With the dawn of a new year, the California Consumer Privacy Act (CCPA) entered into effect, requiring updated notices about consumer privacy rights and new mechanisms for the exercise of those rights. Companies still struggling with CCPA compliance challenges may wish to compare notes with the largest consumer retailer based in California—The Gap, Inc.—which has incorporated CCPA notification standards into its consumer-facing website.
Point of Collection
The POC notice, which must be given “at or before” the collection of personal information (Cal. Civ. Code § 1798.100(b)), requires businesses to inform consumers of the categories of personal information to be collected and the purposes for which each category will be used.
Significantly, the POC notice is not limited to online collection efforts. Indeed, the California Attorney General’s proposed regulations (11 CCR § 999.300 et seq.) specifically provide an example of an “offline” POC notice: “When a business collects consumers’ personal information offline, it may, for example, include the notice on printed forms that collect personal information, provide the consumer with a paper version of the notice, or post prominent signage directing consumers to the web address where the notice can be found.” See 11 CCR § 999.305(a)(2)(e).
While I’m unaware if Gap is providing offline notices in its California stores, the fulfillment of its duties in the web environment appears to be spot-on.
Subsection (b), in turn, specifies four elements:
(1) a list of the categories of personal information collected;
(2) the business or commercial purpose for which each category will be used;
(3) the “do not sell” link; and
Moreover, Gap’s 11-word POC notice undoubtedly satisfies the “easy to read and understandable to an average consumer” requirement, and it avoids the use of “technical or legal jargon.” 11 CCR § 999.305(a)(2)(a). Furthermore, the clean interface arguably uses a format “that draws the consumer’s attention to the notice ….” 11 CCR § 999.305(a)(2)(b).
Well done, Gap!
Aside from the inconsistencies on the affiliate sites, Gap’s POC notices should be able to satisfy the demands of the AG.
And that’s exactly what Gap has done.
My principal beef is that the policy lacks navigation. There’s no table of contents providing jump links to pertinent sections. While the text itself is not particularly long—fewer than 2,000 words—users must scroll down to locate relevant headings, such as “YOUR RIGHT TO CONTROL HOW YOUR PERSONAL INFORMATION IS USED” and “TYPES OF INFORMATION WE COLLECT.”
Admittedly, the CCPA does not specifically require navigation, but such a feature would have provided an easier way to ensure that each of the requirements has been addressed.
And those requirements are many.
On the “description of a consumer’s rights” side of the equation, Cal. Civ. Code § 1798.130(a)(5)(A), the CCPA requires an explanation of six distinct consumer rights:
1. Right to request disclosure of personal information (PI) collected (Cal. Civ. Code § 1798.100);
2. Right to request disclosure of PI disclosed or sold (Cal. Civ. Code § 1798.115);
3. Right to request deletion of PI (Cal. Civ. Code § 1798.105);
4. Right to non-discrimination for the exercise of rights (Cal. Civ. Code § 1798.125);
5. Right to opt-out of the sale of PI (Cal. Civ. Code § 1798.120);
6. Right for minors to opt-in to the sale of their PI (Cal. Civ. Code § 1798.120(c)).
As for “designated methods for submitting requests,” Cal. Civ. Code § 1798.130(a)(5)(A), the CCPA requires:
The policy itself is only eight sections long. Despite the lack of a table of contents, the headings are displayed in a large, 30-point font, and they highlight what consumers would want to know, such as “TYPES OF INFORMATION WE COLLECT” and “HOW WE USE YOUR INFORMATION.”
Each section is brief, with a “learn more” hyperlink for consumers seeking more detailed information. The “learn more” link under “YOUR RIGHT TO CONTROL HOW YOUR PERSONAL INFORMATION IS USED” expressly addresses California Privacy Rights. Surprisingly, the text pertaining to the CCPA is only five sentences long!
Pithy clauses and succinct sentences are peppered throughout the policy. They contain references to the rights to disclosure, deletion, and opt out. They list what is collected and why. They explain how personal information is used. They include a toll-free number. And all is communicated in vocabulary devoid of legalese.
The only CCPA requirement I found missing was an explanation of the right to non-discrimination.
And while neither the policy nor Gap’s homepage contains a “do not sell my personal information” link, that’s because the policy expressly states: “Gap Inc. does not currently sell personal information about its customers who reside in California.” Use of the word “currently” may raise some eyebrows, since the CCPA’s look-back provision extends 12 months into the past. Perhaps Gap should revise that to say “does not currently sell and has not sold in the past 12 months ….”
Still, despite that oversight and the omission of the non-discrimination right, that’s a pretty narrow ‘gap’ for Gap to fill. Now’s the time for you to perform your own “Gap Analysis”—using Gap as a guide!