Data Security Law Blog

CCPA Update: Key Proposed Notice and Privacy Policy Regulations

As we recently reported on this blog, the California Attorney General (AG) released long awaited draft regulations to the California Consumer Privacy Act (CCPA). The regulations provided clarity on several provisions in the law, while also failing to answer some open questions. In a series of upcoming blog posts, we will discuss the regulations most directly relevant to companies as they determine whether they are covered under the law and how to comply. This first post discusses the notices and privacy policies described in detail in the proposed regulations.

Notably, the AG’s regulations clarify an important open question regarding notice: do companies have to notify consumers with whom they have no direct contact? The regulations set a clear and administrable rule: unless a business collects information directly from consumers, it need not provide notice at collection. Third parties, whose notice obligations are not expressly addressed by the regulations, can presumably rely on this rule as well.

The regulations also attempt to reduce the burden for online businesses by allowing their privacy policies to serve as the notice at collection and the notice of financial incentive, as long as the privacy policies are accessible and contain the specific requisite information. In addition, the required opt-out of sale link (either “Do Not Sell My Personal Information” or “Do Not Sell My Info”) can point to the privacy policy in lieu of a separate opt-out notice. However, no opt-out notice is required at all if a business does not and will not sell the information being collected and states this in its privacy policy.

Notices and Privacy Policies

The AG’s regulations set out the form and content of several notices and privacy policies required by the CCPA. Generally, notices and privacy policies required by the CCPA must be easy to read and understandable to the average consumer. To further that goal, the regulations require that notices and policies use plain and straightforward language, use a format that is readable (including on mobile devices), be available in the languages the business uses in its ordinary interactions with its customers, and be accessible to consumers with disabilities.

Notice of Collection

For the notice at collection of personal information, businesses must make the notice accessible to consumers where they will see it before their information is collected. The notice must describe the categories of personal information being collected and the purposes for which each category will be used, and must include links to the business’s privacy policy and to the opt-out of sale webpage. A business may not collect categories of personal information beyond those disclosed in the notice, and may not use the information for purposes other than those stated in the notice.

Of note, a business must provide a new notice if it intends to collect additional categories of personal information not included in the original notice. The regulations go even further when a business wants to use already-collected information for a new purpose: the business must provide a new notice and obtain the consumer’s explicit consent before using the information for that new purpose.

Notice of the Right to Opt-Out of Sale

The regulations also provide detailed requirements for the notice informing consumers that they may opt out of the sale of their personal information, and specifications for the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link required on a business’s website. Specifically, the link must appear on the homepage of the website or the landing page of a mobile site. The notice must include, among other things, a description of the right to opt out, a webform for submitting the opt-out request, and a link to the privacy policy.

Notice of Financial Incentive

The notice of financial incentive must explain to consumers the financial incentives and the price or service differences that a business offers in exchange for the consumers’ personal information. Among other things, the notice must include a good-faith estimate of the value of the consumer’s data to the business, which forms the basis for the permitted price or service difference or incentive, and a description of the method the business used to calculate that value.

Privacy Policy

As mentioned above, the regulations would permit a privacy policy to substitute for the separate notices if the privacy policy contains all of the content required for those notices and the relevant portions of the privacy policy are available to the consumer at the time each notice is required. In all cases, the privacy policy must be conspicuously posted through a link that uses the word “privacy” on the business’s homepage.

The privacy policy must include, among other things, the following information:

  • an explanation of the consumer’s rights to disclosure, deletion, opt-out of sale, and non-discrimination;
  • instructions for submitting consumer requests for disclosure and deletion, the process for verifying those requests, and how to designate an authorized agent to make such requests on a consumer’s behalf;
  • the categories of personal information the business has collected, disclosed, or sold in the prior 12 months, as well as the sources of the information, purposes for collecting it, and categories of third parties with which that information is shared; and
  • a contact for questions or concerns about the privacy policy, reachable by a method the business normally uses to interact with consumers.

We will continue to update you about CCPA developments on this blog.