
California Consumer Privacy Act: “Notice at Collection” and Privacy Policy Requirements

May 21, 2020 | Insights

This alert is the second in our series of Privacy Topics: Practical Guidance from Gunderson Dettmer – a collection of practical privacy and data security guidance and accompanying materials designed to facilitate your company’s compliance efforts. Today’s alert focuses on notices that must be presented to California consumers under the California Consumer Privacy Act (CCPA) as it stands on May 21, 2020. For an overview of the CCPA, including guidance on which companies must comply, click here. Please click here for a questionnaire to help you gather and organize information your attorney will need to create your CCPA-compliant privacy policy.

WHAT NOTICES ARE REQUIRED UNDER THE CCPA?

  • A Notice at Collection, which must be given to consumers at or before collecting their personal information.
  • A Privacy Policy that discloses specific information about the company’s collection, use, sharing and sale of personal information.

NOTICE AT COLLECTION

When and how should the Notice at Collection be presented to consumers?

  • At or Before First Collection: The purpose of the notice is to provide timely information to consumers, so it must be presented to the consumer at or before the first time your company collects that consumer’s personal information. Since personal information includes IP addresses and online identifiers, you likely will need to present this notice in a banner or via a conspicuous link that appears when a visitor first arrives at your website. If you currently provide a cookie banner on your website, you will likely want to incorporate your Notice at Collection into that banner.
  • Prior to Collecting Personal Information that Would Not Be Reasonably Expected: If you collect personal information that a consumer is unlikely to reasonably expect, then you also need to provide notice at that time. For example, if your service isn’t location-dependent but your mobile app collects location information, then you should provide conspicuous notice before collecting the location data (and note that other applicable laws and regulations may already require such notices).
  • In a Prominent and Accessible Manner: The Notice at Collection must be shown in a prominent way using a format that draws the consumer’s attention to it. It also must be readable, including on smaller screens, if applicable, and reasonably accessible to consumers with disabilities.
  • Examples of a Compliant Notice at Collection:
    • The March 11, 2020 CA Attorney General’s draft implementing regulations (“March Draft Regulations”) provide examples of how companies can satisfy the Notice at Collection requirement, including:
      • For websites, posting a conspicuous link to the notice on the introductory page of the company website and on all webpages where personal information is collected.
      • For mobile applications, providing a link to the notice on the mobile application’s download page and within the application, such as through the application’s settings menu.
      • For telephone or in-person collection, providing the notice orally.
    • Most companies will meet the Notice at Collection requirement by posting a banner that includes a link to the company’s CCPA-compliant privacy policy.

What information is required in the Notice at Collection?

  • The Notice at Collection Must Include:
    • the categories of personal information the company collects;
    • the purposes for which such personal information will be used;
    • a link to the company’s online privacy policy; and
    • if the company sells personal information, the link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info.”
  • More Limited Notice Option: Per the March Draft Regulations, a company can meet the Notice at Collection requirement by linking to its privacy policy, provided that the privacy policy is CCPA-compliant and contains the required information listed above. The link should take consumers directly to the section of the privacy policy that describes the categories of personal information collected by the company.

PRIVACY POLICY

What are the CCPA’s Privacy Policy requirements?

For most companies, a CCPA-compliant privacy policy will be created by updating their current privacy policy with more granular disclosures around the categories and types of personal information collected, the sources of that information and the company’s use and sharing of such information. Note that if a company does not include the required disclosures in its privacy policy, it may need to obtain explicit consent from the consumer if it wants to use personal information for a materially different purpose than was initially disclosed to the consumer.

Please click here for a questionnaire to help you gather the required information and organize it in a way that enables your Gunderson Dettmer attorney to update your privacy policy for CCPA. This is intended to be a helpful tool for the creation of a CCPA-compliant privacy policy, but it does not replace the need for a comprehensive inventory of your data collection, use and sharing practices as part of your data privacy compliance program.

What information does a CCPA-compliant privacy policy include?

A CCPA-compliant privacy policy must be clear and easy for consumers to understand using plain, straightforward language and avoiding technical or legal jargon. It must include at least the following information:

  • Specific Information About the Personal Information that a Company Collects, Uses, Shares and Sells:
    • The categories of personal information the company has collected about consumers in the preceding 12 months. This information needs to be presented in a way that makes the categories easy to understand. Including examples of each category is helpful.
      • Example: “Contact information you provide to us when you create an account, such as your email address.”
    • The categories of sources from which you collect personal information.
      • Example: “Social Networks – if you log into our Services using credentials from one of your social media accounts, information from your social media account may be shared with us.”
    • The business or commercial purpose for collecting the personal information. As noted above, it is important to make sure that this list of purposes is comprehensive, since any use for a materially different purpose requires explicit consent (even if consent wasn’t required for processing that information in the first place).
      • Example: “We use your personal information to respond to correspondence that we receive from you. We also use it to contact you when necessary or requested, and to send you information about the Services.”
    • The categories of personal information that you have shared with third parties for a business purpose (meaning that the third party may only use the personal information to provide services back to you). This must be disclosed on a category-by-category basis with respect to each category of personal information collected.
    • The categories of personal information that the company has sold to third parties (in exchange for money or anything else of value). This must also be disclosed on a category-by-category basis with respect to each category of personal information collected.
    • For each category of personal information collected, the categories of third parties that the company shared the personal information with.
      • Example: If the category of personal information collected is “billing information,” then the privacy policy might state: “We share billing information with third party payment processors that process transactions on our behalf.”
  • An Explanation of a Consumer’s Rights Under the CCPA: The CCPA grants California consumers certain rights over their personal information, including: the right to know what personal information a company collected about that consumer; the right to request that a company delete all personal information about that consumer; the right to not be discriminated against for exercising privacy rights; and the right to opt out of the sale of their personal information by that company. The privacy policy must describe these rights and provide information on how consumers may exercise them, including contact information for the company. Please look out for a future Gunderson Dettmer Privacy Topics alert for more on this subject.
  • Other Information: The date the privacy policy was last updated, contact information for more information, an explanation stating how consumers can use authorized agents to exercise their rights and specific information about the collection and sale of personal information from minors.