Last updated on 10 August 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
The California Consumer Privacy Act (CCPA) requires businesses under its scope to provide a number of notices addressing a variety of issues.
In this article, we're going to look at what the CCPA specifically requires, how businesses are providing CCPA-compliant notice and how you can create your own notices to stay compliant with the CCPA.
Since the CCPA passed in 2018, businesses have been working hard to provide appropriate notice to consumers regarding the collection and use of their personal information.
But the definition of "consumer" in the CCPA is broader than many people realize. Any California resident can be a consumer: not just the public (e.g. your customers and users of your website), but also your employees.
Let's look more specifically at this and at some other relevant terminology under the CCPA.
The CCPA applies if a business is "doing business in California" (regardless of where the business itself is located), and one or more of the following characteristics apply to it:
There is one exception: the CCPA does not apply to "service providers." Service providers are businesses that operate on behalf of other businesses.
The CCPA applies to businesses all over the world. If you want to "do business" in California, and you fall under the CCPA's scope, you must comply with the CCPA.
Doing business in California might include the following:
The CCPA defines a consumer as a "natural person" (i.e. not a "legal person" such as a corporation) who is a California resident. The CCPA takes its definition of "California resident" from another law, 18 CCR § 17014.
This includes not only your customers but any California resident whose personal information your business collects, including employees.
Different privacy laws define "personal information" in different ways. The CCPA defines personal information more broadly than any other U.S. privacy law. Here's the definition of personal information in the CCPA:
The CCPA gives many examples of personal information, including:
Try not to think of personal information only as information that describes or identifies a consumer. If a piece of information could be reasonably linked to a consumer, it's personal information.
Under the CCPA, consumers have a "right to notice." This means they have the right to a variety of information, including information about what personal information your business collects, uses, shares, and sells, and what their other rights are regarding this.
The following principles apply when you are creating your consumer notices:
Let's look at what notices you must provide under the CCPA.
You must ensure that your notice at collection is presented to consumers before you collect their personal information.
Your Notice at Collection must:
Here's an excerpt from a Notice at Collection created by Central Valley Community Bank:
The table shows a list of categories of personal information that the business collects, together with its intended uses of the personal information.
Here's an excerpt from Master and Dynamic's notice at collection:
The same applies for employee notices.
Here's an example of a Notice at Collection that Pyrotek provides to job applicants:
We've broken this requirement down into seven sections and provided some examples from businesses that are meeting these requirements.
Here's how Technicolor's CCPA Privacy Notice explains the right to know:
You'll also need to:
Explain how you have processed personal information over the past 12 months:
For each category of personal information on the list, explain:
Here's an example from Weatherbit, disclosing the categories of personal information the business has collected over the past 12 months:
Note that Weatherbit discloses that it has not collected personal information from category "B." This is not necessary under the CCPA.
Explain how you have disclosed and/or sold personal information over the past 12 months:
Here's how Oreck covers the first two points above:
You must provide Notice of the Right to Opt Out (also known as a "Do Not Sell My Personal Information" page) if you sell consumers' personal information.
Here's how Thomson Reuters does this:
You'll need to do the following to facilitate the right to opt out:
You should provide Notice of the Right to Opt Out via a clear and conspicuous link that reads "Do Not Sell My Personal Information" or "Do Not Sell My Info."
Here's an excerpt from a Notice of the Right to Opt Out from Publisher's Clearing House (PCH):
Note that PCH allows consumers to provide their account number, but does not require them to do so. This is good. You must not require consumers to create an account with your business in order for them to be able to exercise their CCPA rights.
Explain the right to non-discrimination.
Here's how CooperSurgical does this:
Note that you may not need to go into this much detail to comply with the CCPA. In particular, the section about financial incentive schemes (in the red box) is not required unless you operate such a scheme.
Explain how an authorized agent can make a CCPA request on a consumer's behalf.
Here's how Ironwood Pharmaceuticals does this:
Note how the business uses clear and straightforward language in its explanation.
Provide contact details via which a consumer can request further information.
Here's an example from eHealthInsurance:
Note how this business provides a broad range of contact options for consumers.
Here's how Salt Edge does this:
You only need to provide a Notice of Financial Incentive if you operate a financial incentive scheme.
The CCPA allows a business to offer consumers discounts or other benefits in exchange for their personal information, so long as the business meets certain conditions.
Your Notice of Financial Incentive must:
Here's an extract of a Notice of Financial Incentive from Prodege:
In this excerpt, Prodege sets out the terms of its scheme and explains how consumers can opt in and opt out. It is not clear whether the opt-out method Prodege provides would be satisfactory under the CCPA but it seems promising.
For more information about this notice, please see our "CCPA Notice of Financial Incentives" article.
You only need to provide this information if your business buys, sells, receives, and/or shares the personal information of more than 4 million consumers per year.
With respect to the past 12 months, disclose:
For each item above, disclose:
To fulfill the right to notice, all businesses covered by the CCPA must provide up to four types of consumer notice:
Each of these types of notice has more nuanced requirements, but the key is being transparent and disclosing your privacy practices as well as the rights that consumers have.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.