|Types of personal data collected/used:||Specify the “categories of personal information,” each “written in a manner that provides consumers a meaningful understanding of the information being collected.” Draft reg. § 999.308(b)(1).|
|Purposes for processing personal data:||For each category of personal information collected, specify|
- the “business or commercial purpose” for the collection. Draft reg. § 999.308(b)(1)(d)(2).
|Third parties:||For each category of personal information collected, specify|
- the “categories of sources” from which it is collected;
- and the categories of third parties with whom the business shares personal information. Draft reg. § 999.308(b)(1)(d)(2).
Must also state whether or not the business “has disclosed or sold any personal information for a business or commercial purpose in the preceding 12 months” and whether or not “the business sells the personal information of minors under 16 years of age without affirmative authorization.” Draft reg. § 999.308(b)(1)(e).
If business “sells” personal data, must specify the categories of personal information that are sold. Draft reg. § 999.308(b)(1)(e).
|Choices:||If business “sells” personal data, must provide a link labeled “Do Not Sell My Personal Information,” directing to a notice that describes the right to opt-out of sale. Draft reg. § 999.306.|
|Data subject rights:||Describe how California consumers can exercise their rights under CCPA, and the process the business uses to verify requests (including information the consumer will need to provide during verification), plus “how a consumer can designate an authorized agent to make a request under CCPA on the consumer’s behalf.” |
This includes the right to:
- Know about personal information collected, disclosed, or sold. Draft reg. § 999.308(b)(1).
- Request deletion of their personal information. Draft reg. § 999.308(b)(2).
- Right to opt-out of sale, if business “sells” personal information. Draft reg. § 999.308(b)(3).
- Right to non-discrimination for the exercise of a consumer’s privacy rights. Draft Rule § 999.308(b)(4).
|Contact information:||Specify a contact for questions or concerns “using a method reflecting the manner in which the business primarily interacts with the customer.” Draft reg. § 308(b)(6). |
Plus at least two methods for submitting requests to know/delete, including a toll-free number and an interactive webform. Draft reg. § 999.312.
|Last updated date:||Specify the last updated date. Draft reg. § 999.308(b)(7).|
Notice at Collection
Just how clear should this notice be? The draft regulations take great care to describe a gold standard of accessibility. A CCPA notice should be “easy to read and understandable to the average consumer” using “plain, straightforward language and avoiding technical or legal jargon,” using a format that is conspicuous and “draws the consumer’s attention to the notice,” available in any language(s) in which the business operates, and “accessible to consumers with disabilities.” Draft rule § 999.305(a)(2).
Other Notice Obligations
*References to “CCPA” refer to the law as amended. References to “Draft reg.” refer to the draft implementing regulations. Although some uncertainty remains, the California Attorney General has indicated that the draft regulations, which interpret and clarify the CCPA, are unlikely to be substantially revised.
The BBB EU Privacy Shield program provides compliance assistance for U.S. businesses preparing for self-certification under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, as well as ongoing review of the Privacy Shield notices and certifications of participating businesses and up-to-date guidance on privacy compliance. At its core, BBB EU Privacy Shield operates an independent third-party dispute resolution mechanism enabling European Union and Swiss individuals to resolve Privacy Shield complaints against participating businesses.