In this article, you'll learn:
- How to create each of the CCPA's four notices
- Which of the four notices your business needs to provide
- How and when you need to provide each notice
We'll also look at some real examples of consumer notices provided by businesses affected by the CCPA.
What is the CCPA?
Below is a brief introduction to the CCPA. If you already understand the basics of the CCPA, you can skip ahead to our guidance on the CCPA's four consumer notices.
The CCPA is a privacy law that places strict rules on businesses worldwide regarding their use of the personal information of California consumers. Among other things, the CCPA:
- Requires businesses to be transparent about how they collect, use, share, and sell California consumers' personal information.
- Provides consumers with more control over how businesses use their personal information, via a powerful set of consumer rights.
Who Has to Comply with the CCPA?
The CCPA applies to your business if it does business in California and at least one of the following applies:
- You have annual gross revenues of over $25 million
- You buy, sell, share for commercial purposes, or receive for commercial purposes, the personal information of more than 50,000 consumers, devices, or households per year
- You derive at least 50 percent of your annual revenues from selling consumers' personal information
What is "Doing Business In California?"
The CCPA applies to businesses all over the world. If you want to "do business" in California, and you fall under the CCPA's scope, you must comply with the CCPA.
Doing business in California might include the following:
- Selling goods or services to California consumers
- Hiring California consumers as contractors or employees
- Buying, selling, sharing, or receiving the personal information of California consumers
What is a "Consumer?"
The CCPA defines a consumer as a "natural person" (i.e. not a "legal person" such as a corporation) who is a California resident. The CCPA takes its definition of "California resident" from another law, 18 CCR § 17014.
This includes not only your customers but any California resident whose personal information your business collects.
What is "Personal Information?"
Different privacy laws define "personal information" in different ways. The CCPA defines personal information more broadly than any other US privacy law. Here's the definition of personal information in the CCPA:
The CCPA gives many examples of personal information, including:
- Full name
- IP address
- Browsing history
Try not to think of personal information only as information that describes or identifies a consumer. If a piece of information could be reasonably linked to a consumer, it's personal information.
The CCPA's Four Consumer Notices
The California Attorney General's "CCPA Proposed Regulations" is a key source of information about the CCPA's notice requirements.
The Proposed Regulations set out specific rules and guidance about how businesses should apply parts of the CCPA. The Regulations are still in draft form and may change considerably before they pass into law (April 2020 at the very earliest).
However, the Proposed Regulations will be legally binding once they come into effect. This means that breaking the rules under the Regulations will leave you open to fines and other penalties.
There are four types of external notices you should be providing to consumers in certain circumstances:
- Privacy policy
- Notice at collection
- Notice of the right to opt out
- Notice of financial incentives
The California Attorney General offers some general principles to follow when you provide notice:
- Use plain language. Avoid "legalese."
- Ensure your notices are clear and conspicuous and that consumers can read them on small screens.
- Provide your notices in the language(s) in which your business normally communicates with consumers.
- Make your notices available to consumers with disabilities. You should inform consumers that they may access your notices in an alternative format if required.
1. Privacy Policy
The Proposed Regulations require that your privacy policy informs consumers about:
- Their rights under the CCPA
- Your business activities over the preceding 12-month period
The Regulations go beyond the requirements of the text of the CCPA itself. Remember that some of these requirements might not remain once the Regulations become law.
1. Information about the right to know:
   (a) Explain that consumers may request disclosure of the personal information you collect, use, disclose for business purposes, and sell.
   (b) Explain how consumers can submit a Verifiable Consumer Request and provide a link to a web page which allows them to do this.
   (c) Explain the process you use to verify the identity of consumers and any ID you require.
   (d) Disclose your personal information collection practices:
       (i) List the categories of personal information you have collected about consumers in the past 12 months.
       (ii) For each category of personal information, disclose:
            (1) The categories of sources from which you collected it
            (2) The business or commercial purposes for which you collected it
            (3) The categories of third parties with whom you share it
   (e) Disclose how you sell personal information and/or disclose personal information for business purposes:
       (i) State whether you have sold personal information or disclosed personal information for business purposes in the past 12 months.
       (ii) List the categories of personal information you have sold or disclosed for business purposes in the past 12 months (if any).
       (iii) State whether you sell the personal information of minors under the age of 16 without authorization.
2. Information about the right to delete:
   (a) Explain that consumers may request that you delete any personal information you hold on them.
   (b) Explain how consumers can submit a Verifiable Consumer Request and provide a link to a web page which allows them to do this.
   (c) Explain the process you use to verify the identity of consumers and any ID you require.
3. Information about the right to opt out:
   (a) Explain that consumers may opt out of the sale of their personal information.
   (b) Provide a link to your "Do Not Sell My Personal Information" page.
4. Information about the right to non-discrimination:
   (a) Explain that consumers will not be discriminated against for exercising their CCPA rights.
5. Explain how a consumer can designate an Authorized Agent to make a consumer rights request on their behalf.
6. Provide contact details and invite consumers to ask for more information should they require it.
If you buy, sell, receive, or share the personal information of more than 4 million consumers per year, you must also disclose:
- How many requests you received under the right to know
- How many requests you received under the right to delete
- How many requests you received under the right to opt out
- In each case, how many requests you complied with in whole or in part, how many you denied, and how many days it took, on average, for you to respond.
SafeGraph has created a two-column table which covers points 1 (d) (i) and 1 (d) (ii) (1) above.
- The first column lists the categories of personal information SafeGraph has collected about consumers in the past 12 months.
- The second column lists the categories of sources from which SafeGraph collected each category of personal information.
Note that some of these sources are third parties (e.g. advertising networks) while others are not (e.g. mobile applications).
LiveRamp has created a three-column table that covers points 1 (d) (i), 1 (d) (ii) (3), and 1 (e) (ii) above.
- The first column lists the categories of personal information LiveRamp has collected over the past 12 months.
- The second column lists the categories of third parties with whom LiveRamp has shared each category of personal information.
- The third column discloses whether LiveRamp has sold each category of personal information.
Here's how Radisson Hotels covers point 5 by explaining how a consumer can designate an Authorized Agent under the terms of the CCPA:
2. Notice at Collection
You should provide a "notice at collection" whenever you collect personal information directly from consumers.
A notice at collection makes consumers aware of what categories of personal information you are collecting and why you are collecting it.
The Proposed Regulations require that your notice at collection contains the following:
- A list of the categories of personal information you are collecting
- The business or commercial purposes for which you are collecting each category of personal information
- If you sell personal information, a link to your "Do Not Sell My Personal Information" page
Consider the context in which you're collecting personal information when you're providing notice. For example, if you're collecting personal information via a form in the mail, you should provide notice on paper alongside the form.
Here's an excerpt from Master and Dynamic's notice at collection:
You must ensure that your notice at collection is presented to consumers before you collect their personal information. Here's an example from law firm Keesal, Young & Logan:
If you're collecting personal information about the consumer indirectly, i.e. from another source, you don't need to provide notice at collection. However, the Proposed Regulations require that you:
- Contact the consumer directly to provide notice of the right to opt out
- Contact the source of the personal information to:
  - Request confirmation that they gave the consumer valid notice at collection
  - Obtain a "signed attestation" that they gave notice at collection, together with an example of the notice at collection they gave. You must retain a copy of this attestation for at least two years and provide it to the consumer on request.
3. Notice of the Right to Opt Out
If you sell (or you will sell) consumers' personal information, you must provide notice of consumers' right to opt out.
If you sell personal information, you must maintain a clear and conspicuous link on your website's home page stating "Do Not Sell My Personal Information." When consumers click this link, it must lead to your notice of the right to opt out.
The Proposed Regulations require that your notice of the right to opt out contains the following:
- An explanation of the right to opt out
- A form via which consumers may exercise their right to opt out
- Instructions about any other ways consumers can exercise their right to opt out
- Information about any proof you require from consumers who wish to use an Authorized Agent to exercise their right to opt out
Oxydata (a trading name of Binary House LLC) provides a great example of how to meet these requirements.
Here's the first part of Oxydata's notice of the right to opt out, which fulfils points 1-2 above.
Here's the final part of Oxydata's notice of the right to opt out, which fulfils points 3-5 above:
Note how Oxydata uses very accessible language, avoiding any legal jargon.
4. Notice of Financial Incentives
If you operate a "financial incentives scheme," you must provide a notice of financial incentives.
We won't go into detail about the CCPA's financial incentives provisions in this article, but here's a brief explanation.
The CCPA's "right to non-discrimination" forbids businesses from discriminating against consumers who exercise their CCPA consumer rights. This means you cannot, for example, charge a higher price for services to someone who has exercised their "right to opt out."
When the draft CCPA was made available, businesses soon realized that this could forbid them from engaging in legitimate business activities, such as offering coupons to people who sign up to their mailing lists, or running loyalty schemes.
Therefore, there is a provision in the CCPA and the Proposed Regulations that allows businesses to offer incentives to consumers in exchange for their personal information. The incentive must be based on the actual value that the business derives from the personal information.
You must make your notice of financial incentives available to consumers before they opt into any such schemes.
The Proposed Regulations require that your notice of financial incentives contains the following:
- A summary of your financial incentive scheme
- An explanation of the terms of the scheme, including the categories of personal information involved
- Instructions on how consumers can opt in to the scheme
- Notification of consumers' right to withdraw from the scheme
- An explanation of why the scheme is permitted under the CCPA, including:
  - An estimate in "good faith" of the value of the consumer's personal information
  - A description of the method you used to calculate the value
Here's an example of a notice of financial incentives from World's Best Cat Litter:
World's Best Cat Litter explains its financial incentive scheme, how consumers can opt in, and how consumers can opt out without being subject to discrimination.
It's not clear whether the last section on this notice would satisfy point 5 of the Proposed Regulations (above). However, remember that the Regulations may change before they come into force.
We've looked at the four consumer notices you may need to provide under the CCPA.
- Privacy policy: Required for every business subject to the CCPA. It must inform consumers about their rights under the CCPA and about your business activities over the preceding 12-month period.
- Notice at collection: Required if you collect personal information directly from consumers. Present this notice before you collect personal information directly from a consumer.
- Notice of the right to opt out: Required if you sell personal information. Make this notice available via your "Do Not Sell My Personal Information" link.
- Notice of financial incentives: Required if you operate a financial incentive scheme. Present this notice before you invite consumers to join your scheme.
Use clear and straightforward language in your notices. Ensure they are easily accessible, and available in alternative formats for consumers with disabilities.