Bloomberg Law

ANALYSIS: Keeping California Privacy Notices Out of Reach

Feb. 16, 2021, 11:00 AM

Undoubtedly, public-facing notices are the low-hanging fruit in the orchard of privacy compliance. A bushel of enforcement letters sent by the California Attorney General’s Office last July reportedly addressed notification-related violations of the California Consumer Privacy Act (CCPA). To ensure that easy enforcement pickings won’t be available when the California Privacy Rights Act (CPRA) becomes operational in 2023, compliance professionals should plan now, before overripe CCPA notices go to seed.

The CPRA, to its credit, does not increase the number of required notices, and it provides a nearly two-year time frame to make each consumer notification peach perfect. Still, the CPRA introduces new permutations to the notice at collection, the notice to opt out, the notice of financial incentives, and the privacy policy.

Let’s examine the notice at collection first, with commentary on the others in articles to come.

Notice at Collection

Whenever a consumer is prompted to enter a name, email address, or other personal information, a notice at collection ought to be close at hand (or, in the words of the CCPA’s regulations, “readily available where consumers will encounter it”). Its purpose is to provide consumers with timely notice―at or before the point of collection―about the categories of personal information to be collected from them and the purposes for which the personal information will be used.

Given that the CPRA introduces a new subcategory of “sensitive personal information” (SPI) (which I discussed here), it’s no surprise that the CPRA amends the notice requirement to specify disclosure of the categories and purposes related to SPI, too.

However, there’s a slight nuance to the amended “purposes” prong. Whereas the CCPA requires timely disclosure of the purposes for which personal information will be “used,” the CPRA requires disclosure of the purposes for which it will be “collected or used.”

When you think about it, the amendment makes sense, because businesses should be able to explain why they intend to collect information in the first instance. If they don’t intend to use personal information for a business or commercial purpose, they should probably refrain from collecting it at the outset.

Indeed, data minimization is a key principle that all businesses should embrace.

Transparency is another, so the CPRA also requires notification of whether the personal information will be sold or shared. As I explained in that same earlier analysis, “sharing” is a new concept introduced by the CPRA. It pertains to the disclosure or dissemination of a consumer’s personal information to a third party for cross-context behavioral advertising.

Of course, up-front disclosure of potential selling and sharing practices should not be interpreted as a way of securing consumer consent to any subsequent transfers. Admittedly, consent is not a prerequisite for most selling and sharing practices under California law (unless you’re dealing with the personal information of consumers under the age of 16), but it’s good to remember that consumers have the right to opt out at any time. So businesses should not assume that updated notices of collection will give them license to sell and share consumer data ad infinitum.

The transparency principle also comes into play with a new requirement to disclose the length of time the business intends to retain personal information or SPI. Businesses unwilling to commit to a pre-set time frame must alternatively disclose the criteria they will use to determine that period. However, a business may not retain personal information or SPI longer than is “reasonably necessary” for each disclosed purpose.

Moving forward, then, the notice at collection must answer the what, where, when, why, and how of collection, but the CPRA is somewhat ambiguous regarding “who.” As mentioned before, the CPRA places the notice-at-collection requirement on a business that “controls the collection” of personal information (as opposed to the CCPA, which places the obligation on a business that simply “collects” personal information).

Because the CPRA does not define “controls the collection,” there appears to be an open question of whether the notice obligation may fall on more than one party (akin to the duties placed on “co-controllers” under the EU’s General Data Protection Regulation).

Oddly, the CPRA does not use the same phraseology when addressing the collection of SPI. In that instance, the obligation applies only to a business that “collects” SPI.

All of these changes are summarized in the following image:

Stay tuned for forthcoming articles (and images) on the CPRA’s modifications and mutations to the notice to opt out, the notice of financial incentives, and the privacy policy notice.
