Post-graduate law degree, CIPP/E from the International Association of Privacy Professionals (IAPP). Privacy and Data Protection Research Writer at TermsFeed.
A big part of compliance with the California Consumer Privacy Act (CCPA), as amended by the CPRA, is providing notice to consumers.
The CCPA/CPRA's "notice at collection" requirement means that before you collect personal information from consumers, you must tell them what categories of personal information you are collecting and your business and commercial purposes for doing so.
This article will walk you through the CCPA/CPRA's requirements in this area, including everything you need to know about the notice at collection requirement.
Notice at Collection Requirements
Rather than focusing on the CCPA itself, we'll be looking to the CCPA/CPRA Regulations (available in full here) to help us understand what's required regarding the CCPA/CPRA's notice at collection.
The California Attorney-General has been accused of failing to provide straight answers regarding businesses' responsibilities in complying with the CCPA (CPRA). However, the CCPA Regulations' "notice at collection" requirements are fairly clear.
Let's break this section of the CCPA (CPRA) down. It states that:
- This only applies where a business is collecting personal information from a consumer online (i.e., via a website or mobile app)
Notice at Collection: Content Requirements
According to the CCPA Regulations § 999.305 (a) (1), your notice at collection must provide information about "the categories of personal information to be collected from them and the purposes for which the personal information will be used."
§ 999.305 (b) lists the full contents required in your notice at collection:
- A list of the categories of personal information you're collecting. You must ensure consumers have "a meaningful understanding of the information being collected"
- The business or commercial purposes for which you will use the personal information
- How long you will retain the data for
- A link to your "Do Not Sell My Personal Information" page, if you have one
Here's an example from Bota Box that would appear to satisfy these requirements:
Notice at Collection: Form Requirements
Now let's consider the rules on the form your notice at collection must take, i.e., how you must present the information provided in your notice at collection. Your notice at collection must:
- Use "plain, straightforward language," and not use "technical or legal jargon"
- Use "a format that draws the consumer's attention" and be "readable, including on smaller screens"
- Be available in whatever languages you provide "contracts, disclaimers, sale announcements, and other information" to consumers
- Be "reasonably accessible" to people with disabilities
What constitutes "plain, straightforward language"? A good starting point is the Federal Plain Language Guidelines (available here), which offer the following rules for writing clearly online:
- Write for your audience: Consider which consumers are likely to be reading your notice at collection, and write with them in mind. This is particularly important if you offer services to children.
- Organize the information: Split your notice at collection into sections and ensure it flows logically.
- Choose your words carefully: Whenever you intend to use a technical or obscure word, consider whether there is a shorter, simpler alternative.
- Be concise: Re-write longer sentences to use fewer words.
- Keep it conversational: Your notice at collection should not feel legalistic. Use a friendly tone.
- Design for reading: Use tables and images where appropriate. Use bold text for key phrases.
- Follow web standards: Use effective links and format for the web.
- Test your assumptions: Don't assume your customers will understand your notice. Ask others to read it before publishing.
The CCPA Regulations require that you make your notice at collection "readable, including on smaller screens."
The CCPA Regulations state that you must provide your notice at collection in whatever languages you provide "contracts, disclaimers, sale announcements, and other information" to consumers.
If you conduct business in multiple languages, consider implementing a "translate" option, such as in the example below, from Unison:
Online notices must follow version 2.1 of the World Wide Web Consortium (W3C)'s Web Content Accessibility Guidelines (WCAG), released June 5, 2018 (available here). In the offline context, businesses must explain "how a consumer with a disability may access the notice in an alternative format."
The WCAG's recommendations consist of four principles and 13 guidelines:
Perceivable: Information and user interface components must be presentable to users in ways they can perceive.
- Text Alternatives: Provide text alternatives for any non-text content (e.g. audio).
- Time-based Media: Provide alternatives to time-based media.
- Adaptable: Create content that can be presented in different ways.
- Distinguishable: Make it easier for users to see and hear content including separating foreground from background.
Operable: User components and navigation must be operable.
- Keyboard Accessible: Make all functionality available from a keyboard.
- Enough Time: Provide users enough time to read and use content.
- Seizures and Physical Reactions: Do not design content in a way that is known to cause seizures or physical reactions.
- Navigable: Provide ways to help users navigate, find content, and determine where they are.
- Input Modalities: Make it easier for users to operate functionality through various inputs.
Understandable: Information and the operation of the user interface must be understandable.
- Readable: Make text content readable and understandable.
- Predictable: Make web pages appear and operate in predictable ways.
- Input Assistance: Help users avoid and correct mistakes.
Robust: Content must be robust enough that it can be interpreted by a wide variety of user agents, including assistive technologies.
- Compatible: Maximize compatibility with current and future user agents, including assistive technologies.
You can also offer consumers with disabilities the opportunity to request your notice at collection in alternative formats. Here's how Standard does this:
Now let's look at how you must present the link to your notice at collection.
Notice at Collection: Presentation Requirements
According to § 999.305 (a) (3) of the CCPA Regulations, your notice at collection must be "readily available where consumers will encounter it at or before the point of collection of any personal information."
The CCPA Regulations provide four "illustrative examples," two of which are relevant to this article.
If you're collecting personal information online, you "may post a conspicuous link to the notice on the introductory page of [your] website and on all webpages where personal information is collected."
Let's take a look at how Citigroup presents its notice at collection on its website:
The above image is the footer on Citigroup's homepage. The link would also need to appear on every page where personal information is collected, including via cookies. For more information on cookies and the CCPA, see our article CCPA: Does Using Third-Party Cookies Count as Selling Personal Information?
Here's another example from TMX Finance:
If you're collecting personal information via a mobile app, you "may provide a link to the notice on the mobile application's download page and within the application, such as through the application's settings menu."
The CCPA Regulations also state that if your mobile app collects personal information "for a purpose that the consumer would not reasonably expect," you must "provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection."
For example, if your app requires location permissions but it's not a map or location-focused app, you'll need to provide a pop-up notification.
Here's an example of a pop-up permission request notification from the Pharmacy & Chemist Finder app for Android:
The notification would also need to include a link to your notice at collection.
Your notice at collection must be:
- Written in plain and straightforward language
- Readable, including on smaller screens
- Available in whatever languages you use to conduct your usual business operations
- Reasonably accessible to consumers with disabilities
Your notice at collection must include:
- A list of the categories of personal information you collect
- The business or commercial purposes for which you collect personal information
- A link to your "Do Not Sell My Personal Information" page
- How long you retain data for
You must present your notice at collection:
- On your website homepage and any other page on which you collect personal information
- On your mobile app's download page and in its settings menu