CCPA: Does a Privacy Policy Satisfy the "Notice at Collection" Requirement?

A big part of compliance with the California Consumer Privacy Act (CCPA) is providing notice to consumers.

The CCPA's "notice at collection" requirement means that before you collect personal information from consumers, you must tell them what categories of personal information you are collecting and your business and commercial purposes for doing so.

The CCPA allows businesses to include their notice at collection as a section within their Privacy Policy and then provide consumers with a link to that section. This could be a smart way for you to cut down on the number of legal documents you're presenting to consumers.

This article will talk you through the CCPA's requirements in this area, including everything you need to know about the notice at collection requirement.

Notice at Collection Requirements

Rather than focusing on the CCPA itself, we'll be looking to the CCPA Regulations (available in full here) to help us understand what's required regarding the CCPA's notice at collection.

The California Attorney-General has been accused of failing to provide straight answers regarding businesses' responsibilities in complying with the CCPA. However, the CCPA Regulations' "notice at collection" requirements are fairly clear.

A Privacy Policy can serve as a notice at collection. This is clearly explained at § 999.305 (c) of the CCPA Regulations:

Let's break this section of the CCPA Regulations down. It states that:

• A business may use its Privacy Policy to provide consumers with a notice at collection
• This only applies where a business is collecting personal information from a consumer online (i.e., via a website or mobile app)
• The business must provide a link to a section of its Privacy Policy
• That section of the business' Privacy Policy must contain the information required in § 999.305 (b) of the CCPA Proposed Regulations

So, it's clear that you cannot simply provide a link to your entire Privacy Policy when providing notice at collection. You must link to a specific section within the Privacy Policy containing the requisite information.

Now we're going to take a closer look at the CCPA's notice at collection requirements so that you know what information must be included in the relevant section of your Privacy Policy.

Notice at Collection: Content Requirements

According to the CCPA Regulations § 999.305 (a) (1), your notice at collection must provide information about "the categories of personal information to be collected from them and the purposes for which the personal information will be used."

§ 999.305 (b) lists the full contents required in your notice at collection:

1. A list of the categories of personal information you're collecting. You must ensure consumers have "a meaningful understanding of the information being collected"
2. The business or commercial purposes for which you will use the personal information
3. A link to your "Do Not Sell My Personal Information" page, if you have one
4. A link to your Privacy Policy

You can omit items 3 and 4 if you're collecting personal information in the context of employment.

If your notice at collection constitutes a section in your Privacy Policy, it appears that you are still required to provide a link to your full Privacy Policy within this section.

Here's an example from Bota Box that would appear to satisfy these requirements:

Note that even though this notice at collection constitutes part of Bota Box's Privacy Policy, the company still provides a link to the full Privacy Policy at the bottom of the notice, in compliance with § 999.305 (b) (4) of the CCPA Regulations.

Notice at Collection: Form Requirements

Now let's consider the rules on the form your notice at collection must take, i.e., how you must present the information provided in your notice at collection.

According to CCPA Regulations § 999.305 (a) (2), the "notice at collection" section of your Privacy Policy must:

1. Use "plain, straightforward language," and not use "technical or legal jargon"
2. Use "a format that draws the consumer's attention" and be "readable, including on smaller screens"
3. Be available in whatever languages you provide "contracts, disclaimers, sale announcements, and other information" to consumers
4. Be "reasonably accessible" to people with disabilities

Clarity

The CCPA Regulations require that you use "plain, straightforward language" in all CCPA notices, including your notice at collection and Privacy Policy.

What constitutes "plain, straightforward language"? A good starting point is the Federal Plain Language Guidelines (available here), which offers the following rules for writing clearly online:

• Write for your audience: Consider which consumers are likely to be reading your notice at collection, and write with them in mind. This is particularly important if you offer services to children.
• Organize the information: Split your notice at collection into sections and ensure it flows logically.
• Choose your words carefully: Whenever you intend to use a technical or obscure word, consider whether there is a shorter, simpler alternative.
• Be concise: Re-write longer sentences to use fewer words.
• Keep it conversational: Your notice at collection should not feel legalistic. Use a friendly tone.
• Design for reading: Use tables and images where appropriate. Use bold text for key phrases.
• Follow web standards: Use effective links and format for the web.
• Test your assumptions: Don't assume your customers will understand your notice. Ask others to read it before publishing.

Readability

The CCPA Regulations require that you make your notice at collection "readable, including on smaller screens."

This can be achieved by optimizing your notice at collection for mobile. Work with your web developer to ensure your Privacy Policy webpage is easily navigable on mobile and can adapt to different devices, resolutions, and screen sizes.

Languages

The CCPA Regulations state that you must provide your notice at collection in whatever languages you provide "contracts, disclaimers, sale announcements, and other information" to consumers.

If you conduct business in multiple languages, consider implementing a "translate" option, such as in the example below, from Unison:

Accessibility

The CCPA Regulations require that your notice at collection (and Privacy Policy) be "reasonably accessible to consumers with disabilities."

Online notices must follow version 2.1 of the World Wide Web Consortium (W3C)'s Web Content Accessibility Guidelines (WCAG), released June 5, 2018 (available here). In the offline context, businesses must explain "how a consumer with a disability may access the notice in an alternative format."

The WCAG's recommendations consist of four principles and 13 guidelines:

1. Perceivable: Information and user interface components must be presentable to users in ways they can perceive.

   • Text Alternatives: Provide text alternatives for any non-text content (e.g. audio).
   • Time-based Media: Provide alternatives to time-based media.
   • Adaptable: Create content that can be presented in different ways.
   • Distinguishable: Make it easier for users to see and hear content including separating foreground from background.

2. Operable: User components and navigation must be operable.

   • Keyboard Accessible: Make all functionality available from a keyboard.
   • Enough Time: Provide users enough time to read and use content.
   • Seizures and Physical Reactions: Do not design content in a way that is known to cause seizures or physical reactions.
   • Navigable: Provide ways to help users navigate, find content, and determine where they are.
   • Input Modalities: Make it easier for users to operate functionality through various inputs.

3. Understandable: Information and the operation of the user interface must be understandable.

   • Readable: Make text content readable and understandable.
   • Predictable: Make web pages appear and operate in predictable ways.
   • Input Assistance: Help users avoid and correct mistakes.

4. Robust: Content must be robust enough that it can be interpreted by a wide variety of user agents, including assistive technologies.

   • Compatible: Maximize compatibility with current and future user agents, including assistive technologies.

Think about how you can implement these principles and guidelines into your notice at collection and broader Privacy Policy. Not all of them will be directly applicable, but guidelines such as 2.4. (navigability) and 3.1 (readable) are easy to implement.

You can also offer consumers with disabilities the opportunity to request your notice at collection in alternative formats. Here's how Standard does this:

Now let's look at how you must present the link to your notice at collection.

Notice at Collection: Presentation Requirements

According to § 999.305 (a) (3) of the CCPA Regulations, your notice at collection must be "readily available where consumers will encounter it at or before the point of collection of any personal information."

The CCPA Regulations provide four "illustrative examples," two of which are relevant to this article.

If you're collecting personal information online, you "may post a conspicuous link to the notice on the introductory page of [your] website and on all webpages where personal information is collected."

Let's take a look at how Citigroup presents its notice at collection on its website:

The above image is the footer on Citigroup's homepage. The link would also need to appear on every page where personal information is collected, including via cookies. For more information on cookies and the CCPA, see our article CCPA: Does Using Third-Party Cookies Count as Selling Personal Information?

Here's another example from TMX Finance:

If you're collecting personal information via a mobile app, you "may provide a link to the notice on the mobile application's download page and within the application, such as through the application's settings menu."

The CCPA Regulations also state that if your mobile app collects personal information "for a purpose that the consumer would not reasonably expect," you must "provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection."

For example, if your app requires location permissions but it's not a map or location-focused app, you'll need to provide a pop-up notification.

Here's an example of a pop-up permission request notification from the Pharmacy & Chemist Finder app for Android:

The notification would also need to include a link to your notice at collection.

For more information about requesting permissions via a mobile app, see our article GDPR and Mobile Apps and Privacy Policy for Apps With Camera Access.

Summary

The CCPA allows you to provide your notice at collection as a section in your Privacy Policy. All the normal rules around the notice at collection apply, including:

• Your notice at collection must be:

  • Written in plain and straightforward language
  • Readable, including on smaller screens
  • Available in whatever languages you conduct your usual business operations
  • Reasonably accessible to consumers with disabilities

• Your notice at collection must include:

  • A list of the categories of personal information you collect
  • The business or commercial purposes for which you collect personal information
  • A link to your "Do Not Sell My Personal Information" page
  • A link to your full Privacy Policy

• You must present your notice at collection:

  • On your website homepage and any other page on which you collect personal information
  • In your mobile app download page and settings menu