California regulates consumer privacy via the California Consumer Privacy Act (CCPA), an expansive law reminiscent of the European Union’s General Data Protection Regulation (GDPR). CCPA imposes obligations on covered businesses to (1) give consumers notice of what personal data they collect, how the data is used or shared and whether the data is being sold, and (2) set forth the rights that consumers have with respect to the data collected from them.
Notice Applicable to Methods of Collection of Personal Data
Notably, the CCPA applies not only to online data collection but also to collection on mobile, offline by use of forms or exchange of documents, over the phone or in person. Cal. Code Regs. Tit. 11, § 999.305(a)(3).
A business that collects personal information from a consumer must provide such notice at the time of collection in accordance with the CCPA and the regulations promulgated in accordance with the law. Cal. Code Regs. Tit. 11, § 999.304(b). This means the privacy notice must be made readily available where consumers will encounter it at or before the collection of any of their personal information. If a business collects personal data from a consumer in person but its privacy notice is posted only on the business’s website, this will likely not be deemed a sufficient notice at the time of the collection.
Enforcement Actions
Recent enforcement actions issued by the California Attorney General (CA AG) illustrate this point and remind businesses of the importance of apprising their consumers of their privacy policies not only online but also offline. Specifically, the AG reports that it initiated an enforcement action against an automotive business that collected information from consumers test driving vehicles at the business. Although the business had a written privacy policy, it failed to provide a notice of it at collection. The CA AG notified the business of alleged noncompliance, and the business implemented a notice at collection for personal information received in connection with test drives, whether collected online or in person.
Examples of Timely Notices
CCPA regulations (Cal. Code Regs. Tit. 11, § 999.305(a)(3)) provide illustrative examples of how a timely notice may be given to consumers:
- Online collection – A business may post a conspicuous link to the notice on the introductory page of the business’s website and on all web pages where personal information is collected.
- Mobile application – A business may provide a link to the notice on the mobile application’s download page and within the application, such as through the application’s settings menu.
- Offline collection – A business may provide a printed version of the privacy notice or post prominent signage directing consumers to a notice that may be found online.
- Telephone or in-person collection – A business may give its privacy notice verbally.