Satisfying the CCPA/CPRA's "Notice at Collection" Requirement With Your Privacy Policy

The California Consumer Privacy Act of 2018 (CCPA) gives state residents significant protections in regard to the privacy of their personal information. It was amended by the CPRA, which expanded its requirements.

The CCPA (CPRA) states that businesses are required to have a Notice at Collection to disclose each category of personal information they collect.

Below we'll take a look at what a Notice at Collection is, and how businesses can comply with this CCPA (CPRA) requirement using their Privacy Policy.

What is a Privacy Policy?

A Privacy Policy is a written statement detailing a company's practices for collecting, using, sharing, and selling consumers' personal data, both on and offline.

The CCPA (CPRA) requires Privacy Policies to include specific information on consumer privacy rights, but thankfully, complying may be as easy as updating an existing policy to include the necessary provisions.

What is a Notice at Collection?

As mandated by the CCPA (CPRA), a Notice at Collection is a means by which businesses must disclose to consumers what personal information they collect, and how it will be used, shared, and/or sold.

According to California's Attorney General, this is how a notice at collection is defined and what it must include:

California Office of the Attorney General: CCPA - Required Notices - What is a notice at collection section

The Act also states that businesses selling consumers' personal information must include in their Notice at Collection a link to a "Do Not Sell My Personal Information" page, and that the notice must also contain a separate link to the Privacy Policy, where visitors can view it in its entirety.

Here's an example of a link to this page displayed on T-Mobile's website:

T-Mobile website footer with Do Not Sell My Personal Information link highlighted

In short, even if your business doesn't sell products or services, if it engages in the collection, dissemination or sale of consumers' personal information, you must take extra steps to ensure compliance with the CCPA (CPRA).

Can a Notice at Collection be Within a Privacy Policy?

Yes, and in many respects it's best that it is.

In fact, the CCPA (CPRA) regulations specifically recognize the practice as acceptable for online transactions and collections, by stating that "the notice at collection may be given to the consumer by providing a link to the section of the business's privacy policy that contains the information required."

However, if you take this common approach, your Notice at Collection should be clearly marked and easy to find.

In addition, the CCPA (CPRA) requires that a Notice at Collection be placed at or before the point at which data is collected.

A Notice at Collection must include:

  • What types of personal information will be collected
  • The purpose(s) of the collection
  • The business' sales practices
  • Where the business' Privacy Policy can be found

Since all of this information must be made available to consumers, and because most consumers are more familiar with Privacy Policies, it's wise to present the two together.

Hence, many businesses satisfy this obligation by doing just that.

Hearst goes as far as naming its legal agreement to reflect that it's both the Privacy Notice as well as the Notice at Collection:

Hearst Privacy Notice and Notice at Collection agreement title

You can include a section in your Privacy Policy that notes the Notice at Collection requirement and provides further information, as well as the CCPA/CPRA's requirement that you include the notice.

In the second paragraph of The Hartford's Privacy Policy, it includes a section about the CCPA (CPRA) Notice and what its purpose is:

The Hartford CCPA Privacy Policy and Notice at the Time of Collection: Notice of Collection clause

This is a great way to incorporate the Notice into a standard Privacy Policy so that it's noticeable early in the policy. Consumers will then know that the rest of the document serves, in essence, as the required details of a Notice at Collection.

While you can place it in your Privacy Policy as seen above, it isn't your only option. Let's take a look at more ways to display your notice.

Where Else Should I Place My Notice at Collection?

Again, according to the terms of the CCPA (CPRA):

"Business owners must place their Notice at Collection at or before the point where data collection occurs."

If you're a business owner, placing a Notice at Collection link on your website's homepage and at the point where customers enter their personal information before placing an order would fulfill this requirement with some redundancy, leaving little room for claims of non-compliance down the road.

For non-web-based commerce in brick-and-mortar stores, a Notice at Collection may instead be included on the printed form used to collect personal information.

For mobile apps, a Notice at Collection may be linked to from a Settings-type menu within the app itself.

Below is a particularly good example of a Notice at Collection from AGCO's website. First, there's a direct link to the Notice at Collection in the website footer:

AGCO website footer with California Notice at Collection link highlighted

This placement means that the notice will be visible from every page of the website and always available if a customer wants to view it. Once clicked on, the link takes you to a separate website exclusively for the CCPA (CPRA) Notice at Collection:

AGCO CCPA Notice at Collection

In large, bold, red capital letters at the top of the page, and highlighted in red just to the left of the main text, AGCO has chosen to place its CCPA Notice at Collection in plain view instead of burying it inside its Privacy Policy.

This may be the preferable way to display your Notice at Collection, especially if you do a lot of business in California, because consumers know to look in website footers for important legal information, including the Notice at Collection.

While all of the information will be in your Privacy Policy, some consumers may assume that you don't have a Notice at Collection if there is no link to it in your footer. This will become more likely as more businesses use separate web pages for their notices and consumers become used to seeing these notice links.

Ideally, the best approach is a combination: a separate link to a dedicated webpage for your Notice at Collection, with the notice details also included in your Privacy Policy.

When it comes to displaying the information within the notice itself, remember to be concise, accurate and make things as easy to understand as possible.

Here's a great example of this, from Banc of California:

Banc of California Notice at Collection chart excerpt

The chart format makes the content easy to digest and understand. The bullet lists also help with readability. Even the alternating colors from one chart row to the next make things clearer.

Farmers and Merchants Bank even includes examples for each category, making it clearer to consumers what types of personal information the company might use:

Farmers and Merchants Bank: CCPA Notice at Collection chart excerpt with Examples highlighted

As with all legal agreements, consider your audience and what will be most well-received. In this case, it's clear, easy-to-read breakdowns of information.

What Businesses Does the CCPA (CPRA) Apply to?

According to The National Law Review, under the terms of the CCPA (CPRA), a "business" is defined as a "Sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners."

By this definition, not-for-profit and government entities don't fall under its purview, a fact which is confirmed by the office of California's Attorney General.

However, the CCPA (CPRA) does apply to for-profit entities that conduct business with California residents, if the business:

  • Has gross annual revenue in excess of $25 million,
  • Buys, receives or sells the personal data of at least 100,000 California residents or individual households or devices, or
  • Derives more than half of its annual revenue from selling or sharing the personal information of California residents

How is Personal Information Defined in the CCPA (CPRA)?

Personal Information is defined as any information that:

  • Identifies,
  • Relates to, or
  • Could reasonably be linked to a particular person or household

Therefore, personal information includes names, Social Security numbers, email addresses, phone numbers, geolocation, biometric data, account numbers and internet browsing history.

It's important to note that public information, like real estate and professional licensing records from local, state and federal governments, isn't considered personal information.

Who Has Rights Under the CCPA (CPRA)?

Only residents of California have rights under the CCPA (CPRA).

A California resident is defined as a natural person (not a corporation or other business entity) who resides in the state, even if they're outside of the state temporarily.

Liability For Compliance Violations

As a business owner, you can't be sued for most CCPA (CPRA) violations.

In the case of a data breach, for example, you can only be sued if the information stolen included unencrypted or unredacted data.

In most cases, however, before filing a suit for statutory damages, a party must give you written notice of which CCPA (CPRA) section(s) they claim you've violated.

From that point you'll have 30 days to respond that you've cured the violation(s), if any existed.

In other words, you cannot be sued for statutory damages for a CCPA (CPRA) violation if you've remedied the violation and provided a written statement to that effect.

Summary

A Privacy Policy is a written statement by which a business gives customers a broad picture of its online and offline practices for the collection of personal information, and should include the following sections:

  • Right to Know
  • Right to Delete
  • Right to Opt-Out of Sale
  • Right to Non-Discrimination

The CCPA (CPRA) also requires that businesses give consumers certain information in a Notice at Collection before or at the point where data collection occurs.

This stipulation is usually satisfied by placing a link to the Notice at Collection on a website's homepage, and/or where customers place an order, request services, or enter their personal information.

Some businesses include the notice information within a Privacy Policy instead of on a separately linked web page. However, the best approach is to provide both: a separate link to a webpage dedicated exclusively to the Notice at Collection, and a note about the notice within the Privacy Policy.

To recap, a Notice at Collection must list the categories of personal information the business collects and the purposes for which it will be used. Make sure to write out this information in a way that's easy to read and understand. Use charts, bullet points and other formatting techniques to break down blocks of text and large groups of information.

In addition, businesses that sell consumers' personal information must have a "Do Not Sell My Personal Information" page link.

Remember too, that the notice must also contain a link to the business' Privacy Policy where consumers can get a complete description of their rights and the business' practices regarding collecting, sharing and selling personal information.