The the world’s fifth largest economy) or collect the personal information of California’s 40 million residents. Among other things, the CCPA guarantees Californians the rights: to know what personal information is being collected about them; to know whether their personal information is sold or disclosed and to whom; and to access their personal information. These rights create significant operational responsibilities for businesses falling into the law’s scope.
This second installment in a five-part series exploring the operational impacts of the CCPA addresses the law’s transparency and notice obligations.
The CCPA creates specific transparency obligations relating to collected and sold personal information. In particular, a business must disclose in its online privacy notice, and in any California-specific description of consumers’ privacy rights (or, if the business does not actually have a privacy notice, it still has to put the information somewhere on its web site), the following, pursuant to Sections 1798.130(a)(5)(A) and 1798.105(b):
- A description of consumers’ rights under Section 1798.110 to request:
- The categories of personal information the business has collected about the consumer.
- The categories of sources from which the personal information is collected.
- The business or commercial purpose of collecting or selling personal information.
- The categories of third parties with whom the business shares personal information.
- The specific pieces of personal information the business has collected about the consumer.
- A description of consumers’ rights under Section 1798.115 to request:
- The categories of personal information that business collected about the consumer.
- The categories of personal information that the business sold about the consumer.
- The categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold.
- The categories of personal information about the consumer that the business disclosed for a business purpose.
- A description of consumers’ rights under Section 1798.125 not to be discriminated against for exercising any the CCPA rights.
- One or more designated means for consumers to submit requests, including (at minimum) a toll-free number.
- The right to deletion of personal information.
Section 1798.130(a)(5)(A) does not make it clear whether businesses that collect but do not sell consumers’ personal information must nonetheless include a description of consumers’ rights vis-à-vis sellers of personal information. Absent guidance on the matter from the California Attorney General, non-sellers updating their privacy policies should likely err on the side of inclusion.
Collectors of personal information
The CCPA defines “collectors” and “sellers” of consumers’ personal information in Sections 1798.140(e) and (t)(1). While not all “collectors” are “sellers,” a seller is most likely a collector. The CCPA applies the obligations outlined below to all businesses that collect personal information. These provisions often reference one another and can occasionally be written in a confusing or contradictory fashion; we’ve tried to break down what the statute requires, with the understanding that any or all provisions referenced may be subject to amendment or clarification before January 1, 2020.
Section 1798.100(b) requires a business that collects a consumer’s information to, “at or before the point of collection”:
- Inform consumers of the categories of personal information to be collected.
- Inform consumers of the purposes for which the categories of personal information shall be used.
- Provide notice of the collection of any additional categories of information or use of collected information for any additional purposes taking place after initial disclosures have been made.
Section 1798.105(b) requires any business collecting personal information about consumers to “disclose … the consumer’s rights to request deletion of the consumer’s personal information.” Operationally, businesses should make sure that disclosures of this right to request deletion also include its limitations, set forth in Section 1798.105(d). Those limitations consist of nine enumerated exemptions.
Section 1798.110(c) requires, “pursuant to Section 1798.130(a)(5)(B),” that a business that collects personal information about a consumer disclose:
- The categories of personal information it has collected about the consumer.
- The categories of sources from which the personal information is collected.
- The business or commercial purpose of collecting or selling personal information.
- The categories of third parties with whom the business shares personal information.
- The specific pieces of personal information the business has collected about the consumer.
Section 1798.110(c) is identical to Section 1798.110(a), which describes consumers’ right to request information, with the addition of a reference to Section 1798.130(a)(5)(B), which clarifies that “the list of categories of personal information” that must be disclosed means categories of personal information collected by the business about consumers in the preceding 12 months, “by reference to the enumerated category or categories in subdivision (c) of Section 1798.130 that most closely describe the personal information collected.” Section 1798.130(c) likely refers to Section 1798.140’s definition of personal information, which includes 11 enumerated subcategories.
Categories of personal information will be discussed further in part three of this series.
All disclosures must be “in a form that is reasonably accessible to consumers” and updated “at least once every 12 months.” The use of the word “and” in Section 1798.130(a) may require identical disclosures in multiple written policies. Aside from the specific disclosures discussed above that must be included in a business’ online privacy policy or California-specific description of rights, the statute is silent on the specifics of how disclosures must take place.
Transfers to third parties
Some businesses, in addition to acquiring information from or about consumers, also transmit that information onward. Businesses that sell personal information about consumers or disclose it “for a business purpose” are a subcategory of businesses that collect personal information and have additional disclosure obligations. Per Section 1798.115(c) and Section 1798.130(a)(5)(C) these businesses must release two specific lists:
- The category or categories of personal information sold in the last 12 months, or if information has not been sold in the preceding 12 months, that fact.
- The category or categories of personal information disclosed for a business purpose in the last 12 months, or if no such disclosure has occurred in the preceding 12 months, that fact.
Businesses that sell consumer information to third parties are further obligated, per Section 1798.120(b), to disclose that:
- Consumer information may be sold.
- Consumers have the right to opt out of the sale of their personal information.
Section 1798.135 adds that businesses who sell personal information must disclose the above information in a form readily accessible to consumers, and:
- Provide a “clear and conspicuous” link on the business’ homepage, titled “Do Not Sell My Personal Information.”
- Not require the creation of an account in order to direct a business not to sell a consumer’s personal information.
- Include a description of a consumer’s rights under Section 1798.120, and a separate link to the “Do Not Sell My Personal Information” page, in:
- Its online privacy policy or policies, if the business maintains them.
- Any California-specific description of consumer privacy rights.
As mentioned above, businesses that sell personal information will need to comply with the obligations of those that collect personal information as well.
Ambiguities in the Law
Section 1798.110(c)(5) will likely need to be amended for clarity. As written, the CCPA requires businesses that collect personal information to disclose “the specific pieces of personal information the business has collected about that consumer.” This disclosure obligation is separate from the obligation to respond to a verified request for from a consumer exercising their rights under Section 1798.110(a) and (b) and seems to require any business collecting personal information to proactively disclose granular information essentially identical to what can be obtained through the “right to request.” How this could be done on an individual basis is unclear.
Takeaways
Identifying what personal information a business has, where it comes from, where it is stored, and where it is transferred are the first steps in complying with the CCPA’s notice and transparency requirements. Without good data mapping and inventory, no business can hope to accurately make the category-centric disclosures emphasized by the statute, let alone comply with verified requests from consumers for specific pieces of personal information.
As both collectors and sellers of personal information are required to disclose the categories of information collected, based on the enumerated list located in Section 1798.140, all businesses covered by the CCPA should pay careful attention to any regulations ultimately adopted by the California Attorney General’s office under Section 1798.185(a)(1). The AG must “solicit broad public participation” on or before January 1, 2020, to adopt regulations that, among other things, will “[update] as needed additional categories of personal information to those enumerated” in Section 1798.130(c) and Section 1798.140(o) “in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.”
Businesses that sell or “transfer for a business purpose” should quickly ensure they have a complete inventory of all parties receiving their data. Businesses that do not sell data for cash but do transfer it to third parties may yet qualify as sellers; they should pay careful attention to the requirements that attach to “business purpose” transfers, including the duty to inform consumers when such transfers have not taken place.
Only after completing thorough data mapping and inventory should businesses begin updating privacy policies, California-specific rights pages, and putting in place (if necessary) “Do Not Sell My Information” apparatus.
Photo credit: Makaristos [Public domain], from Wikimedia Commons