A business must provide a description of the personal information it collected in the preceding 12 months, including:
- the categories of personal information it collected about consumers;
- the categories of sources from which the personal information was collected;
- the business or commercial purposes for which the personal information was collected or sold; and
- the categories of third parties with whom the personal information was shared.[2]
Under the Draft Regulations, a business must tie each category of personal information to the relevant sources, purposes, and third parties with whom the data was shared.[3]
If the business sells consumers' personal information or discloses it to third parties for a business purpose, the privacy notice must also include two separate lists of the categories of personal information sold or disclosed about consumers in the preceding 12 months.[4] If the business has not sold or disclosed for a business purpose consumers' personal information in the preceding 12 months, the business must disclose that fact in the privacy notice.[5] Under the Draft Regulations, a business must affirmatively state whether it has 'disclosed or sold any personal information to third parties for a business or commercial purpose in the preceding 12 months'.[6] Regardless of whether a business 'sells' personal information, the Draft Regulations also would require the business to disclose whether it sells the personal information of minors under 16 years of age without affirmative authorisation.[7]
- request that a business provide the consumer with access to and certain details about the consumer's personal information collected by the business;[9]
- request that a business delete any personal information about the consumer that the business has collected from the consumer;[10]
- direct a business not to sell the consumer's personal information; and
- not be discriminated against because the consumer exercises any of the consumer's rights under the law.[11]
Key considerations for businesses
While companies in the US typically draft broad privacy notices to limit the risk of Section 5 liability, the CCPA requires pinpointed disclosures. Crafting these highly specific provisions is not so straightforward, however, given the CCPA's convoluted drafting and the current lack of final implementing regulations. Businesses, therefore, are faced with a number of difficult decisions when drafting privacy policies to comply with the CCPA. These issues are discussed below.
In preparing CCPA-compliant provisions, businesses need to decide whether to incorporate the disclosures into the main body of the existing policy or address them in a separate CCPA-specific section or addendum. There are benefits and drawbacks to each approach.
Should the Draft Regulations be addressed?
Other requirements introduced in the Draft Regulations are more difficult to implement. In particular, the requirement to tie each category of personal information to the relevant sources of the data, purposes of use, and third parties with whom the data was shared, is extremely cumbersome. These obligatory provisions lend themselves to use of a chart format, but such a chart can look awkward and detract from the policy's readability. In addition, many companies undertook significant due diligence in the months following the CCPA's enactment, and those immediate efforts were not designed to elicit information that would allow this type of data matching. Regardless, companies should be prepared to comply with these obligations in the event they remain in the final regulations.
One silver lining that emerged from the Draft Regulations is the concept of providing consumers with a 'meaningful understanding' of the personal information maintained by the business.[26] A stark contrast remains, however, between the prescriptive language of the statute and the requirement to provide a meaningful understanding. Many companies may choose to adhere to the CCPA's literal disclosure requirements rather than try to address the more abstract 'meaningful understanding' principle.
Should consumers be proactively notified of the CCPA revisions?
1. § 1798.130(a)(5), § 135(a)(2) of the California Civil Code ('Cal. Civ. Code').
2. Id. § 1798.110(c).
3. Proposed California Code of Regulations ('Cal. Code Regs.') tit. 11, § 999.308(b)(1)(d)(2).
4. Cal. Civ. Code § 1798.130(a)(5)(C).
6. Proposed Cal. Code Regs. tit. 11, § 999.308(b)(1)(e)(1).
7. Id. § 999.308(b)(1)(e)(3).
8. Cal. Civ. Code § 1798.130(a)(5)(A); § 1798.135(a)(2).
9. Id. §§ 1798.110(a); 1798.115(a).
10. Id. § 1798.105(a).
11. Id. § 1798.125(a)(1).
12. Id. § 1798.130(a)(5)(A).
13. Id. § 1798.135(a)(2).
14. Id. § 1798.115(b)(3).
15. Proposed Cal. Code Regs. tit. 11, § 999.307.
16. Id. §§ 999.308(b)(1)(c); 999.308(b)(2)(c).
17. Id. § 999.308(b)(5)(a).
18. Id. § 999.308(a)(2)(d).
19. Id. § 999.308(b)(6).
20. Id. § 999.308(b)(7).
21. Cal. Civ. Code § 1798.130(a)(5).
22. 15 U.S.C. § 45(a) (2012).
23. Cal. Civ. Code § 1798.130(c).
24. Proposed Cal. Code Regs. tit. 11, § 999.308(b)(6).
25. Id. § 999.308(b)(7).
26. Id. § 999.308(b)(1)(d).