What the Draft CCPA Regs Could Mean for Your Privacy Shield-Compliant Notice

May 20, 2020, 09:00 AM by BBB National Programs

On October 10, 2019 the California Attorney General released the long-awaited draft regulations under the California Consumer Protection Act (CCPA). CCPA goes into effect on January 1, 2020. The draft regulations interpret and clarify the CCPA. Among these clarifications are detailed descriptions of the requirements of the privacy notices that should be provided to California consumers.

The draft rules are subject to change, although some aspects directly reflect the requirements of the CCPA. The California AG is actively engaging with the public as part of the rulemaking process. Comments on the proposed rules are due on December 6, 2019.

The Notice principle under the Privacy Shield Framework specifies the elements of Privacy Shield that must be included in a notice to data subjects. At a minimum, organizations include these elements in their privacy policy, to which they link at relevant points of data collection. Some organizations may also provide additional up-front notices at other points of contact with the data subject.

The AG’s draft regulations on notice provide insight into enhancements that may be appropriate to the timing of notice delivery and the format of the notice. Notices under CCPA may be part of the business’s privacy policy (appropriately linked) and/or delivered as separate up-front notices.


Privacy ShieldCCPA (subject to change)
Timing of the notice:At the time individuals are first asked to provide personal information to the organization “or as soon thereafter as is practicable.”At or before the time of collection. CCPA § 1798.100.
Must be “visible or accessible where consumers will see it before any personal information is collected.” Draft reg. § 999.305(a)(2)(e).
Format of the notice:“clear and conspicuous language”“Easy to read and understandable to the average consumer” using “plain, straightforward language and avoiding technical or legal jargon,” using a format that “draws the consumer’s attention to the notice,” available in any language(s) in which the business operates, and “accessible to consumers with disabilities.” Draft reg. § 999.305(a)(2)(a-d).
Last updated date:Required by Department of Commerce FAQDraft reg. § 999.308(b)(7).
Contact information:“how to contact the organization with any inquiries or complaints” plus contact information for your Independent Recourse Mechanism
“Contact for More Information” Draft reg. § 308(b)(6). Plus at least two methods for submitting requests to know/delete, including a toll-free number and an interactive webform. Draft reg. § 999.312.


The draft regulations also provide clarity on the elements that a business is expected to include in its notice for California consumers. In practice, Privacy Shield organizations that wish to align their privacy policy with CCPA, may wish to consider including enhanced details about the correspondence between types of personal data collected, purposes for which it is collected, and the purposes for which it is shared with categories of third parties.


Privacy ShieldCCPA (subject to change)
Types of personal data:“types of personal data collected”“categories of personal information,” each “written in a manner that provides consumers a meaningful understanding of the information being collected” Draft reg. § 999.308(b)(1), 305(a)
Purposes for processing:“purposes for which it collects and uses personal information about them”
purposes for which it discloses personal information to third parties
Notice at collection: business or commercial purposes for which each category of personal information “will be used” Draft reg. § 999.305(b)(2).
(More detail by request, see below).
Third parties:“type or identity of third parties to which it discloses personal information”Must inform consumers if personal information will be sold. Plus the categories of third parties (by request, see below).
Choices:Choices and means for limiting the use and disclosure of personal dataIf business “sells” personal data, must provide a link labeled “Do Not Sell My Info,” directing to a notice that describes the right to opt-out of sale. Draft reg. § 999.306.
Data subject rights:Right to access personal information, plus ability to correct/amend/delete if incorrect or processed in violation of Privacy Shield.- Right to know about personal information collected, disclosed, or sold. Draft reg. § 999.308(b)(1).
- Right to request deletion. Draft reg. § 999.308(b)(2).
- Right to opt-out of sale, if business “sells” personal information. Draft reg. § 999.308(b)(3). 
- Right to non-discrimination for the exercise of a consumer’s privacy rights. Draft reg. § 999.308(b)(4).


Finally, the draft regulations elaborate on the elements that businesses are expected to provide to consumers who assert their “Right to know about personal information collected, disclosed, or sold”. Draft reg. § 999.308(b). This provision requires that when a business receives such a request, it provide the consumer with additional details about the actual data collection and disclosure practices that the business has engaged in over the previous 12 months. This includes the purposes for collection and sharing, the categories of third parties shared with, and “the categories of sources from which that information was collected.” Although this level of detail may not need to be included in a privacy notice, it will need to be tracked closely in order be disclosed upon request.

Suggested Articles


Unpacking Misleading Advertising Claims in the Children’s Space

Advertisements may seem simple on the surface, but certain aspects of the ad business, including advertising law, are complex. The role of monitoring ads directed to children is especially complex. It seems straightforward: advertisers are not allowed to lie in their advertisements, but an advertiser is also responsible for all reasonable interpretations of the claims it makes and not just the messages it intended to convey. This blog outlines how to make sure your advertising passes the truthfulness test.
Read more

A Beginner's Guide to Reading Privacy Policies

Privacy policies are complicated and can be frustrating to read, especially when you are trying to learn about your child's data privacy online. The Children’s Advertising Review Unit (CARU) reviews child-directed online environments to ensure that children’s data is collected and handled responsibly. As a parent, follow these steps to take a proactive role in your child’s data privacy, using privacy policies as your guide to better understand an online service’s data collection practices.
Read more

Q&A: What is an SRO? A Beginner’s Guide to International Advertising Self-Regulation

Advertising is a cutting-edge industry, so it is no surprise that the ad business has been at the forefront of a global trend building for almost 60 years – independent industry self-regulation. In the U.S., the National Advertising Division is the industry’s widely recognized “truth-in-advertising” body, an independent third party that enables competitors to resolve disputes outside the courtroom. It is the self-regulatory organization (SRO) of the U.S. In this Q&A with Mary Engle, Executive Vice President, Policy, here at BBB National Programs, we dig into what industry self-regulation looks like in other parts of the world.
Read more

Substantiating Advertising Claims in Three Steps: A How-To Checklist for Advertisers

Substantiating advertising claims is important, both to comply with the law and to avoid regulatory scrutiny or a potential challenge from a competitor in court or in a proceeding before the National Advertising Division (NAD). NAD examines the fit between challenged claims and the substantiation provided. What follows is not legal advice but a basic one-two-three checklist for advertisers concerned about substantiating their advertising claims.
Read more