Analysis of Attorney General Regulations to the CCPA– Part 1: Notices to Consumers
Article 2 (see pages 3 through 10) of the California Attorney General’s CCPA draft regulations specify certain notices that must be given to consumers at the time of collection of their personal information, including consumers’ rights to opt-out of the sale of their personal information, and notices of financial incentives a business may offer in exchange for consumers’ personal information. Article 2 also provides specific CCPA requirements for company privacy policies.
ALL notices given to consumers must meet the following requirements:
- Easy to read language that is understandable to an average consumer, and avoid technical or legal jargon
- Available in all languages that business provides contracts, disclaimers, etc.
- Accessible to consumers with disabilities
Notice at Collection of Personal Information (Section 999.305)
Businesses must inform consumers about the categories or personal information to be collected from them, and the purposes for collection. Businesses should note the following:
- Personal information cannot be used for any other purpose other than those disclosed in notice at collection. Use for other purposes requires new notice and explicit consent
- Businesses cannot collect categories of personal information other than those specified in the notice at collection
- Businesses must provide notice for offline collection of personal information
- Timing – the notice must be provided at or before the time of collection. Consider how your business collects information and where/when this notice will be provided to consumers.
- List categories of personal information to be collected
- Business or commercial purpose(s) for each category of personal information collected
- “Do Not Sell My Personal Information” link if business sells personal information
Businesses that do not collect information directly from consumers are not required to provide notice at the time of collection, however, prior to selling a consumer’s personal information, businesses must:
- Contact consumer directly to provide notice of sale of personal information, and provide consumer with notice of right to opt-out; or
- Contact source of personal information to: i) confirm that the source provided proper notice at collection; and ii) obtain signed attestations from source, describing how source gave notice at collection, with an example of notice
Notice of Right to Opt-Out of Sale of Personal Information (Section 999.306)
Businesses must inform consumers of their right to direct a business that sells their personal information (or may sell it in the future) to stop selling their personal information. Businesses should note the following:
- Must be provided to consumers after clicking “Do Not Sell My Personal Information” or “Do Not Sell My Info” link
- Offline notice is required if business substantially interacts with consumers offline
- Businesses that do not operate a website must establish and document another manner to comply
- A consumer whose personal information is collected while a business has not provided notice of a right to opt-out shall be deemed to have opted-out
- Description of right to opt-out of sale of personal information
- Webform for consumers to submit opt-out request online, or other method for businesses that do not operate a website
- Instructions for any other method to submit opt-out requests
- Description of any proof required when consumer uses an authorized agent to exercise their opt-out right
Opt-Out Button or Logo:
- Further guidance from Attorney General is forthcoming
Notice of Financial Incentive (Section 999.307)
Businesses must explain to consumers each financial incentive or price or service difference a business may offer in exchange for the retention or sale of a consumer’s personal information.
- Summary of the financial incentive or privacy difference
- Description of material terms, including categories of personal information implicated by the financial incentive
- How consumers can opt-in and their right to withdraw at any time
- Explanation of why the financial incentive is permitted under the CCPA, including, i) estimate of the value of the consumer’s data; and ii) description of the method used to calculate the value of the consumer’s data
Businesses must provide consumers with a comprehensive description of their online and offline practices regarding collection, use, disclosure, and sale of personal information, and of the rights of consumers of their personal information.
“Right to Know” about Personal Information Collected, Disclosed, or Sold
- Explain right to request that the business disclose what personal information it collects, uses, discloses, and sells
- Instructions to submit a “request to know”
- Describe process business will use to verify requests, including any information consumers must provide
- List categories of personal information the business has collected about consumer in the preceding 12 months, and for each category, provide: i) the categories of sources; ii) the business or commercial purpose(s) for which the information was collected; and iii) the third parties with whom the business shares personal information
- Disclosure or Sale of Personal Information
- Whether business has disclosed or sold personal information to third parties for a business or commercial purpose in preceding 12 months
- Categories of personal information disclosed or sold
- Whether business sells personal information of minors under age 16 without affirmative authorization
Right to Request Deletion
- Provide instructions for submitting a verifiable consumer request
- Describe process, and any information consumers must provide
Right to Opt-Out of the Sale of Personal Information
- Include contents of notice of right to opt-out or a link to it
Right to non-discrimination for Exercise of Consumer’s Privacy rights – explain that consumers cannot receive discriminatory treatment for exercise of their rights
Authorized Agent – explain how consumers can designate an authorized agent to make a CCPA request on their behalf
Contact for More Information – provide consumers with contact information for questions or concerns using a method reflecting the manner in which the business primarily interacts with consumers
Information about large-scale collection or use of personal information under 999.317(g), if applicable
Businesses should consider the following in connection with their CCPA consumer notice compliance:
- Review existing privacy policies and CCPA draft notices to ensure they are easy to understand, use “plain English” language, and do not contain legal or technical jargon.
- Establish a framework for “offline” CCPA compliance.
- If your business offers a financial incentive for retention or sale of consumer information, your business must calculate the value of that information and disclose the value and your method for calculation of that value. See our discussion of Article 6 for illustrative methods of computing the value of consumer data (§999.337).
Tomorrow, we’ll take a detailed look at Article 3 – Business Practices for Handling Consumer Requests.