to consumers at the time of collection of their personal information, including consumers’ rights to opt-out of the sale of their personal information, and notices of financial incentives a business may offer in exchange for consumers’ personal information. Article 2 also provides specific CCPA requirements for company privacy policies.
Key Elements:
ALL notices given to consumers must meet the following requirements:
-
Easy to read language that is understandable to an average consumer, and avoid technical or legal jargon
-
Available in all languages that business provides contracts, disclaimers, etc.
-
Accessible to consumers with disabilities
-
Include all required information, or link to the section of the privacy policy that contains the required information
Notice at Collection of Personal Information (Section 999.305)
Businesses must inform consumers about the categories or personal information to be collected from them, and the purposes for collection. Businesses should note the following:
-
Personal information cannot be used for any other purpose other than those disclosed in notice at collection. Use for other purposes requires new notice and explicit consent
-
Businesses cannot collect categories of personal information other than those specified in the notice at collection
-
Businesses must provide notice for offline collection of personal information
-
Timing – the notice must be provided at or before the time of collection. Consider how your business collects information and where/when this notice will be provided to consumers.
Notice Requirements:
-
List categories of personal information to be collected
-
Business or commercial purpose(s) for each category of personal information collected
-
“Do Not Sell My Personal Information” link if business sells personal information
-
Link to privacy policy
Businesses that do not collect information directly from consumers are not required to provide notice at the time of collection, however, prior to selling a consumer’s personal information, businesses must:
-
Contact consumer directly to provide notice of sale of personal information, and provide consumer with notice of right to opt-out; or
-
Contact source of personal information to: i) confirm that the source provided proper notice at collection; and ii) obtain signed attestations from source, describing how source gave notice at collection, with an example of notice
Notice of Right to Opt-Out of Sale of Personal Information (Section 999.306)
Businesses must inform consumers of their right to direct a business that sells their personal information (or may sell it in the future) to stop selling their personal information. Businesses should note the following:
-
Must be provided to consumers after clicking “Do Not Sell My Personal Information” or “Do Not Sell My Info” link
-
Offline notice is required if business substantially interacts with consumers offline
-
Businesses that do not operate a website must establish and document another manner to comply
-
Exemption: Businesses that do not, and will not, sell personal information and state in their privacy policy that they do not, and will not, sell personal information.
-
A consumer whose personal information is collected while a business has not provided notice of a right to opt-out shall be deemed to have opted-out
Notice Requirements:
-
Description of right to opt-out of sale of personal information
-
Webform for consumers to submit opt-out request online, or other method for businesses that do not operate a website
-
Instructions for any other method to submit opt-out requests
-
Description of any proof required when consumer uses an authorized agent to exercise their opt-out right
-
Link to privacy policy
Opt-Out Button or Logo:
-
Further guidance from Attorney General is forthcoming
-
Opt-out button or logo shall link to a webpage containing information required by the regulations, or to the section of the privacy policy with such information
Notice of Financial Incentive (Section 999.307)
Businesses must explain to consumers each financial incentive or price or service difference a business may offer in exchange for the retention or sale of a consumer’s personal information.
Notice Requirements:
-
Summary of the financial incentive or privacy difference
-
Description of material terms, including categories of personal information implicated by the financial incentive
-
How consumers can opt-in and their right to withdraw at any time
-
Explanation of why the financial incentive is permitted under the CCPA, including, i) estimate of the value of the consumer’s data; and ii) description of the method used to calculate the value of the consumer’s data
Privacy Policy (Section 999.308)
Businesses must provide consumers with a comprehensive description of their online and offline practices regarding collection, use, disclosure, and sale of personal information, and of the rights of consumers of their personal information.
Privacy Policy Requirements:
“Right to Know” about Personal Information Collected, Disclosed, or Sold
-
Explain right to request that the business disclose what personal information it collects, uses, discloses, and sells
-
Instructions to submit a “request to know”
-
Describe process business will use to verify requests, including any information consumers must provide
-
List categories of personal information the business has collected about consumer in the preceding 12 months, and for each category, provide: i) the categories of sources; ii) the business or commercial purpose(s) for which the information was collected; and iii) the third parties with whom the business shares personal information
-
Disclosure or Sale of Personal Information
-
Whether business has disclosed or sold personal information to third parties for a business or commercial purpose in preceding 12 months
-
Categories of personal information disclosed or sold
-
Whether business sells personal information of minors under age 16 without affirmative authorization
-
Right to Request Deletion
- Provide instructions for submitting a verifiable consumer request
- Describe process, and any information consumers must provide
Right to Opt-Out of the Sale of Personal Information
-
Include contents of notice of right to opt-out or a link to it
Right to non-discrimination for Exercise of Consumer’s Privacy rights – explain that consumers cannot receive discriminatory treatment for exercise of their rights
Authorized Agent – explain how consumers can designate an authorized agent to make a CCPA request on their behalf
Contact for More Information – provide consumers with contact information for questions or concerns using a method reflecting the manner in which the business primarily interacts with consumers
Date privacy policy last updated
Information about large-scale collection or use of personal information under 999.317(g), if applicable
Key Takeaways:
The draft regulations contain highly-specific requirements that must be reviewed carefully. Businesses are required to not only provide specific notices and mechanisms as outlined in the regulations, but also to describe those notices and mechanisms in the business’s privacy policy as well. The “plain English” and format requirements will require many businesses to re-write privacy policies and CCPA-related notices in order to comply. Finally, the regulations make clear that the CCPA applies to online and offline collection, use and disclosure of personal information, with specific requirements on businesses to establish parallel offline notice procedures.
Recommendations:
Businesses should consider the following in connection with their CCPA consumer notice compliance:
-
Review existing privacy policies and CCPA draft notices to ensure they are easy to understand, use “plain English” language, and do not contain legal or technical jargon.
-
Establish a framework for “offline” CCPA compliance.
-
Closely review requirements in the regulations with respect to specific privacy policy and CCPA notice content.
-
Provide links to specific sections in your company’s privacy policy, not just a link to the overall policy.
-
If your business does not sell personal information, state so in your privacy policy.
-
If your business offers a financial incentive for retention or sale of consumer information, your business must calculate the value of that information and disclose the value and your method for calculation of that value. See our discussion of Article 6 for illustrative methods of computing the value of consumer data (§999.337).
-
Make your privacy policy available to be printed out by consumers as a separate document.