08 February 2021
A big part of compliance with the California Consumer Privacy Act (CCPA) is providing notice to consumers.
The CCPA's "notice at collection" requirement means that before you collect personal information from consumers, you must tell them what categories of personal information you are collecting and your business and commercial purposes for doing so.
This article will talk you through the CCPA's requirements in this area, including everything you need to know about the notice at collection requirement.
The California Attorney-General has been accused of failing to provide straight answers regarding businesses' responsibilities in complying with the CCPA. However, the CCPA Regulations' "notice at collection" requirements are fairly clear.
Let's break this section of the CCPA Regulations down. It states that:
Enter your email address where you'd like your policy sent, select translation versions and click "Generate."
According to the CCPA Regulations § 999.305 (a) (1), your notice at collection must provide information about "the categories of personal information to be collected from them and the purposes for which the personal information will be used."
§ 999.305 (b) lists the full contents required in your notice at collection:
You can omit items 3 and 4 if you're collecting personal information in the context of employment.
Here's an example from Bota Box that would appear to satisfy these requirements:
Now let's consider the rules on the form your notice at collection must take, i.e., how you must present the information provided in your notice at collection.
What constitutes "plain, straightforward language"? A good starting point is the Federal Plain Language Guidelines (available here), which offers the following rules for writing clearly online:
The CCPA Regulations require that you make your notice at collection "readable, including on smaller screens."
The CCPA Regulations state that you must provide your notice at collection in whatever languages you provide "contracts, disclaimers, sale announcements, and other information" to consumers.
If you conduct business in multiple languages, consider implementing a "translate" option, such as in the example below, from Unison:
Online notices must follow version 2.1 of the World Wide Web Consortium (W3C)'s Web Content Accessibility Guidelines (WCAG), released June 5, 2018 (available here). In the offline context, businesses must explain "how a consumer with a disability may access the notice in an alternative format."
The WCAG's recommendations consist of four principles and 13 guidelines:
Perceivable: Information and user interface components must be presentable to users in ways they can perceive.
Operable: User components and navigation must be operable.
Understandable: Information and the operation of the user interface must be understandable.
Robust: Content must be robust enough that it can be interpreted by a wide variety of user agents, including assistive technologies.
You can also offer consumers with disabilities the opportunity to request your notice at collection in alternative formats. Here's how Standard does this:
Now let's look at how you must present the link to your notice at collection.
According to § 999.305 (a) (3) of the CCPA Regulations, your notice at collection must be "readily available where consumers will encounter it at or before the point of collection of any personal information."
The CCPA Regulations provide four "illustrative examples," two of which are relevant to this article.
If you're collecting personal information online, you "may post a conspicuous link to the notice on the introductory page of [your] website and on all webpages where personal information is collected."
Let's take a look at how Citigroup presents its notice at collection on its website:
The above image is the footer on Citigroup's homepage. The link would also need to appear on every page where personal information is collected, including via cookies. For more information on cookies and the CCPA, see our article CCPA: Does Using Third-Party Cookies Count as Selling Personal Information?
Here's another example from TMX Finance:
If you're collecting personal information via a mobile app, you "may provide a link to the notice on the mobile application's download page and within the application, such as through the application's settings menu."
The CCPA Regulations also state that if your mobile app collects personal information "for a purpose that the consumer would not reasonably expect," you must "provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection."
For example, if your app requires location permissions but it's not a map or location-focused app, you'll need to provide a pop-up notification.
Here's an example of a pop-up permission request notification from the Pharmacy & Chemist Finder app for Android:
The notification would also need to include a link to your notice at collection.
Your notice at collection must be:
Your notice at collection must include:
You must present your notice at collection: