01 August 2020
In this article, you'll learn:
We'll also look at some real examples of consumer notices provided by businesses affected by the CCPA.
Below is a brief introduction to the CCPA. If you already understand the basics of the CCPA, you can skip ahead to our guidance on the CCPA's four consumer notices.
The CCPA is a privacy law that places strict rules on businesses worldwide regarding their use of the personal information of California consumers.
The CCPA applies to your business if it does business in California and at least one of the following applies:
The CCPA applies to businesses all over the world. If you want to "do business" in California, and you fall under the CCPA's scope, you must comply with the CCPA.
Doing business in California might include the following:
The CCPA defines a consumer as a "natural person" (i.e. not a "legal person" such as a corporation) who is a California resident. The CCPA takes its definition of "California resident" from another law, 18 CCR § 17014.
This includes not only your customers but any California resident whose personal information your business collects.
Different privacy laws define "personal information" in different ways. The CCPA defines personal information more broadly than any other US privacy law. Here's the definition of personal information in the CCPA:
The CCPA gives many examples of personal information, including:
Try not to think of personal information only as information that describes or identifies a consumer. If a piece of information could be reasonably linked to a consumer, it's personal information.
The California Attorney General's "CCPA Proposed Regulations" (available here) is a key source of information about the CCPA's notice requirements.
The Proposed Regulations set out specific rules and guidance about how businesses should apply parts of the CCPA. The Regulations are still in draft form and may change considerably before they pass into law (April 2020 at the very earliest).
However, the Proposed Regulations will be legally binding once they come into effect. This means that breaking the rules under the Regulations will leave you open to fines and other penalties.
There are four types of external notices you should be providing to consumers in certain circumstances:
The California Attorney General offers some general principles to follow when you provide notice:
The Regulations go beyond the requirements of the text of the CCPA itself. Remember that some of these requirements might not remain once the Regulations become law.
Information about the right to know:
Disclose your personal information collection practices:
For each category of personal information, disclose:
Disclose how you sell personal information and/or disclose personal information for business purposes:
Information about the right to delete:
Information about the right to opt out:
Information about the right to non-discrimination:
If you buy, sell, receive, or share personal information from more than 4 million consumers per year, you must also disclose:
How many requests you received under the right to opt out
SafeGraph has created a two-column table which covers points 1 (d) (i) and 1 (d) (ii) (1) above.
Note that some of these sources are third parties (e.g. advertising networks) while others are not (e.g. mobile applications).
LiveRamp has created a three-column table that covers points 1 (d) (i), 1 (d) 2 (iii), 1 (e) (ii) above.
Here's how Radisson Hotels covers point 5 by explaining how a consumer can designate an Authorized Agent under the terms of the CCPA:
You should provide a "notice at collection" whenever you collect personal information directly from consumers.
A notice at collection makes consumers aware of what categories of personal information you are collecting and why you are collecting it.
The Proposed Regulations require that your notice at collection contains the following:
Consider the context in which you're collecting personal information when you're providing notice. For example, if you're collecting personal information via a form in the mail, you should provide notice on paper alongside the form.
Here's an excerpt from Master and Dynamic's notice at collection:
You must ensure that your notice at collection is presented to consumers before you collect their personal information. Here's an example from law firm Keesal, Young & Logan:
If you're collecting personal information about the consumer indirectly, i.e. from another source, you don't need to provide notice at collection. However, the Proposed Regulations require that you:
Contact the source of the personal information to:
If you sell (or you will sell) consumers' personal information, you must provide notice of consumers' right to opt out.
If you sell personal information, you must maintain a clear and conspicuous link on your website's home page stating "Do Not Sell My Personal Information." When consumers click this link, it must lead to your notice of the right to opt out.
The Proposed Regulations require that your notice of the right to opt out contains the following:
Oxydata (a trading name of Binary House LLC) provides a great example of how to meet these requirements.
Here's the first part of Oxydata's notice of the right to opt out, which fulfils points 1-2 above.
Here's the final part of Oxydata's notice of the right to opt out, which fulfils points 3-5 above:
Note how Oxydata uses very accessible language, avoiding any legal jargon.
If you operate a "financial incentives scheme," you must provide a notice of financial incentives.
We won't go into detail about the CCPA's financial incentives provisions in this article, but here's a brief explanation.
The CCPA's "right to non-discrimination" forbids businesses from discriminating against consumers who exercise their CCPA consumer rights. This means you cannot, for example, charge a higher price for services to someone who has exercised their "right to opt out."
When the draft CCPA was made available, businesses soon realized that this could forbid them from engaging in legitimate business activities, such as offering coupons to people who sign up to their mailing lists, or running loyalty schemes.
Therefore, there is a provision in the CCPA and the Proposed Regulations that allows businesses to offer incentives to consumers in exchange for their personal information. The incentive must be based on the actual value that the business derives from the personal information.
You must make your notice of financial incentives available to consumers before they opt into any such schemes.
The Proposed Regulations require that your notice of financial incentives contains the following:
An explanation of why the scheme is permitted under the CCPA, including:
Here's an example of a notice of financial incentives from World's Best Cat Litter:
World's Best Cat Litter explains its financial incentive scheme, how consumers can opt in, and how consumers can opt out without being subject to discrimination.
It's not clear whether the last section on this notice would satisfy point 5 of the Proposed Regulations (above). However, remember that the Regulations may change before they come into force.
Note that the CCPA has other notice requirements beyond the consumer notices that you'll need to become familiar with as well. We address these notices in detail in our article: CCPA Notices.
You can build your CCPA Opt-Out code by following the steps below:
We've looked at the four consumer notices you may need to provide under the CCPA.
Use clear and straightforward language in your notices. Ensure they are easily accessible, and available in alternative formats for consumers with disabilities.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.