Among the many details to absorb in the draft amendments to the CCPA regulations published by the California Privacy Protection Agency (“CPPA”) on May 27 (the “Draft Regulations”) are new and prescriptive disclosure requirements for notices at collection and privacy policies. While these disclosure provisions (and all of the other provisions of the Draft Regulations) are subject to further changes, it is important that businesses begin to carefully assess these provisions and devise strategies for operationalizing compliance with them, especially since disclosures provide some of the most visible signals of CCPA compliance.
In this post, we summarize the Draft Regulations’ disclosure provisions and outline steps for businesses to consider taking to prepare for these requirements.
New Disclosure Requirements
Citing a CCPA provision that authorizes regulations to ensure that notices and information required under the CCPA are provided to consumers at the appropriate time and in a manner that may be “easily understood by the average consumer,” the Draft Regulations would create new disclosure requirements for any business engaged in the collection of consumers’ personal information.
Notice at Collection
The Draft Regulations, citing a declared purpose in the CPRA of enabling consumers to “exercise meaningful control” over businesses’ use of their information, would require businesses to provide additional details about certain aspects of their information practices at or before the point of collection. These provisions include new requirements governing first parties’ and third parties’ notice at collection disclosures.
- Required Content of a Notice at Collection. Building on existing requirements under the CCPA, the Draft Regulations would require a business to include the following information in its notice at collection:
  - the categories of personal information collected, including sensitive personal information;
  - the purposes for which the categories of personal information are collected and used;
  - whether the categories of personal information listed are sold or shared;
  - the length of time the business intends to retain each category of personal information listed (or the criteria used to determine the retention period);
  - a link to the business’ notice of the right to opt out of the sale/sharing of personal information (or, in the case of an offline notice, where the webpage can be found online);
  - if the business allows third parties to control the collection of personal information on its property, the names of all such third parties or information about their business practices; and
- First and Third Party Disclosures. Based on the view that “more than one business may control the collection of a consumer’s personal information, and thus, have an obligation to provide a notice at collection,” Section 7012(g) of the Draft Regulations would require a business to include in its notice at collection extensive information about third parties that “control” the collection of personal information. In particular, the Draft Regulations provide that if a business owns a physical or digital property from which consumers’ personal information is collected (a “first party”) and allows third parties to control the collection of personal information on its property, the business must include in its notice at collection either (i) the name of all such third parties or (ii) details about such third parties’ “business practices” (which the third parties would be required to provide to the first party). Additionally, the Draft Regulations provide that if a third party collects information from the first party’s physical premises, the third-party business must provide a notice at collection “in a conspicuous manner” at the physical location(s) where it collects the information.
The Draft Regulations would also require businesses to include more granular disclosures in their privacy policies. These requirements include:
- a detailed description of the business’ online and offline information handling practices, including a statement indicating whether the business uses or discloses sensitive personal information for purposes other than those enumerated in Section 7027(l);
- details about the rights consumers have with respect to their personal information under the CCPA, as amended by the CPRA (which we will discuss in a subsequent blog post);
- an explanation of how consumers can exercise their rights and what they can expect from the process, including details about how the business processes opt-out preference signals;
- the business’ consumer rights requests metrics for the previous calendar year (or a link to such information), where applicable.
While the CPPA may revise the Draft Regulations before they are finalized, the direction toward more detail in notices at collection and privacy policies – particularly about third parties – seems clear. Satisfying the notice at collection requirements in the Draft Regulations would likely present significant challenges. While the Draft Regulations provide businesses with some flexibility in terms of how they disclose the presence of third parties on their properties, presenting all of the required information in a clear and meaningful manner to consumers could be difficult. Additionally, the need to disclose extensive information about third parties could interfere with consumers’ online experiences.
To prepare for these potential changes, a valuable step for many businesses would be to take stock of the third-party information collection occurring on their sites and in their apps and to consider how to provide more detailed disclosures to consumers in a concise, intelligible, and easily accessible form.
Stay tuned for additional blog posts in which we will summarize how the Draft Regulations contemplate some of the CPRA’s other amendments to the CCPA.