California: Privacy Notices under the CCPA spotlight
Transparency is considered to be one of the most fundamental aspects of the California Consumer Privacy Act (CCPA). The new regulation, due to come into effect in January 2020, introduces vital new consumer rights, as well as strict obligations for businesses to disclose their data gathering operations.
Once the CCPA becomes law, there will be increased scrutiny of privacy notices - with a particular focus on the details of a business’s data collection and processing practices.
California’s new law is considered to be the most comprehensive privacy law in the U.S. It sets a higher standard in consumer privacy regulation, driven by California residents’ deepening concerns over the collection and use of personal information by the tech industry.
California residents’ rights
Under the CPA, California residents are granted the following rights:
Right to know, at or prior to collection, the purpose of collection and the categories of personal information collected
Right to request certain additional information, including specific pieces of personal information collected
Right to request deletion of their personal information in certain instances and subject to several exceptions
Right to know whether their personal information is sold or disclosed and to whom
Right to say no to the sale of personal information
Right to equal service and price, even if they exercise their privacy rights
Affected organizations are legally obliged to notify consumers of their rights, and they cannot discriminate against a consumer, for exercising their rights.
The CCPA gives the above consumer rights in respect to the personal information businesses collect and/or sell about them. Personal information is broadly defined as follows;
information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Subject to the above definition, personal information includes (but is not limited to) the following:
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
Characteristics of protected classifications under California or federal law
Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement
Audio, electronic, visual, thermal, olfactory, or similar information
Professional or employment-related information
Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
The above list represents the CCPA’s designated categories of personal information.
CCPA requirements for Privacy Notices
The CCPA requires effected companies to comply with transparency rules, by disclosure or notice in three settings:
at or before the point of disclosure;
in response to a “verifiable consumer request,”; and,
specifically, on a company’s website.
Many businesses already have a privacy notice that may partially comply with the law. However, most companies will need to adapt existing procedures and policies, represented in their privacy notice to ensure compliance.
As mentioned above, the CCPA requires notice of data collection and processing in two situations. These are; “at or before the point of collection”, and “upon receipt of a verifiable consumer request.”
Disclosure “at or before the point of collection” requires that disclosure be made in your privacy notice.
(Disclosure when responding to a “verifiable consumer request” is outside of the scope of this article.)
Your privacy notice must include:
The categories of personal information being collected.
When disclosing the types of personal data you collect, these should align with the CCPA’s designated categories of personal information.
The purpose for the use of such data.
The consumer’s right to ask for deletion of their personal information.
If your business has sold personal information about consumers:
A list of the categories of personal information about consumers it has sold in the preceding 12 months that most closely describe the personal information sold.
If your business has not sold personal information about consumers:
Disclose this fact.
If your business has disclosed personal information about consumers:
A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months that most closely describe the personal information disclosed.
If your business has not disclosed personal information about consumers.
The CCPA represents a landmark privacy bill in the U.S. and will have a wide-ranging impact on companies conducting business in the state of California. The need to be fully prepared in time for January 2020 and able to respond to the new rights afforded to consumers is vital.
There is little doubt that privacy professionals will continue to grapple with the requirements imposed by the CCPA over the course of the next 6-12 months. Internal processes will need to be re-engineered to respond to consumer requests, and many updates to website content will be required. Some of the CCPA’s requirements will be onerous for businesses. However, other aspects such as the new disclosure requirements may not be too far away from current practices.