CCPA Notices

Since the California Consumer Privacy Act (CCPA) passed in 2018, businesses have been working hard to provide appropriate notice to consumers regarding the collection and use of their personal information.

But the definition of "consumer" in the CCPA is broader than many people realize. Any California resident can be a consumer: not just the public (e.g. your customers and users of your website), but also your employees.

In this article, we're going to look at how businesses are providing CCPA-compliant notice to both their employees and the public.


CCPA: A Brief Introduction

Here's a very brief introduction to the CCPA and the CCPA's consumer notices.

Which Businesses are Covered By the CCPA?

The CCPA applies to any for-profit company operating in California (based anywhere in the world) if one or more of the following characteristics apply to it:

  • It has annual gross revenues of $25 million or more
  • It buys, sells, shares for commercial purposes, or receives for commercial purposes, the personal information of more than 50,000 California consumers, devices, or households per year
  • It derives at least 50 percent of its annual revenues from the sale of consumers' personal information

There is one exception: the CCPA does not apply to "service providers." Service providers are businesses that operate on behalf of other businesses.

What are the CCPA Consumer Notices?

Under the CCPA, consumers have a "right to notice." This means they have the right to information about what personal information your business collects, uses, shares, and sells.

To fulfill the right to notice, all businesses covered by the CCPA must provide up to four types of consumer notice:

  • Notice at Collection
  • Privacy Policy
  • Notice of the Right to Opt Out
  • Notice of Financial Incentive

The following principles apply when you are creating your consumer notices:

  • Use clear and plain language.
  • Make your notices clear and conspicuous, even on small screens.
  • Use whatever language you normally use to communicate with consumers.
  • Provide your notices in alternative formats for consumers with disabilities.
  • If you're collecting personal information on paper, you must provide a hard copy of your notices.

We're going to look at how to create these consumer notices in respect of two types of consumers: the public and your employees.

Public CCPA Notices

At least until 2021, the CCPA distinguishes between two types of consumers:

  • People working for your business, including job applicants, employees, owners, directors, officers, medical staff, and contractors. We'll call these consumers "employees."
  • All other California residents. For most businesses, this means their customers and users of their website and/or app.

First, we're going to look at how to provide the four consumer notices for that second group of consumers: the general public, who interact with your business but do not work for it.

Notice at Collection

You should provide a Notice at Collection whenever you collect personal information from consumers.

Your Notice at Collection must:

  • Identify the categories of personal information you're collecting
  • Explain the business or commercial purposes for which you collect personal information
  • Provide a link to your "Do Not Sell My Personal Information" page (if you have one)
  • Provide a link to your Privacy Policy

Here's an excerpt from a Notice at Collection created by Central Valley Community Bank:

Central Valley Community Bank: CCPA Notice at Collection - Category and Intended Use excerpt

The table shows a list of categories of personal information that the business collects, together with its intended uses of the personal information.

Further down, the business offers to provide the notice in alternative formats and provides a link to its Privacy Policy:

Central Valley Community Bank: CCPA Notice at Collection - Other Important Information section

Privacy Policy

Amending your Privacy Policy is one of the most important parts of CCPA compliance. A Privacy Policy is mandatory for all businesses that collect personal information.

In the CCPA Proposed Regulations (available here), the California Attorney-General provides a model Privacy Policy. We've broken this model down into eight sections and provided some examples from businesses that are already meeting these requirements.

1. The Right to Know

In the first section of your CCPA Privacy Policy, you should:

  • Explain the right to know, including that consumers may ask what personal information you collect, use, disclose for business purposes, and/or sell.
  • Explain how consumers can make a request. If you provide a web form that enables them to make a request, provide a link to this form.
  • Explain your process for verifying a consumer's identity, including any information you will ask them for.

Here's part of Moving Picture Company's Privacy Policy where the business explains the right to know:

Moving Picture Company CCPA Privacy Notice: Right to Know clause

You'll also need to:

  • Explain how you have processed personal information over the past 12 months:

    • Provide a list of each category of personal information you have collected.
    • For each category of personal information on the list, explain:

      • Where you obtained it (the "categories of sources")
      • Your business or commercial purposes for collecting it
      • Any third parties with whom you share it

Here's an example from Weatherbit, disclosing the categories of personal information the business has collected over the past 12 months:

Weatherbit CCPA Privacy Notice: Information We Collect - Category chart excerpt

Note that Weatherbit discloses that it has not collected personal information from category "B." This is not necessary under the CCPA.

  • Explain how you have disclosed and/or sold personal information over the past 12 months:

    • Disclose whether you have sold or disclosed personal information for business purposes.
    • Provide a list of each category of personal information you have sold or disclosed for business purposes.
    • State whether your business has "actual knowledge" of having sold the personal information of minors.

Here's part of the Privacy Policy of IrvingGQ. It explains the categories of personal information that the company has disclosed for business purposes and the categories of recipients to whom the business disclosed it:

IrvingGQ CCPA Privacy Notice: Sharing Personal Information clause

Note that this Privacy Policy actually goes further than the Proposed Regulations require.

2. The Right to Delete

  • Explain the right to delete: That consumers may request that you delete personal information you have collected about them.
  • Explain how consumers can make a request under the right to delete. If you provide a web form that enables them to make a request, provide a link to this form.
  • Explain your process for verifying a consumer's identity, including any information you will ask them for.

Here's how Oreck covers the first two points above:

Oreck CCPA Terms and Privacy Policy: Right to Delete clause

3. The Right to Opt Out

  • Explain the right to opt out: That consumers may instruct your business not to sell their personal information.
  • Provide a link to your "Do Not Sell My Personal Information" page, if you have one.

Here's how Thomson Reuters does this:

Thomson Reuters Privacy Statement: Do Not Sell My Personal Information clause

4. The Right to Non-Discrimination

Explain the right to non-discrimination.

Here's how CooperSurgical does this:

CooperSurgical CCPA Privacy Policy: Non-Discrimination clause

Note that you may not need to go into this much detail to comply with the CCPA. In particular, the section about financial incentive schemes (in the red box) is not required unless you operate such a scheme.

5. Authorized Agent

Explain how an authorized agent can make a CCPA request on a consumer's behalf.

Here's how Ironwood Pharmaceuticals does this:

Ironwood Pharma California Consumer Privacy Policy: Authorized Agents clause

Note how the business uses clear and straightforward language in its explanation.

6. Contact Information

Provide contact details via which a consumer can request further information.

Here's an example from eHealthInsurance:

eHealthInsurance Privacy Policy: Contact Information clause

Note how this business provides a broad range of contact options for consumers.

7. Date of Last Update

Disclose the date you last updated your Privacy Policy.

Here's how Salt Edge does this:

Salt Edge Privacy Policy: Date Last Revised section

8. Additional Requirements

You only need to provide this information if your business buys, sells, receives, and/or shares the personal information of more than 4 million consumers per year.

  • With respect to the past 12 months, disclose:

    • The number of "right to know" requests you received
    • The number of "right to delete" requests you received
    • The number of "right to opt out" requests you received
  • For each item above, disclose:

    • How many requests you fulfilled (in whole or in part), how many requests you rejected, and your average response time (the median number of days)

Notice of the Right to Opt Out (for Non-Employees)

You must provide Notice of the Right to Opt Out (also known as a "Do Not Sell My Personal Information" page) if you sell consumers' personal information.

The CCPA Proposed Regulations require that you do the following in your Notice of the Right to Opt Out:

  • Explain the right to opt out
  • Provide an opt out form
  • Inform consumers of any alternative opt-out methods
  • Describe any verification requirements you have for authorized agents
  • Display a link to your Privacy Policy

You should provide Notice of the Right to Opt Out via a clear and conspicuous link that reads "Do Not Sell My Personal Information" or "Do Not Sell My Info."

Here's an excerpt from a Notice of the Right to Opt Out from Publishers Clearing House (PCH):

PCH Notice of the Right to Opt Out

Note that PCH allows consumers to provide their account number, but does not require them to do so. This is good. You must not require consumers to create an account with your business in order for them to be able to exercise their CCPA rights.

Notice of Financial Incentive (for Non-Employees)

You only need to provide a Notice of Financial Incentive if you operate a financial incentive scheme.

We won't fully explain the CCPA's financial incentive provisions in this article. Briefly, the CCPA allows a business to offer consumers discounts or other benefits in exchange for their personal information, so long as the business meets certain conditions.

Your Notice of Financial Incentive must:

  1. Summarize the scheme
  2. Provide the terms of the scheme and the categories of personal information you collect
  3. Explain how to opt in
  4. Explain how to withdraw
  5. Provide:

    1. An estimate of the value of participating consumers' personal information
    2. An explanation of how you calculated this value

Here's an extract of a Notice of Financial Incentive from Prodege:

Prodege Notice of Financial Incentive

In this excerpt, Prodege sets out the terms of its scheme and explains how consumers can opt in and opt out. It is not clear whether the opt-out method Prodege provides would be satisfactory under the CCPA but it seems promising.

Employee CCPA Notices

Employees also have a right to notice under the CCPA. As noted, the CCPA's definition of "consumer" covers all California residents, meaning:

  • Any individual who is located in California for anything other than a "temporary or transitory" purpose (e.g. visitors, tourists)
  • Any individual who is domiciled in California, but who is currently outside of the state for a "temporary or transitory" purpose (e.g. California residents who are on vacation)

While we normally think of "consumers" as "customers" or "potential customers," this definition of "consumer" includes employees of your business.

Extending all the CCPA's provisions to all employees will require a lot of work. Accordingly, in October 2019, the State of California enacted Assembly Bill 25 (AB-25, available here) in order to give businesses some breathing space.

Here's the relevant part of AB-25:

California Legislative Information: CCPA AB-25 - Employee exemption

AB-25 states that until January 1st, 2021, a business will not have to comply with the CCPA in respect of its:

  • Job applicants
  • Employees
  • Owners
  • Directors
  • Officers
  • Medical staff
  • Contractors

However, there is one provision of the CCPA that businesses must comply with in respect of their employees even before 2021 (i.e. now): providing Notice at Collection for employees.

Notice at Collection for Employees

The CCPA's Notice at Collection requirements are mostly the same in respect of your employees as they are in respect of all other consumers.

Your Notice at Collection for employees must:

  • Identify the categories of personal information you're collecting
  • Explain the business or commercial purposes for which you'll be using the personal information

At least until the CCPA is finalized in 2021, there are two differences between a Notice at Collection for employees and a Notice at Collection for non-employees. In your Notice at Collection for employees:

  • You may provide a link to your Privacy Policy for employees (if you have one), rather than your main Privacy Policy
  • You do not need to include a link to your "Do Not Sell My Personal Information" page (if you have one)

Here's an example of a Notice at Collection that Pyrotek provides to job applicants:

Pyrotek CCPA Notice for Applicants: Professional or Employment Related Information clause

This small excerpt provides a lot of useful information, including:

  • The relevant categories of personal information Pyrotek collects
  • Examples of the types of personal information in that category
  • The purposes for which the personal information is collected

You should provide Notice at Collection for employees whenever you collect employees' personal information. Consider including a Notice at Collection with employee handbooks, terms of employment, internal policies, etc.

Privacy Policy for Employees

Until at least 2021, there's no need to provide a Privacy Policy for employees. However, some businesses have already created such a document.

Here's an excerpt from a Privacy Policy for employees produced by Cohn Restaurant Group:

Cohn Restaurant Group Employee Privacy Policy: Intro clause

Most businesses currently providing a Privacy Policy for employees have created a document that effectively serves as a Notice at Collection for employees, i.e. it explains what categories of personal information the business collects for what purposes.

Here's an example from Trendmaker Homes:

Trendmaker Homes Employee Privacy Policy: Personal Information Collected clause

For now, this is acceptable. From 2021 onwards, your Privacy Policy for employees could look very different. For example, unless the CCPA changes, your Privacy Policy for employees will need to provide information about how your employees can exercise their CCPA rights.

Other Notices for Employees

For now, there is no need to provide Notice of the Right to Opt Out or Notice of Financial Incentive to your employees.

There had been concern among businesses that certain practices involving the collection and sharing of employment data would be considered a "sale," for example, sharing employee data with third-party providers for the purpose of providing benefits.

However, the Proposed Regulations released in February 2020 (available here) clarify that the collection and use of employment-related information for providing benefits constitutes a "business purpose" rather than a sale.

Therefore, for most employers, there should be no need to provide Notice of the Right to Opt Out for employees. A Notice of Financial Incentive also does not apply to employment-related activities.

Summary Chart of Required CCPA Notices

The table below explains which notices you must provide to which types of consumers:

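| Notice                         | Public      | Employees                   |
|--------------------------------|-------------|-----------------------------|
| Notice at Collection           | Provide now | Provide now                 |
| Privacy Policy                 | Provide now | Provide after Jan 1st, 2020 |
| Notice of the Right to Opt Out | Provide now | N/A                         |
| Notice of Financial Incentives | Provide now | N/A                         |
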
Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.