As we recently reported on this blog, the California Attorney General (AG) released long-awaited draft regulations to the California Consumer Privacy Act (CCPA). The regulations provided clarity on several provisions in the law, while also failing to answer some open questions. In a series of upcoming blog posts, we will discuss the regulations most directly relevant to companies as they determine whether they are covered under the law and how to comply. This first post discusses the notices and privacy policies described in detail in the proposed regulations.
Notably, the AG’s regulations clarify an important open question regarding notice: do companies have to notify consumers with whom they have no direct contact? The regulations set a clear and administrable rule that unless a business collects information directly from consumers, it need not provide notice at collection. Third parties, whose notice obligations are not expressly addressed by the regulations, can presumably rely on this rule as well.
Notices and Privacy Policies
The AG’s regulations set out the form and content of several notices and privacy policies required by the CCPA. Generally, notices and privacy policies required by the CCPA must be easy to read and understandable to the average consumer. To further that goal, the regulations require that notices and policies use plain and straightforward language, use a readable format including for mobile devices, be available in languages that the business uses in its ordinary interactions with its customers, and be accessible to consumers with disabilities.
Notice of Collection
Of note, a business must provide a new notice if it intends to collect additional categories of personal information not included in the original notice. The regulations go even further if a business wants to use consumer information for a new purpose, requiring the business to send out a new notice and obtain explicit consent from the consumer to use the information for this new purpose.
Notice of the Right to Opt-Out of Sale
Notice of Financial Incentive
The notice of financial incentive must explain to consumers the financial incentives and price or service differences that businesses offer in exchange for the consumers’ information. Among other things, the notice must include a good-faith estimate of the value of the consumer data to the business, which forms the basis for the allowable price or service difference or incentive. And the notice must contain a description of the method used by the business to calculate the value of the data.
- an explanation of the consumer’s rights to disclosure, deletion, opt-out of sale, and non-discrimination;
- instructions for submitting consumer requests for disclosure and deletion, the process for verifying those requests, and how to designate an authorized agent to make such requests on a consumer’s behalf;
- the categories of personal information the business has collected, disclosed, or sold in the prior 12 months, as well as the sources of the information, purposes for collecting it, and categories of third parties with which that information is shared; and
- a contact for questions or concerns about the privacy policies using a method normally used by the business to interact with consumers.
We will continue to update you about CCPA developments on this blog.