Notice at the Point of Personal Information Collection
One well-recognized privacy transparency best practice is telling people, at the time personal information is collected from them (whether online, via a mobile device, over the phone, or in a public place), what personal information is collected and how it will be used and shared. The U.S. Federal Trade Commission (FTC) has described these as “just in time” notices, also known as “contextual notice” or “point of contact notice.” The CCPA Regulations adopt this standard and similar concepts, such as making the notice easy to read and understand, similar to privacy notice requirements under GDPR, and making it clear, accessible, and set apart from other information presented to a consumer at the same time. The CCPA Regulations prescribe specific information that must be included in this Point of Collection Notice:
- A list of the categories of personal information collected
- The business or commercial purposes for which it will be used
- If the business sells personal information, a link to (or the URL for) the online form where consumers can submit requests to opt-out of the sale of their personal information
The point of collection notice requirements apply to businesses that collect personal information directly from consumers. If those businesses desire to use the personal information they have collected for a purpose not described in the point of collection notice, they must inform those consumers of their intent and obtain explicit consent from them in order to use the personal information for those secondary purposes. Businesses that do not collect personal information directly from consumers, but rather receive it from a third-party source, must either obtain confirmation and an attestation from the source of the data that proper point of collection notice was provided, or comply with the notice of the right to opt-out requirements described below.
Notice of the Right to Opt-Out
CCPA and the CCPA Regulations introduce a novel form of privacy notice to address the right to opt out of the sale of personal information. While Nevada law provides for a similar right, it does not prescribe the same form of privacy notice.
The CCPA regulations pertaining to the “Do Not Sell” provision of the CCPA were issued in order to clarify the rules and logistics of complying with the opt-out right, including the form and content of the notice and how to inform consumers of this right by posting such notice. Data brokers (i.e. businesses that collect and sell their consumers’ personal information to third parties) are required to provide the opt-out notice in “plain, straightforward language,” in a place that would be noticeable by the consumer, in the languages in which the business operates, and accessible to consumers with a disability. These requirements apply both to businesses that operate primarily via website with their consumers and to businesses that substantially interact with their consumers offline.
- explain the Do Not Sell opt-out right;
- provide an online form for consumers to submit and exercise this opt-out right;
- provide any other instructions on how a consumer can exercise their opt-out right, including information on how a consumer may exercise this right via an authorized agent; and
The regulations also go as far as to suggest the use of a recommended uniform opt-out button or opt-out logo to be used in conjunction with the posting of the opt-out notice. The latest version of the regulations, however, has reserved this matter subject to subsequent modification and to be available for public comment.
Finally, for businesses that operate or interact with their consumers substantially offline, the new regulations still obligate those businesses to provide the Do Not Sell opt-out notice via an offline method that ensures that consumers are aware of this Do Not Sell right.
Notice of Financial Incentive
As a threshold matter, the CCPA makes explicit that businesses may not discriminate against consumers for exercising their rights under the CCPA. Measures businesses are prohibited from taking against consumers include:
- denying goods or services;
- charging different prices/rates;
- providing different levels or quality of goods or services; and
- suggesting to the consumer any of the foregoing could occur. Cal. Civ. Code § 1798.125.
The CCPA, however, does not completely foreclose all opportunities to incentivize consumers to consent to providing their personal information to businesses that rely on and value such data. The exception to the above prohibitions permits businesses to charge a different rate/price or provide a different level/quality of services and goods, where a business can demonstrate that the difference is reasonably related to the value provided to the business by the consumer’s data.
Moreover, the CCPA goes one step further and permits businesses to offer a financial incentive to consumers for the use of their personal information. In addition to direct payments businesses can offer consumers for their personal information, the CCPA points out that financial incentives also include the offering of different price, rate, quality, and level of service or goods. The one caveat is that the difference in price, rate, quality, and level must be directly related to the value the business derives from the consumer’s information.
In support of the CCPA requirements related to financial incentives, the CCPA Regulations prescribe specific requirements for the Notice of Financial Incentive:
- It should provide meaningful information that enables a consumer to make an informed decision regarding whether to participate in each financial incentive or price or service difference the business may offer in exchange for the sale or retention of a consumer’s personal information;
- It must be easy to read and understand, similar to the point of collection notice requirements, and be clear, accessible, and set apart from other information presented to a consumer at the same time;
- It must include the following information:
- A brief summary of the financial incentive offered;
- The material terms and affected categories of personal information;
- How to opt-in and opt-out; and
- An explanation of why the financial incentive is permitted under the CCPA.
As described in the notice requirements, the CCPA Regulations also make clear that businesses offering a financial incentive for use of a consumer’s data must obtain opt-in consent from the consumer, and must inform the consumer that consent can be revoked freely at any time and of the mechanism by which the consumer may opt-in and opt-out. Finally, while not enumerated in the CCPA, the regulations clarify that the notice of financial incentive must also provide an explanation about how the CCPA permits financial incentives, and a “good faith” estimate and description of the calculation of the value of the consumer’s data forming the basis of the financial incentive program.
- use plain, straightforward language,
- avoid technical or legal jargon,
- be accessible to consumers with disabilities, and
- be in a format that permits the policy to be printed out by the consumer.
- the consumer’s right to know about their personal information collected, disclosed, or sold (including, for example, to (a) list the categories of personal information collected during the past 12 months and for each category, provide the categories of sources from which that information was collected, the business or commercial purpose(s) for which the information was collected, and the categories of third parties with whom the business shares personal information, and to (b) state whether the business has disclosed or sold any personal information for a business or commercial purpose to a third party within the past 12 months, and if so, list the categories of such information),
- the consumer’s right to request deletion of their personal information,
- the consumer’s right to opt-out of the sale of their personal information,
- the consumer’s right to non-discrimination for the exercise of their privacy rights,
- the consumer’s right to designate an authorized agent to make a request under the CCPA on their behalf,
- a person the consumer can contact for more information, and
To learn more, register for the upcoming October 16th webinar “Update Your CCPA Plan with Practical Insights into the Proposed Regulations, 2019 Amendments to the Law, and More.”
This update was provided by the TrustArc Privacy Intelligence News and Insights Service, part of the TrustArc Platform.