
ANALYSIS: The Gap in CCPA-Compliant Privacy Notices

Jan. 31, 2020, 6:27 PM

With the dawn of a new year, the California Consumer Privacy Act (CCPA) entered into effect, requiring updated notices about consumer privacy rights and new mechanisms for the exercise of those rights. Companies still struggling with CCPA compliance challenges may wish to compare notes with the largest consumer retailer based in California—The Gap, Inc.—which has incorporated CCPA notification standards into its consumer-facing website.

Generally speaking, the CCPA mandates two distinct types of notices: one at the point of collection (POC), and the other in the company’s privacy policy. While the requirements are mind-numbingly complex—see Bloomberg Law’s roadmap setting forth CCPA notice obligations—Gap’s execution not only fulfills (most of) the statutory requirements, but more importantly satisfies the legislative intent by making it understandable to the average consumer.

Point of Collection

The POC notice, which must be given “at or before” the collection of personal information (Cal. Civ. Code § 1798.100(b)), requires businesses to inform consumers of the categories of personal information to be collected and the purposes for which each category will be used.

Significantly, the POC notice is not limited to online collection efforts. Indeed, the California Attorney General’s proposed regulations (11 CCR § 999.300 et seq.) specifically provide an example of an “offline” POC notice: “When a business collects consumers’ personal information offline, it may, for example, include the notice on printed forms that collect personal information, provide the consumer with a paper version of the notice, or post prominent signage directing consumers to the web address where the notice can be found.” See 11 CCR § 999.305(a)(2)(e).

While I’m unaware if Gap is providing offline notices in its California stores, the fulfillment of its duties in the web environment appears to be spot-on.

To its credit, Gap has embedded a consumer-friendly “Feedback” tab on the right rail of every webpage. When clicked, the tab opens an easy-to-use form for consumers to submit comments about three general components of Gap’s business: its website, its brick-and-mortar stores, and its products. After a topic is picked, the form expands to provide fields for providing additional information, including fields for the collection of personal information (such as name, phone number, and email address). However, Gap displays a simple, 11-word POC notice before any of those fields appear: “Your responses will be used in accordance with our privacy policy.”

Even though Gap’s notice sets forth neither the categories of personal information to be collected nor the express purposes for which it will be used (see Cal. Civ. Code § 1798.100(b)), it nevertheless passes muster under the AG’s proposed regs. Why? Because it contains a link to the privacy policy (highlighted in the screenshot above).

As proposed, 11 CCR § 999.305(c) says: “If a business collects personal information from a consumer online, the notice at collection may be given to the consumer by providing a link to the section of the business’s privacy policy that contains the information required in subsection (b).” (Emphasis added.)

Subsection (b), in turn, specifies four elements:

(1) a list of the categories of personal information collected;
(2) the business or commercial purpose for which each category will be used;
(3) the “do not sell” link; and
(4) the link to the privacy policy.

While Gap’s POC notice sends users to the top of the privacy policy and not directly to “the section … that contains the information required in subsection (b),” by doing so, it satisfies another requirement of the proposed regulations: namely, the requirement to “[b]e available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers.” 11 CCR § 999.305(a)(2)(c).

The top of the privacy policy contains links to the text of the policy in English, Español, Français Canada, Français France, Italiano, and Deutsch. (Yes, two versions in French!)

Moreover, Gap’s 11-word POC notice undoubtedly satisfies the “easy to read and understandable to an average consumer” requirement, and it avoids the use of “technical or legal jargon.” 11 CCR § 999.305(a)(2)(a). Furthermore, the clean interface arguably uses a format “that draws the consumer’s attention to the notice ….” 11 CCR § 999.305(a)(2)(b).

Well done, Gap!

Gap uses a similar interface to provide a POC notice before collecting email addresses from consumers seeking a discount. As highlighted in the screenshot below, a simple hyperlink to the privacy policy suffices.

Given the simplicity of linking to the privacy policy, it’s somewhat surprising to find a solicitation for consumer email addresses on the website of Old Navy—an affiliate brand of Gap, Inc.—that lacks a link to the privacy policy:

A similar sign-up solicitation—i.e., sans privacy policy—also appears on the homepage of affiliate brand Banana Republic. The affiliated sports-apparel brands Athleta and Hill City display links to “Terms & Conditions” and “Details,” respectively, in their email sign-ups, but curiously, neither of those links takes the user to the privacy policy.

Each of the affiliate brands, however, employs the same “Feedback” tab as Gap’s homepage, with the attendant link to the corporate privacy policy. And each affiliate also uses nearly identical footer information, again with corresponding links to “Privacy Policy” and “Your California Privacy Rights.”

Aside from the inconsistencies on the affiliate sites, Gap’s POC notices should be able to satisfy the demands of the AG.

Privacy Policy Notice

The CCPA’s separate privacy policy notice requirement is two-tiered: It must appear in a company’s online privacy policy (if it has one) and in “any California-specific description of consumers’ privacy rights.” Cal. Civ. Code § 1798.130(a)(5)(A). Since the same content—namely, a description of consumers’ privacy rights and the methods by which consumers may exercise their rights—must be conveyed in both documents, it makes sense to fold the California-specific notice into the general privacy policy.

And that’s exactly what Gap has done.

While I have some reservations about the design and presentation of Gap’s privacy policy, it nevertheless appears to fulfill the majority of the CCPA’s requirements.

My principal beef is that the policy lacks navigation. There’s no table of contents providing jump links to pertinent sections. While the text itself is not particularly long—fewer than 2,000 words—users must scroll down to locate relevant headings, such as “YOUR RIGHT TO CONTROL HOW YOUR PERSONAL INFORMATION IS USED” and “TYPES OF INFORMATION WE COLLECT.”

Admittedly, the CCPA does not specifically require navigation, but such a feature would have provided an easier way to ensure that each of the requirements has been addressed.

And those requirements are many.

On the “description of a consumer’s rights” side of the equation, Cal. Civ. Code § 1798.130(a)(5)(A), the CCPA requires an explanation of six distinct consumer rights:

1. Right to request disclosure of personal information (PI) collected (Cal. Civ. Code §1798.100);
2. Right to request disclosure of PI disclosed or sold (Cal. Civ. Code §1798.115);
3. Right to request deletion of PI (Cal. Civ. Code §1798.105);
4. Right to non-discrimination for the exercise of rights (Cal. Civ. Code §1798.125);
5. Right to opt-out of the sale of PI (Cal. Civ. Code §1798.120);
6. Right for minors to opt-in to the sale of their PI (Cal. Civ. Code §1798.120(c)).

As for “designated methods for submitting requests,” Cal. Civ. Code § 1798.130(a)(5)(A), the CCPA requires:

1. a description of “one or more” methods for submitting requests (Cal. Civ. Code § 1798.130(a)(5)(A)); and
2. a “do not sell” link (Cal. Civ. Code §1798.135(a)).

Gap’s privacy policy doesn’t track the structure of the CCPA—which is a good thing! Rather, it takes the elements and presents them in a way that makes sense to consumers, whether those consumers are in California or the European Union.

The policy itself is only eight sections long. Despite the lack of a table of contents, the headings are displayed in a large, 30-point font, and they highlight what consumers would want to know, such as “TYPES OF INFORMATION WE COLLECT” and “HOW WE USE YOUR INFORMATION.”

Each section is brief, with a “learn more” hyperlink for consumers seeking more detailed information. The “learn more” link under “YOUR RIGHT TO CONTROL HOW YOUR PERSONAL INFORMATION IS USED” expressly addresses California Privacy Rights. Surprisingly, the text pertaining to the CCPA is only five sentences long!

Brevity may be the soul of wit, but how could it ever satisfy the requirements of the CCPA? Indeed, the AG’s proposed regs emphasize that the “purpose of the privacy policy is to provide the consumer with a comprehensive description of a business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information.” 11 CCR § 999.309(a)(1) (emphasis added).

Guess what? Gap’s privacy policy is comprehensive.

Pithy clauses and succinct sentences are peppered throughout the policy. They contain references to the rights to disclosure, deletion, and opt out. They list what is collected and why. They explain how personal information is used. They include a toll-free number. And all is communicated in vocabulary devoid of legalese.

The only CCPA requirement I found missing was an explanation of the right to non-discrimination.

And while neither the policy nor Gap’s homepage contains a “do not sell my personal information” link, that’s because the policy expressly states: “Gap Inc. does not currently sell personal information about its customers who reside in California.” Use of the word “currently” may raise some eyebrows, since the CCPA’s look-back provision extends 12 months into the past. Perhaps Gap should revise that to say “does not currently sell and has not sold in the past 12 months ….”

Still, despite that oversight and the omission of the non-discrimination right, that’s a pretty narrow ‘gap’ for Gap to fill. Now’s the time for you to perform your own “Gap Analysis”—using Gap as a guide!
