CCPA Week Series 2

Last week, the California AG’s office released proposed regulations implementing key provisions of the CCPA (“CCPA Regulations”). In Issue 1, we provided an overview of the themes addressed by the regulations. This Issue 2 explains the requirements of the four types of privacy notices: notice at the point of personal information collection; notice of the right to opt-out; notice of financial incentive; and privacy policy.

Notice at the Point of Personal Information Collection

One well-recognized privacy transparency best practice is telling people at the time that personal information is collected from them, whether online, via a mobile device, over the phone, or in a public place, of what personal information is collected from them and how it will be used and shared. The U.S. Federal Trade Commission (FTC) has described these as “just in time” notices, also known as “contextual notice” or point of “contact notice.” The CCPA Regulations adopt this standard and similar concepts, such as making it easy to read and understand, similar to privacy notice requirements under GDPR, and making it clear, accessible, and set apart from other information presented to a consumer at the same time. The CCPA Regulations prescribe specific information that must be included in this Point of Collection Notice:

  • A list of the categories of personal information collected
  • The business or commercial purposes for which it will be used
  • If the business sells personal information, a link to (or the URL for) the online form where consumers can submit requests to opt-out of the sale of their personal information
  • A link to (or the URL for) the business’s privacy policy

The point of collection notice requirements apply to businesses that collect personal information directly from consumers. If those businesses desire to use the personal information they have collected for a purpose not described in the point of collection notice, they must inform those consumers of their intent and obtain explicit consent from them in order to use the personal information for those secondary purposes. Businesses that do not collect personal information directly from consumers, but rather receive it from a third party source, must either obtain confirmation and an attestation from the source of the data that proper point of collection notice was provided, or comply with the notice of the right to opt-out requirements described below.  

Notice of the Right to Opt-Out

CCPA and the CCPA Regulations introduce a novel form of privacy notice to address the right to opt out of the sale of personal information. While Nevada law provides for a similar right, it does not prescribe the same form of privacy notice.  

The CCPA regulations pertaining to the “Do Not Sell” provision of the CCPA were issued in order to clarify the rules and logistics of complying with the opt-out right regarding the form, content, and how to inform consumers of this right via posting of such notice. Data brokers (i.e. businesses that collect and sell its consumers’ personal information to third parties) are required to provide the opt-out notice in “plain, straightforward language,” in a place that would be noticeable by the consumer, in the languages in which the business operates, and accessible to consumers with a disability. These requirements apply to both businesses that operate primarily via website with its consumers, and businesses that substantially interact with its consumers offline.

Specifically, web-based businesses are required to have a “Do Not Sell My Personal Information” link on their homepage, which, after clicking through, should have either the opt-out notice on that landing page, or a link to the business’s overall privacy policy that would contain the same information. The regulations require that businesses:

  • explain the Do Not Sell opt-out right; 
  • provide an online form for consumers to submit and exercise this opt-out right; 
  • provide any other instructions on how a consumer can exercise their opt-out right, including information on how a consumer may exercise this right via an authorized agent; and 
  • provide a link to the business’s privacy policy.   

The regulations also go as far as to suggest the use of a recommended uniform opt-out button or opt-out logo to be used in conjunction with the posting of the opt-out notice. The latest version of the regulations, however, has reserved this matter subject to subsequent modification and to be available for public comment.

Finally, for businesses that operate or interact with their consumers substantially offline, the new regulations still obligate those businesses to provide the Do Not Sell opt-out notice via an offline method that ensure that consumers are aware of this Do Not Sell right. 

Notably, the relevant portions of the CCPA are silent regarding the obligations for businesses that do not sell their consumers’ personal information. The new regulations, however, do impose new obligations for these exempt businesses. Exempt businesses do not need to provide the Do Not Sell opt-out notice, but are still required to affirmatively state in its privacy policy that “it does not and will not sell personal information.” For more information see. § 999.306. 

Notice of Financial Incentive

As a threshold matter, the CCPA makes explicit that businesses may not discriminate against consumers for exercising their rights under the CCPA. Measures businesses are prohibited from taking against consumers include: 

  • denying goods or services; 
  • charging different prices/rates; 
  • providing different levels or quality of goods or services; and 
  • suggesting to the consumer any of the foregoing could occur.  Cal. Civ. Code § 1798.125. 

The CCPA, however, does not completely foreclose all opportunities to incentivize consumers to consent to providing their personal information to businesses that rely on and value such data.  The exception to the above prohibitions permits businesses to charge a different rate/price or provide a different level/quality of services and goods, where a business can demonstrate that the difference is reasonably related to the value provided to the business by the consumer’ data.

Moreover, the CCPA goes one step further and permits businesses to offer a financial incentive to consumers for the use of their personal information. In addition to direct payments businesses can offer consumers for their personal information, the CCPA points out that financial incentives also include the offering of different price, rate, quality, and level of service or goods. The one caveat is that the difference in price, rate, quality, and level must be directly related to the value the business derives from the consumer’s information.  

In support of the CCPA requirements related to financial incentives, the CCPA Regulations prescribe specific requirements for the Notice of Financial Incentive:

  • It should provide meaningful information that enables a consumer to make an informed decision regarding whether to participate in each financial incentive or price or service difference the business may offer in exchange for the sale or retention of a consumer’s personal information;
  • It must be easy to read and understand, similar to the point of collection notice requirements, and be clear, accessible, and set apart from other information presented to a consumer at the same time;
  • It must include the following information:
    • A brief summary of the financial incentive offered;
    • The material terms and affected categories of personal information;
    • How to opt-in and opt-out; and
    • An explanation of why the financial incentive is permitted under the CCPA.

As described in the notice requirements, the CCPA Regulations also make clear that businesses offering a financial incentive for use of a consumer’s data must obtain opt-in consent by the consumer, and inform the consumer that consent can be revoked freely at any time, and the mechanism by which the consumer may opt-in and opt-out. Finally, while not enumerated in the CCPA, the regulations clarify that the notice of financial incentive must also provide an explanation about how the CCPA permits financial incentives, and a “good faith” estimate and description of the calculation of the value of the consumer’s data forming the basis of the financial incentive program.  

Privacy Policy

The CCPA Regulations set forth the rules and procedures that businesses subject to the CCPA must follow regarding the privacy policies required under California Civil Code section 1798.130, subdivision (a)(5). The regulations clarify that the privacy policy is the statement that a business must make available to consumers describing the business’s practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their own personal information. Although the CCPA refers to an “online privacy policy,”  the regulations stress that the privacy policy must cover the business’s privacy practices, both online and offline. If the business has a website, it has to post the privacy policy online through a conspicuous link using the word “privacy.” For businesses that do not have a website, they have to otherwise make the privacy policy “conspicuously available” to consumers. 

As one of the measures a business must take to render the privacy policy easy to read and understandable to consumers, the regulations require, among other things, that the privacy policy: 

  • use plain, straightforward language, 
  • avoid technical or legal jargon, 
  • be accessible to consumers with disabilities, and 
  • be in a format that permits the policy to be printed out by the consumer.

Further, the privacy policy must include information relating to: 

  1. the consumer’s right to know about their personal information collected, disclosed, or sold (including, for example, to (a) list the categories of personal information collected during the past 12 months and for each category, provide the categories of sources from which that information was collected, the business or commercial purpose(s) for which the information was collected, and the categories of third parties with whom the business shares personal information), and to (b) state whether the business has disclosed or sold any personal information for a business or commercial purpose to a third party within the past 12 months, and if so, list the categories of such information), 
  2. the consumer’s right to request deletion of their personal information, 
  3. the consumer’s right to opt-out of the sale of their personal information, 
  4. the consumer’s right to non-discrimination for the exercise of their privacy rights, 
  5. the consumer’s right to designate an authorized agent to make a request under the CCPA on their behalf, 
  6. a person the consumer can contact for more information, and 
  7. the date the privacy policy was last updated, in order to assure the consumer that the privacy policy has been updated within the preceding 12 months, as required by the CCPA. 

Finally, an eighth informational item applies only to a business that (alone or in a combination) annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 4,000,000 or more consumers. A business in this category must provide metrics in its privacy policy on the number of opt-out, deletion and right to know requests the business received, complied with in whole or in part and denied during the previous calendar year, and the median number of days within which the business substantively responded to requests to these requests. The regulations describe these eight informational items in more detail, pulling together requirements from a number of CCPA provisions, but note that they are not meant to prescribe the organization of any business’s privacy policy. 

The regulations clarify that the privacy policy does not need to be personalized for each consumer and should not contain specific pieces of consumers’ personal information.

To learn more, register for the upcoming October 16th webinar “Update Your CCPA Plan with Practical Insights into the Proposed Regulations, 2019 Amendments to the Law, and More.” 

This update was provided by the TrustArc Privacy Intelligence News and Insights Service, part of the TrustArc Platform.

Share This

Share this post with your friends!