The CCPA has many implications for businesses operating in California. For example, as most affected businesses know, it requires you to provide notice to consumers about your personal information practices via your Privacy Policy.
But your Privacy Policy is just one of four types of external notice that the CCPA requires. The California Attorney General's Proposed Regulations explain these four consumer notices in detail, including guidance about how to structure your Privacy Policy.
In this article, you'll learn:
We'll also look at some real examples of consumer notices provided by businesses affected by the CCPA.
Below is a brief introduction to the CCPA. If you already understand the basics of the CCPA, you can skip ahead to our guidance on the CCPA's four consumer notices.
The CCPA is a privacy law that places strict rules on businesses worldwide regarding their use of the personal information of California consumers.
The CCPA:
The CCPA applies to your business if it does business in California and at least one of the following applies:
The California Attorney General's "CCPA Proposed Regulations" is a key source of information about the CCPA's notice requirements.
The Proposed Regulations set out specific rules and guidance about how businesses should apply parts of the CCPA. The Regulations are still in draft form and may change considerably before they pass into law (April 2020 at the very earliest).
However, the Proposed Regulations will be legally binding once they come into effect. This means that breaking the rules under the Regulations will leave you open to fines and other penalties.
There are four types of external notices you should be providing to consumers in certain circumstances:
The California Attorney General offers some general principles to follow when you provide notice:
A Privacy Policy is mandatory for all businesses under the CCPA.
Your Privacy Policy gives consumers notice about:
The Proposed Regulations provide a particular format for your CCPA Privacy Policy.
The Regulations go beyond the requirements of the text of the CCPA itself. Remember that some of these requirements might not remain once the Regulations become law.
Information about the right to know:
Disclose your personal information collection practices:
For each category of personal information, disclose:
Disclose how you sell personal information and/or disclose personal information for business purposes:
Information about the right to delete:
Information about the right to opt out:
Information about the right to non-discrimination:
If you buy, sell, receive, or share personal information from more than 4 million consumers per year, you must also disclose:
How many requests you received under the right to opt out
You must update your Privacy Policy every 12 months.
Here are some examples of businesses that are implementing the CCPA's Privacy Policy obligations.
SafeGraph has created a two-column table which covers points 1 (d) (i) and 1 (d) (ii) (1) above.
Note that some of these sources are third parties (e.g. advertising networks) while others are not (e.g. mobile applications).
You should provide a "notice at collection" whenever you collect personal information directly from consumers.
A notice at collection makes consumers aware of what categories of personal information you are collecting and why you are collecting it.
The Proposed Regulations require that your notice at collection contains the following:
You can include the information above as a section in your Privacy Policy and provide a link to that section. Under the Proposed Regulations, this would be an acceptable way to provide notice at collection.
Consider the context in which you're collecting personal information when you're providing notice. For example, if you're collecting personal information via a form in the mail, you should provide notice on paper alongside the form.
If you're collecting personal information about the consumer indirectly, i.e. from another source, you don't need to provide notice at collection. However, the Proposed Regulations require that you:
Contact the source of the personal information to:
If you sell (or you will sell) consumers' personal information, you must provide notice of consumers' right to opt out.
If you sell personal information, you must maintain a clear and conspicuous link on your website's home page stating "Do Not Sell My Personal Information." When consumers click this link, it must lead to your notice of the right to opt out.
The Proposed Regulations require that your notice of the right to opt out contains the following:
If you operate a "financial incentives scheme," you must provide a notice of financial incentives.
We won't go into detail about the CCPA's financial incentives provisions in this article, but here's a brief explanation.
The CCPA's "right to non-discrimination" forbids businesses from discriminating against consumers who exercise their CCPA consumer rights. This means you cannot, for example, charge a higher price for services to someone who has exercised their "right to opt out."
When the draft CCPA was made available, businesses soon realized that this could forbid them from engaging in legitimate business activities, such as offering coupons to people who sign up to their mailing lists, or running loyalty schemes.
Therefore, there is a provision in the CCPA and the Proposed Regulations that allows businesses to offer incentives to consumers in exchange for their personal information. The incentive must be based on the actual value that the business derives from the personal information.
You must make your notice of financial incentives available to consumers before they opt into any such schemes.
The Proposed Regulations require that your notice of financial incentives contains the following:
An explanation of why the scheme is permitted under the CCPA, including:
You can include the information above as a section in your Privacy Policy and provide a link to that section. Under the Proposed Regulations, this would be an acceptable way to provide notice of financial incentives.
Here's an example of a notice of financial incentives from World's Best Cat Litter:
World's Best Cat Litter explains its financial incentive scheme, how consumers can opt in, and how consumers can opt out without being subject to discrimination.
It's not clear whether the last section on this notice would satisfy point 5 of the Proposed Regulations (above). However, remember that the Regulations may change before they come into force.
Note that the CCPA has other notice requirements beyond the consumer notices that you'll need to become familiar with as well.
We've looked at the four consumer notices you may need to provide under the CCPA.
Use clear and straightforward language in your notices. Ensure they are easily accessible, and available in alternative formats for consumers with disabilities.