
For the CCPA, New AG Regulations Are a “How-To” Manual

Stacey Garrett

Yes, the California Consumer Privacy Act is really happening. As the clock ticks down toward the January 1, 2020 effective date of the California Consumer Privacy Act, many businesses are coming to grips with the fact that the CCPA is not going away.

In fact, the opposite is true: the CCPA—and the obligations it imposes on covered businesses—just got very, very real.

Businesses have known for more than a year that the CCPA gives consumers the right to know what personal information that businesses collect about them and how that information is used. The CCPA also gives consumers the right to opt out of the sale of their personal information to third parties, and gives consumers the right to request that businesses delete their personal information. Businesses covered by the CCPA also have known that the CCPA would require them to do something to recognize these new rights.

But what, exactly? The California Attorney General’s office attempted to answer that question on October 10, 2019 when it issued draft regulations for implementing the CCPA (available here). (The draft regulations are subject to a public comment period that ends on December 6, 2019.)

Although the draft regulations do not resolve every issue, they do provide some specific guidance for businesses regarding their compliance obligations. They are, in other words, a “how to” manual for building a compliance program.


The Transparency Obligation: Notices Are Required

The CCPA requires that businesses inform consumers about the information the business collects, how the business uses the information, and whether the business shares or sells the information with others. The CCPA also requires that businesses inform consumers about the existence of their CCPA rights and how to exercise them. The CCPA accomplishes these objectives by requiring that businesses provide consumers with several written notices:

  • Although the notices each serve a different purpose, they all must use plain, straightforward language and avoid technical or legal jargon.
  • They also must be in a format that draws the consumer’s attention and makes the notices readable, including on smaller screens.
  • The notices must be available in the language(s) in which the business in its ordinary course provides contracts, disclaimers, sale announcements and other information to consumers.
  • The notices must be accessible to consumers with disabilities or, at a minimum, the notices must provide information on how a consumer with a disability may access the notice in an alternative format. (The Web Content Accessibility Guidelines [WCAG] 2.0 are the generally recognized standard for determining website accessibility.)

Is Your Business Subject to the CCPA?

Not all organizations are required to comply with the CCPA. The CCPA applies to for-profit organizations that do business in California, that collect consumers’ personal information, that determine how the information is used, and that meet one of the following three thresholds: (1) have annual gross revenues in excess of $25 million; (2) alone or in combination, annually buy, receive, sell or share for a commercial purpose the personal information of 50,000 or more consumers; or (3) derive 50% or more of their annual revenue from selling consumers’ personal information.

Three notices required by the CCPA

The CCPA requires that businesses provide three notices to consumers: (1) a Notice at Collection of Personal Information, (2) a Notice of Right to Opt-Out of Sale of Personal Information, and (3) a Notice of Financial Incentives.

1 • Notice at Collection of Personal Information

The purpose of a Notice at Collection is to inform consumers of the categories of personal information the business will collect from them and the purpose(s) for which the information will be used. The Notice at Collection must be delivered to the consumer at or before the time a business collects personal information.

The Notice at Collection must contain:

(1) A list of the categories of personal information about consumers to be collected;

(2) For each category of personal information, the business or commercial purpose(s) for which the information will be used;

(3) If the business sells personal information, a link titled, “Do Not Sell My Personal Information,” or in offline notices, the web address where the “Do Not Sell” link can be found; and

(4) A link to the business’s privacy policy.

The Notice at Collection must be visible or accessible where consumers will see it before any personal information is collected. When a business collects consumers’ personal information online, it may conspicuously post a link to the Notice at Collection on the business’s website homepage or on the mobile application download page, or on all webpages where personal information is collected.

When a business collects consumers’ personal information offline, it may include the notice on printed forms that collect the information, provide the consumer with a paper version of the Notice at Collection, or post prominent signage directing consumers to the web address where the notice can be found.


There is a lot riding on the Notice at Collection because the CCPA prohibits businesses from collecting categories of personal information other than those disclosed in the Notice at Collection. If the business intends to collect additional categories of personal information, the CCPA requires that the business provide a new Notice at Collection at or before the time it collects the additional information.

If a business fails to give consumers a Notice at Collection as required by the CCPA, the business is prohibited from collecting personal information from the consumer. Importantly, as we discussed in our last post in this series, job applicants, employees, independent contractors and temporary workers all are entitled to Notices at Collection.

2 • Notice of Right to Opt-Out of Sale of Personal Information

The purpose of the notice of right to opt-out of sale of personal information is to inform consumers of their right to direct a business that sells (or may in the future sell) their personal information to stop selling it, and to refrain from selling it in the future.

The Notice of Right to Opt-Out must contain:

(1) A description of the consumer’s right to opt-out of the sale of their personal information;

(2) The webform by which the consumer can submit their request to opt-out online, or if the business does not operate a website, the offline method by which the consumer can submit their request to opt-out;

(3) Instructions for any other method by which the consumer may submit their request to opt-out;

(4) Any proof required when a consumer uses an authorized agent to exercise their right to opt-out; and

(5) A link or the URL to the business’s privacy policy, or the webpage where consumers can access the privacy policy.

Covered businesses that sell Californians’ personal information must provide a clear and conspicuous link on their internet homepage titled, “Do Not Sell My Personal Information”, that enables the consumer to opt-out of the sale of their personal information. The California Attorney General’s office is working on creating a uniform opt-out button or logo that businesses can use.

3 • Notice of Financial Incentive

The purpose of the notice of financial incentive is to explain to the consumer each financial incentive or price or service difference a business may offer in exchange for the retention or sale of a consumer’s personal information, so that the consumer may make an informed decision on whether to participate.

The Notice of Financial Incentive must contain:

(1) A succinct summary of the financial incentive or price or service difference offered;

(2) A description of the material terms of the price incentive, including the categories of personal information that are implicated by the financial incentive or price or service difference;

(3) How the consumer can opt-in to the financial incentive or price or service difference;

(4) Notification of the consumer’s right to withdraw from the financial incentive at any time, and how the consumer may exercise that right; and

(5) An explanation of why the financial incentive or price or service difference is permitted under the CCPA, including:

  • A good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive or price or service difference; and
  • A description of the method the business used to calculate the value of the consumer’s data.

The Notice of Financial Incentive must be available online or at any other physical location where consumers will see it before opting into the financial incentive or price or service difference. If the business offers the financial incentive online, the Notice of Financial Incentive may be given by providing a link to the section of the business’s privacy policy that contains the required information.


Next up: CCPA privacy policies

The transparency train keeps rolling in our next post, where we will discuss the new, numerous, unique and very specific disclosures required for CCPA-compliant privacy policies.

(Spoiler Alert: There is no “one size fits all.”)