The California Consumer Privacy Act of 2018 (CCPA) gives state residents significant protections in regard to the privacy of their personal information. It was amended by the CPRA, which expanded its requirements.
The CCPA (CPRA) states that businesses are required to have a Notice at Collection to disclose each category of personal information they collect.
- What is a Notice at Collection?
- Where Else Should I Place My Notice at Collection?
- What Businesses Does the CCPA (CPRA) Apply to?
- How is Personal Information Defined in the CCPA (CPRA)?
- Who Has Rights Under the CCPA (CPRA)?
- Liability For Compliance Violations
- Summary
The CCPA (CPRA) requires Privacy Policies to include specific information on consumer privacy rights, but thankfully, complying may be as easy as updating an existing policy to include the necessary provisions.
What is a Notice at Collection?
As mandated by the CCPA (CPRA), a Notice at Collection is a means by which businesses must disclose to consumers what personal information they collect, and how it will be used, shared, and/or sold.
According to California's Attorney General, this is how a notice at collection is defined and what it must include:
Here's an example of a link to this page displayed on T-Mobile's website:
In short, even if your business doesn't sell products or services, but instead engages in the collection, dissemination or sale of consumers' personal information, you must take extra steps to ensure compliance under the CCPA (CPRA).
Yes, and in many respects it's best that it is.
However, if you take this common approach, your Notice at Collection should be clearly marked and easy to find.
In addition, the CCPA (CPRA) requires that Notices at Collection be placed at or before the point at which data is collected.
Notices at Collection must include:
- What types of personal information will be collected
- The purpose(s) of the collection
- The business' sales practices
Since the information must all be made available to consumers, and because most are generally more familiar with Privacy Policies, it's wise to include them together.
Hence, many businesses satisfy this obligation by doing just that.
Hearst goes as far as naming its legal agreement to reflect that it's both the Privacy Notice as well as the Notice at Collection:
Where Else Should I Place My Notice at Collection?
Again, according to the terms of the CCPA (CPRA):
"Business owners must place their Notice at Collection at or before the point where data collection occurs."
If you're a business owner, placing a Notice at Collection link both on your website's homepage and where customers enter their personal information before placing an order would fulfill this requirement redundantly, leaving little room for claims of non-compliance down the road.
For non web-based commerce in brick and mortar stores, Notices at Collection may alternately be included on a printed form used for personal information collection.
For mobile apps, Notices at Collection may be linked to in Settings-type menus within the apps themselves.
Below is a particularly good example of a Notice at Collection from AGCO's website. First, there's a direct link to the Notice at Collection linked to the website footer:
This placement means that the notice will be visible from every page of the website and always available if a customer wants to view it. Once clicked on, the link takes you to a separate website exclusively for the CCPA (CPRA) Notice at Collection:
This might be the most preferred way to display your Notice at Collection, especially if you do a lot of business in California. This is because consumers know to look in website footers for important legal information, including the Notice at Collection.
When it comes to displaying the information within the notice itself, remember to be concise, accurate and make things as easy to understand as possible.
Here's a great example of this, from Banc of California:
The chart format makes the content easy to digest and understand. The bullet lists also help with readability. Even the color differences from one chart row to the next help make things clearer.
Farmers and Merchants Bank even includes examples of information for each category to make it even more clear to consumers what types of personal information might be used by the company:
As with all legal agreements, consider your audience and what will be best received. In this case, that means clear, easy-to-read breakdowns of information.
What Businesses Does the CCPA (CPRA) Apply to?
According to The National Law Review, under the terms of the CCPA (CPRA), a "business" is defined as a "Sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners."
By this definition, not-for-profit and government entities don't fall under its purview, a fact which is confirmed by the office of California's Attorney General.
However, the CCPA (CPRA) does apply to for-profit entities that conduct business with California residents, if the business:
- Has gross annual revenue in excess of $25 million,
- Buys, receives or sells the personal data of at least 100,000 California residents or individual households or devices, or
- Derives more than half of its annual revenue from selling or sharing the personal information of California residents
How is Personal Information Defined in the CCPA (CPRA)?
Personal Information is defined as any information that:
- Relates to a particular person or household, or
- Could reasonably be linked to a particular person or household
Therefore, personal information includes names, Social Security numbers, email addresses, phone numbers, geolocation, biometric data, account numbers and internet browsing history.
It's important to note that public information, like real estate and professional licensing records from local, state and federal governments, isn't considered personal information.
Who Has Rights Under the CCPA (CPRA)?
Only residents of California have rights under the CCPA (CPRA).
A California resident is defined as a natural person (not a corporation or other business entity) who resides in the state, even if they're outside of the state temporarily.
Liability For Compliance Violations
As a business owner, you can't be sued for most CCPA (CPRA) violations.
In the case of a data breach, for example, you can only be sued if the information stolen included unencrypted or unredacted data.
In most cases however, before filing a suit for statutory damages, a party must give you written notice of which CCPA (CPRA) section(s) they claim you've violated.
From that point you'll have 30 days to respond that you've cured the violation(s), if any existed.
In other words, you cannot be sued for statutory damages for a CCPA (CPRA) violation if you've remedied the violation and provided a written statement to that effect.
- Right to Know
- Right to Delete
- Right to Opt-Out of Sale
- Right to Non-Discrimination
The CCPA (CPRA) also requires that businesses give consumers certain information in a Notice at Collection before or at the point where data collection occurs.
This stipulation is usually satisfied by placing a link to the Notice at Collection on a website's homepage, and/or where customers place an order, request services, or enter their personal information.
To recap, a Notice at Collection must list the categories of personal information the business collects and the purposes for which it will be used. Make sure to write out this information in a way that's easy to read and understand. Use charts, bullet points and other formatting techniques to break down blocks of text and large groups of information.
In addition, businesses that sell consumers' personal information must have a "Do Not Sell My Personal Information" page link.