08 February 2021
A big part of compliance with the California Consumer Privacy Act (CCPA) is providing notice to consumers.
The CCPA's "notice at collection" requirement means that before you collect personal information from consumers, you must tell them what categories of personal information you are collecting and your business and commercial purposes for doing so.
The CCPA allows businesses to include their notice at collection as a section within their Privacy Policy and then provide consumers with a link to that section. This could be a smart way for you to cut down on the number of legal documents you're presenting to consumers.
This article will talk you through the CCPA's requirements in this area, including everything you need to know about the notice at collection requirement.
Rather than focusing on the CCPA itself, we'll be looking to the CCPA Regulations (available in full here) to help us understand what's required regarding the CCPA's notice at collection.
The California Attorney-General has been accused of failing to provide straight answers regarding businesses' responsibilities in complying with the CCPA. However, the CCPA Regulations' "notice at collection" requirements are fairly clear.
A Privacy Policy can serve as a notice at collection. This is clearly explained at § 999.305 (c) of the CCPA Regulations:
Let's break this section of the CCPA Regulations down. It states that:
So, it's clear that you cannot simply provide a link to your entire Privacy Policy when providing notice at collection. You must link to a specific section within the Privacy Policy containing the requisite information.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your website. Just follow these steps:
Enter your email address where you'd like your policy sent, select translation versions and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
Now we're going to take a closer look at the CCPA's notice at collection requirements so that you know what information must be included in the relevant section of your Privacy Policy.
According to the CCPA Regulations § 999.305 (a) (1), your notice at collection must provide information about "the categories of personal information to be collected from them and the purposes for which the personal information will be used."
§ 999.305 (b) lists the full contents required in your notice at collection:
You can omit items 3 and 4 if you're collecting personal information in the context of employment.
If your notice at collection constitutes a section in your Privacy Policy, it appears that you are still required to provide a link to your full Privacy Policy within this section.
Here's an example from Bota Box that would appear to satisfy these requirements:
Note that even though this notice at collection constitutes part of Bota Box's Privacy Policy, the company still provides a link to the full Privacy Policy at the bottom of the notice, in compliance with § 999.305 (b) (4) of the CCPA Regulations.
Now let's consider the rules on the form your notice at collection must take, i.e., how you must present the information provided in your notice at collection.
According to CCPA Regulations § 999.305 (a) (2), the "notice at collection" section of your Privacy Policy must:
The CCPA Regulations require that you use "plain, straightforward language" in all CCPA notices, including your notice at collection and Privacy Policy.
What constitutes "plain, straightforward language"? A good starting point is the Federal Plain Language Guidelines (available here), which offer the following rules for writing clearly online:
The CCPA Regulations require that you make your notice at collection "readable, including on smaller screens."
This can be achieved by optimizing your notice at collection for mobile. Work with your web developer to ensure your Privacy Policy webpage is easily navigable on mobile and can adapt to different devices, resolutions, and screen sizes.
The CCPA Regulations state that you must provide your notice at collection in whatever languages you provide "contracts, disclaimers, sale announcements, and other information" to consumers.
If you conduct business in multiple languages, consider implementing a "translate" option, such as in the example below, from Unison:
The CCPA Regulations require that your notice at collection (and Privacy Policy) be "reasonably accessible to consumers with disabilities."
Online notices must follow version 2.1 of the World Wide Web Consortium's (W3C) Web Content Accessibility Guidelines (WCAG), released June 5, 2018 (available here). In the offline context, businesses must explain "how a consumer with a disability may access the notice in an alternative format."
The WCAG's recommendations consist of four principles and 13 guidelines:
Perceivable: Information and user interface components must be presentable to users in ways they can perceive.
Operable: User interface components and navigation must be operable.
Understandable: Information and the operation of the user interface must be understandable.
Robust: Content must be robust enough that it can be interpreted by a wide variety of user agents, including assistive technologies.
Think about how you can implement these principles and guidelines in your notice at collection and broader Privacy Policy. Not all of them will be directly applicable, but guidelines such as 2.4 (navigable) and 3.1 (readable) are easy to implement.
You can also offer consumers with disabilities the opportunity to request your notice at collection in alternative formats. Here's how Standard does this:
Now let's look at how you must present the link to your notice at collection.
According to § 999.305 (a) (3) of the CCPA Regulations, your notice at collection must be "readily available where consumers will encounter it at or before the point of collection of any personal information."
The CCPA Regulations provide four "illustrative examples," two of which are relevant to this article.
If you're collecting personal information online, you "may post a conspicuous link to the notice on the introductory page of [your] website and on all webpages where personal information is collected."
Let's take a look at how Citigroup presents its notice at collection on its website:
The above image is the footer on Citigroup's homepage. The link would also need to appear on every page where personal information is collected, including via cookies. For more information on cookies and the CCPA, see our article CCPA: Does Using Third-Party Cookies Count as Selling Personal Information?
Here's another example from TMX Finance:
If you're collecting personal information via a mobile app, you "may provide a link to the notice on the mobile application's download page and within the application, such as through the application's settings menu."
The CCPA Regulations also state that if your mobile app collects personal information "for a purpose that the consumer would not reasonably expect," you must "provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection."
For example, if your app requires location permissions but it's not a map or location-focused app, you'll need to provide a pop-up notification.
Here's an example of a pop-up permission request notification from the Pharmacy & Chemist Finder app for Android:
The notification would also need to include a link to your notice at collection.
For more information about requesting permissions via a mobile app, see our article GDPR and Mobile Apps and Privacy Policy for Apps With Camera Access.
The CCPA allows you to provide your notice at collection as a section in your Privacy Policy. All the normal rules around the notice at collection apply, including:
Your notice at collection must be:
Your notice at collection must include:
You must present your notice at collection:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.