CCPA Compliance: 4 Things You Should Know - Part 2

Regulation ¦ June 24th, 2020, 10:00 pm

The California Consumer Privacy Act (CCPA) enforcement deadline of July 1st, 2020, is coming closer by the day. With that, it’s time to ask yourself whether your business is ticking all of the CCPA’s boxes. In this short 4-part series, we will look at the key topics to address and how to tackle them.

You can find part 1 of this series here, focused on the privacy policy.

The Notice at Collection and Opt-in Requirements for New Purposes

The CCPA first mentions the mandatory ‘notice at collection’ in par. 1798.100, stating:

“A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.”

What does this mean for your business in practice? Below we give a quick outline of what to display to your customers and when, followed by a list of common pitfalls to avoid.

When should the notice be presented?

The CCPA tells you to inform your customers of the categories of information to be collected and the usage purposes for this information at or before the point of collection. Two questions are essential:

  • When does information become ‘personal information’?

  • What should be considered the point of collection?

The first question is a complex one and has been the subject of a heated public debate. Personal information is defined as information that ‘identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household’. It is not relevant whether you actually are associating information with a consumer; it is sufficient if you, or anyone else, theoretically could. The CCPA provides a non-exhaustive list of example categories of personal information, which includes IP addresses and ‘internet or other electronic network activity information’, such as cookies.

This means it is very possible that you are already collecting personal information before you ask a consumer to actively provide you with information, for instance during a checkout process. It is wise to display the CCPA notice at collection as soon as the consumer enters your website.

What should be included in the notice?

The notice should contain information about the categories of information you are collecting and the purposes for which this information will be used. In some cases, providing this information in a notice could lead to long-winded banners or pop-ups, which could disrupt the experience of your customer and end up harming consumers instead of benefiting them. The final regulations proposed by the Attorney General mitigate this problem by allowing businesses to refer to the specific section of their privacy policy where the data categories and usage purposes are described.

You are also obligated to state whether or not you are selling personal information and, if you are, to provide a link to the ‘Do Not Sell’ page.

Below are two examples of notice-at-collection texts, both of which are allowed by the CCPA (AB-375) and the regulations.

What should it look like?

The notice at collection should be designed and presented in a way that is easy to read and understandable to consumers. It should:

  • Be written in plain language

  • Use a format which draws a consumer’s attention to the notice and makes it easy to read, even on smaller screens

  • Be available in the languages in which your business usually provides contracts, disclaimers, sale announcements, and other information to consumers in California

  • Be reasonably accessible to consumers with disabilities. For online notices, you should follow the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium.

You can draw inspiration from the best practices we have seen popping up over the past months, which smoothly integrate the CCPA notice banner with pre-existing cookie banners.

Example 1:

New purposes for historic data

The CCPA does not only introduce the notice banner; it also forces businesses to obtain affirmative consent if they intend to use historically collected personal information for a purpose that was not disclosed to the consumer at or before the point of collection.

The regulations by the Attorney General clarify this in §999.305: ‘If the business seeks to use a consumer’s previously collected personal information for a purpose materially different than what was previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.’

It is essential to maintain an accurate, up-to-date internal data map or data inventory to make sure that you are aware at all times of exactly how personal information is being used.

Common mistakes

#1: Hyperlinking to the top of the privacy policy

As described above, the final regulations allow businesses to refer consumers to the specific section of their privacy policy where the collected data categories and the purposes of data usage are described. Many businesses seem to have taken a bit more freedom than warranted here, and are instead sending their customers to the top of the privacy policy.

Example: Amazon

#2: Reusing a GDPR cookie banner as a CCPA notice banner

Unfortunately, many GDPR-compliant businesses still seem to believe that their previous investments in GDPR compliance automatically make them ready for the CCPA. Even though the EU GDPR and the CCPA bear some similarities, there are also key differences between the two. The Attorney General’s regulations provide businesses that handle the personal information of California residents with clear guidelines on how to implement the CCPA. The GDPR has been made more concrete through jurisprudence, but it does not have such regulations to explain the letter of the law. A GDPR cookie banner does not tick the boxes of the CCPA notice-at-collection banner and therefore cannot simply be repurposed.

#3: Not drawing proper attention to the notice

The best practices displayed above (Pitchfork, Conde Nast) show conspicuous banners that immediately catch the consumer’s eye. The question is whether merely displaying a reference to a ‘California collection notice’ in the footer of the website sufficiently draws the consumer’s attention in the eyes of the Attorney General.

Example: Justin’s

Still struggling with the CCPA collection-notice banner? Datawallet offers a 100% compliant banner which can be implemented in your website in under a minute. With us, consumer trust comes first, so we made sure that our wording and UX are thoroughly tested to garner the best results. Contact us here for more information.

Disclaimer: The information provided in this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational and marketing purposes only.
