CCPA Consumer Notices


The CCPA has many implications for businesses operating in California. For example, as most affected businesses know, it requires you to provide notice to consumers about your personal information practices via your Privacy Policy.

But your Privacy Policy is just one of four types of external notice that the CCPA requires. The California Attorney General's Proposed Regulations explain these four consumer notices in detail, including guidance about how to structure your Privacy Policy.

In this article, you'll learn:

  • How to create each of the CCPA's four notices
  • Which of the four notices your business needs to provide
  • How and when you need to provide each notice

We'll also look at some real examples of consumer notices provided by businesses affected by the CCPA.

What is the CCPA?

Below is a brief introduction to the CCPA. If you already understand the basics of the CCPA, you can skip ahead to our guidance on the CCPA's four consumer notices.

The CCPA is a privacy law that places strict rules on businesses worldwide regarding their use of the personal information of California consumers.

The CCPA:

  • Requires businesses to be transparent about how they collect, use, share, and sell California consumers' personal information.
  • Provides consumers with more control over how businesses use their personal information, via a powerful set of consumer rights.

Who Has to Comply with the CCPA?

The CCPA applies to your business if it does business in California and at least one of the following applies:

  • You have annual gross revenues of over $25 million
  • You buy, sell, share for commercial purposes, or receive for commercial purposes, the personal information of more than 50,000 consumers, devices, or households per year
  • You derive at least 50 percent of your annual revenues from selling consumers' personal information

The CCPA's Four Consumer Notices

The California Attorney General's "CCPA Proposed Regulations" are a key source of information about the CCPA's notice requirements.

The Proposed Regulations set out specific rules and guidance about how businesses should apply parts of the CCPA. The Regulations are still in draft form and may change considerably before they pass into law (April 2020 at the very earliest).

However, the Proposed Regulations will be legally binding once they come into effect. This means that breaking the rules under the Regulations will leave you open to fines and other penalties.

There are four types of external notices you should be providing to consumers in certain circumstances:

  1. Privacy Policy
  2. Notice at collection
  3. Notice of the right to opt out
  4. Notice of financial incentives

The California Attorney General offers some general principles to follow when you provide notice:

  • Use plain language. Avoid "legalese."
  • Ensure your notices are clear and conspicuous and that consumers can read them on small screens.
  • Provide your notices in the language(s) in which your business normally communicates with consumers.
  • Make your notices available to consumers with disabilities. You should inform consumers that they may access your notices in an alternative format if required.

1. Privacy Policy

A Privacy Policy is mandatory for all businesses under the CCPA.

Your Privacy Policy gives consumers notice about:

  • Their rights under the CCPA
  • Your business activities over the preceding 12-month period

The Proposed Regulations provide a particular format for your CCPA Privacy Policy.

The Regulations go beyond the requirements of the text of the CCPA itself. Remember that some of these requirements might not remain once the Regulations become law.

  1. Information about the right to know:

    1. Explain that consumers may request disclosure of the personal information you collect, use, disclose for business purposes, and sell.
    2. Explain how consumers can submit a Verifiable Consumer Request and provide a link to a web page which allows them to do this.
    3. Explain the process you use to verify the identity of consumers and any ID you require.
    4. Disclose your personal information collection practices:

      1. List the categories of personal information you have collected about consumers in the past 12 months.
      2. For each category of personal information, disclose:

        1. The categories of sources from which you collected it
        2. The business or commercial purposes for which you collected it
        3. The categories of third parties with whom you share it
    5. Disclose how you sell personal information and/or disclose personal information for business purposes:

      1. State whether you have sold personal information or disclosed personal information for business purposes in the past 12 months.
      2. List the categories of personal information you have sold, and the categories you have disclosed for a business purpose, in the past 12 months (if any).
      3. State whether you sell the personal information of minors under the age of 16 without affirmative authorization.
  2. Information about the right to delete:

    1. Explain that consumers may request that you delete any personal information you hold on them.
    2. Explain how consumers can submit a Verifiable Consumer Request and provide a link to a web page which allows them to do this.
    3. Explain the process you use to verify the identity of consumers and any ID you require.
  3. Information about the right to opt out:

    1. Explain that consumers may opt out of the sale of their personal information.
    2. Provide a link to your "Do Not Sell My Personal Information" page.
  4. Information about the right to non-discrimination:

    1. Explain that consumers will not be discriminated against for exercising their CCPA rights.
  5. Explain how a consumer can designate an Authorized Agent to make a consumer rights request on their behalf.
  6. Provide contact details and invite consumers to ask for more information should they require it.
  7. Provide the date the Privacy Policy was last updated.
  8. If you buy, sell, receive for commercial purposes, or share for commercial purposes the personal information of 4 million or more consumers per year, you must also disclose, for the previous calendar year:

    1. How many requests you received under the right to know
    2. How many requests you received under the right to delete
    3. How many requests you received under the right to opt out
    4. For each type of request, how many you complied with in whole or in part, how many you denied, and the median number of days it took you to substantively respond

You must review and update your Privacy Policy at least once every 12 months.

Here are some examples of businesses that are implementing the CCPA's Privacy Policy obligations.

SafeGraph has created a two-column table which covers the categories of personal information collected (point 1.4.1 above) and the categories of sources for each (point 1.4.2.1 above).

  • The first column lists the categories of personal information SafeGraph has collected about consumers in the past 12 months.
  • The second column lists the categories of sources from which SafeGraph collected each category of personal information.

SafeGraph CCPA Privacy Policy: categories of collected personal information and their sources (image)

Note that some of these sources are third parties (e.g. advertising networks) while others are not (e.g. mobile applications).

2. Notice at Collection

You should provide a "notice at collection" at or before the point at which you collect personal information directly from consumers.

A notice at collection makes consumers aware of what categories of personal information you are collecting and why you are collecting it.

The Proposed Regulations require that your notice at collection contains the following:

  1. A list of the categories of personal information you are collecting
  2. The business or commercial purposes for which you are collecting each category of personal information
  3. If you sell personal information, a link to your "Do Not Sell My Personal Information" page
  4. A link to your Privacy Policy

You can include the information above as a section in your Privacy Policy and provide a link to that section. Under the Proposed Regulations, this would be an acceptable way to provide notice at collection.

Consider the context in which you're collecting personal information when you're providing notice. For example, if you're collecting personal information via a paper form sent by mail, you should provide the notice on paper alongside the form. If you're collecting it via a web form, the notice (or a link to it) should be visible on the form before the consumer submits it.

If you're collecting personal information about the consumer indirectly, i.e. from another source, you don't need to provide notice at collection. However, if you sell that personal information, the Proposed Regulations require that, before selling it, you must either:

  1. Contact the consumer directly to provide notice of the right to opt out, or
  2. Contact the source of the personal information to:

    1. Confirm that they gave the consumer valid notice at collection
    2. Obtain a "signed attestation" that they gave notice at collection, together with an example of the notice at collection they gave. You must retain a copy of this attestation for at least two years and provide it to the consumer on request.

3. Notice of the Right to Opt Out

If you sell (or you will sell) consumers' personal information, you must provide notice of consumers' right to opt out.

If you sell personal information, you must maintain a clear and conspicuous link on your website's home page stating "Do Not Sell My Personal Information." When consumers click this link, it must lead to your notice of the right to opt out.

The Proposed Regulations require that your notice of the right to opt out contains the following:

  1. An explanation of the right to opt out
  2. A form via which consumers may exercise their right to opt out
  3. Instructions about any other ways consumers can exercise their right to opt out
  4. Information about any proof you require from consumers who wish to use an Authorized Agent to exercise their right to opt out
  5. A link to your Privacy Policy

4. Notice of Financial Incentives

If you operate a "financial incentives scheme," you must provide a notice of financial incentives.

We won't go into detail about the CCPA's financial incentives provisions in this article, but here's a brief explanation.

The CCPA's "right to non-discrimination" forbids businesses from discriminating against consumers who exercise their CCPA consumer rights. This means you cannot, for example, charge a higher price for services to someone who has exercised their "right to opt out."

When the draft CCPA was made available, businesses soon realized that this could forbid them from engaging in legitimate business activities, such as offering coupons to people who sign up to their mailing lists, or running loyalty schemes.

Therefore, there is a provision in the CCPA and the Proposed Regulations that allows businesses to offer incentives to consumers in exchange for their personal information. The incentive, or any difference in price or service, must be reasonably related to the value that the business derives from the consumer's personal information.

You must make your notice of financial incentives available to consumers before they opt into any such schemes.

The Proposed Regulations require that your notice of financial incentives contains the following:

  1. A summary of your financial incentive scheme
  2. An explanation of the terms of the scheme, including the categories of personal information involved
  3. Instructions on how consumers can opt in to the scheme
  4. Notification of consumers' right to withdraw from the scheme
  5. An explanation of why the scheme is permitted under the CCPA, including:

    1. An estimate in "good faith" of the value of the consumer's personal information
    2. A description of the method you used to calculate the value

You can include the information above as a section in your Privacy Policy and provide a link to that section. Under the Proposed Regulations, this would be an acceptable way to provide notice of financial incentives.

Here's an example of a notice of financial incentives from World's Best Cat Litter:

World's Best Cat Litter: Notice of Financial Incentive (image)

World's Best Cat Litter explains its financial incentive scheme, how consumers can opt in, and how consumers can opt out without being subject to discrimination.

It's not clear whether the last section on this notice would satisfy point 5 of the Proposed Regulations (above). However, remember that the Regulations may change before they come into force.

Note that the CCPA has other notice requirements beyond the consumer notices that you'll need to become familiar with as well.

Summary

We've looked at the four consumer notices you may need to provide under the CCPA.

  1. Privacy Policy: Required for all businesses.
  2. Notice at collection: Required if you collect personal information directly from consumers. Present this notice at or before the point where you collect personal information directly from a consumer.
  3. Notice of the right to opt out: Required if you sell personal information. Make this notice available via your "Do Not Sell My Personal Information" link.
  4. Notice of financial incentives: Required if you operate a financial incentive scheme. Present this notice before you invite consumers to join your scheme.

Use clear and straightforward language in your notices. Ensure they are easily accessible, and available in alternative formats for consumers with disabilities.