Will a Privacy Policy Satisfy the CCPA's Notice at Collection Requirement?

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 01 July 2022.

Will a Privacy Policy Satisfy the CCPA's Notice at Collection Requirement?

The California Consumer Privacy Act (CCPA) requires affected businesses to take several actions, including publishing particular information in particular forms.

This includes a narrow list of information when collecting personal data and a wider list of information commonly known as a Privacy Policy.

In principle, and in short, there's no reason why a Privacy Policy can't satisfy this requirement, though you'll need to be clear about how you display and highlight it.

This article will discuss whether a Privacy Policy will satisfy the CCPA's notice at collection requirement and what you need to know about the topic.

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:
  3. FreePrivacyPolicy: Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1

  4. Answer a few questions about your business:
  5. FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  6. Enter the country and click on the "Next Step" button:
  7. FreePrivacyPolicy: Privacy Policy Generator - Enter the country - Step 2

  8. Continue with building your Privacy Policy while answering on questions from our wizard:
  9. FreePrivacyPolicy: Privacy Policy Generator -  Answer on questions from our wizard - Step 3

  10. Almost done. Now enter your email address where you'd like your new Privacy Policy sent and click on the "Generate" button and you're done.

    FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 4

    That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.



Who's Covered by the CCPA

The CCPA has been fully enforced since 1 July 2020. It affects the way you handle personal data about California residents if you are a business and meet any of three criteria:

  • Your annual revenue is more than $25 million
  • The number of California consumers whose personal data you buy, share or sell within any one-year period exceeds 50,000. (This threshold also applies to the number of households or devices, though these situations are much rarer.)
  • At least half of your annual revenue comes from selling personal data about California consumers

The CCPA's Principles and Broad Requirements

The CCPA's Principles and Broad Requirements

The CCPA upholds five consumer rights. It's important to know and understand these as they could affect any legal or regulatory dispute about your CCPA compliance and how to interpret the law:

  • To know what data you collect about them
  • To know if you sell or disclose their data
  • To stop you selling the data
  • To access the data you hold about them
  • To exercise these rights without you discriminating against them on price or service

Unlike some data privacy laws, the CCPA doesn't require that you get consent before collecting data.

Instead, its main rules are about you giving clear information about the data you collect and how you use it. This makes the consumer rights meaningful and allows them to make relevant decisions or exercise the rights

Categories of Personal Information Under the CCPA

Categories of Personal Information Under the CCPA

Naturally, the information you collect about each consumer (both the specific detail and the type of information) will vary immensely from case to case.

To make the notification requirements practical, the CCPA groups personal information into 11 categories. You'll refer to these categories when making the mandatory privacy notifications:

The categories are defined in full in section 1798.140.(o) of the CCPA's legislative text, but broadly they are as follows:

  1. Identifiers such as names, addresses and numbers, particularly government-issued numbers
  2. Personal information covered by subdivision (e) of Section 1798.80 of the California Code. In simple terms, this means anything that identifies an individual and isn't already public knowledge.
  3. Information about protected classifications. This means details of characteristics that you are not allowed to use for discrimination under California or federal law. Examples include age, marital status, race, religion and sexual orientation.
  4. Any commercial information such as past purchases
  5. Biometric information
  6. Information about online activity such as search and browsing history and whether the person viewed or clicked on a particular site, app or ad
  7. Geolocation data
  8. Audio, electronic, visual, thermal, olfactory, or similar information. This is mainly about covering images, audio and video content that involves personal information.
  9. Professional and employment information.
  10. Educational information, specifically anything that's not publicly available but does directly or indirectly relate to or identify a student
  11. Inferences drawn from any information in the other categories to profile somebody. This could include trying to build up a picture of their preferences, personalities, beliefs or purchasing habits.

Notice at Collection

The first requirement for telling consumers about your data practices is a specific one. You must make this notification at the time of collection, before you collect the data.

The notification must say which category or categories the data falls into. You must then give a category-by-category breakdown of:

  • How you will use the data
  • Why you will use the data
  • Whether you intend to pass on the data to a third party (whether sold or shared)
  • If you will pass on the data, who will receive it

This advance notification covers your intentions when you collect the data.

If you later want to do anything not covered in the notification, such as using it for a new purpose or sharing it with somebody, you do not need new consent, but you must notify the person the data relates to.

As we'll detail later, consumers can demand that you stop selling their personal data.

Notice at Collection via a Privacy Policy?

Notice at Collection via a Privacy Policy?

In principle, you could combine the notification before collection and the Privacy Policy. You can do this where the data you are about to collect, for example through an account sign-up, falls into the same categories in which you've collected data in the past 12 months. If you intend to sell the data, it would need to be in a category in which you've sold the data in the past 12 months.

Indeed, the CCPA specifically says this is acceptable: "...the notice at collection may be given to the consumer by providing a link to the section of the business's privacy policy that contains the information required."

The logic behind this approach is that if the consumer knows that you have used/sold/disclosed data from a particular category before, they can reasonably conclude you will do so with the data you are about to collect

Just remember that:

  • The details of the data you are collecting now (including the category and your intended use) must match what you have listed for the past 12 months. If you're doing something new (including collecting data in a different category), you will need to cover this in a standalone advance notification.
  • If you work with a lot of data in different categories, simply pointing somebody to your Privacy Policy could be overwhelming and deter them from providing the data. A standalone advance notification may work better in cases where you are only collecting limited data or plan to use it in limited ways.

Some businesses, particularly those serving national audiences, produce a standalone section or separate page detailing the privacy rights of consumers in California.

This is allowed under the CPRA, but you must make sure that:

  • You conspicuously highlight it so California consumers know to read the section

    Rutan clearly signposts such a dedicated page next to the link to its main Privacy Policy:

  • Rutan website footer with California Privacy Rights policy link highlighted

  • You are confident that California consumers can see all relevant information about their rights and your practices before you collect data

Privacy Policy Compliance with the CCPA

Privacy Policy Compliance with the CCPA

As well as advanced notification for collecting specific data, the CCPA also says you must have a document detailing particular information about your overall privacy practices. This is normally known as your Privacy Policy.

You must list the consumers rights under CCPA (which we covered earlier) and give at least one way a consumer can exercise these rights, for example a mailing address, email address or online form.

BusinessOL does this clearly:

BusinessOL CCPA Notice at Collection: Exercising Your Rights clause

You also need to list a category-by-category breakdown of whether you have collected, sold or disclosed (shared without payment) any personal information in the past 12 months. This covers all consumer data rather than that of a specific customer.

For each of the three activities (collect, sell, disclose) you need to list all the categories which the data falls into, or state that you have not collected/sold/disclosed any data.

Different businesses take different approaches to this requirement.

Some simply produce a list of relevant categories for each activity. Others find it easier to produce a single chart that shows each category and then whether the business has collected/sold/disclosed data in that category.

Which is best may depend on how much data you have used in this way and how many categories it involves.

Here's an example of how you can use separate charts for each type of use (collect/sell/disclose). It goes beyond the minimum compliance by listing in detail what each category covers:

iCIMS CCPA Privacy  Notice: Data categories chart excerpt

Refinitiv opts for a list of the relevant categories:

Refinitiv CCPA Privacy Notice: Sale of Personal Information clause excerpt

Now let's take a look at what else the CCPA requires that you need to be aware of.

Other Required Notifications Under the CCPA

Other Required Notifications Under the CCPA

As noted, the CCPA gives people the right to stop you from selling their personal information. Once they do so, you must comply within 10 days and cannot resume sales until the person gives permission. You cannot ask for permission for at least one year.

As well as your pre-collection notification and your Privacy Policy, the CCPA says you must have a specific page on your website that lets people exercise this right. For example, this could be an online form or a direct email address link.

You must include a link from your home page to this dedicated page, and the link must use the text "Do Not Sell My Personal Information."

The Los Angeles Times does this in its home page footer:

Los Angeles Times website footer with Do Not Sell My Personal Information link highlighted

Note that this opt-out principle doesn't apply where the person the data is about is under 16 (whether you know their age for sure, or you should have known). In these cases, you need advance consent to sell the data and simply notifying in advance isn't enough.

If the child is aged 13 to 16 you need their consent. If they are under 13, you need a parent or guardian's consent.

Combining Required Notifications Under the CCPA

You may feel it would be easier for you and consumers if you combined the various pieces of information the CCPA requires you to provide.

The first thing to understand on this point is that you cannot do this with the "Do Not Sell" page. The CCPA specifically says you need a dedicated page for exercising the opt-out.

Upcoming Changes to CCPA Notifications

Upcoming Changes to CCPA Notifications

A new law, the California Privacy Rights Act (CPRA), takes legal effect on 1 January 2023. Officials plan to begin enforcing the CPRA from 1 July 2023.

For all practical purposes, the CPRA will replace the CCPA. The main effects are to narrow the number of businesses covered by the law but keep in place all the existing requirements for covered businesses and add new ones.

The new scope will be that businesses are covered in any of three cases:

  • Annual revenue above $25 million (Unchanged)
  • At least 50% of annual revenue comes from selling personal data about Californian consumers (Unchanged)
  • Buying, selling or sharing personal data about more than 100,000 California consumers or households in a 12-month period (Threshold doubled and devices no longer counted)

The main change the CPRA introduces for notifications is a new 12th category covering sensitive personal information. You need to include this whenever you list information about the existing 11 categories.

The sensitive data category covers any of the following that isn't already public knowledge:

  • A combination of financial details that could get access to an account, for example card number and online password
  • Biometric data that you process to identify someone
  • Communications between the consumer and a third party (in other words, not your business)
  • Ethnic or racial origin
  • Genetic data
  • Geolocation (but only where it is "precise")
  • Health data
  • Membership of a union
  • Numbers issued by the government such as Social Security or driver license number
  • Religious or philosophical detail
  • Sexual orientation or data about sex life

Consumers have the right to limit the way you use data in this category. If they exercise this right, you must only use this information to provide goods or services the customer requested. You can't use it for marketing.

The CPRA says you must do one of two things to allow people to exercise this new right:

  • Have a dedicated webpage and link to it from your homepage with the wording "Limit the Use of My Sensitive Personal Information"
  • Combine it with the dedicated page for opting out of data sales. In this case you must still link from the homepage, but you can use any appropriate wording. (For example "Exercise my CPRA rights" would likely be suitable.)

Summary

Let's recap what you need to know about notifications under the CCPA:

  • The CCPA applies if you handle data about California residents and meet criteria on revenue, the number of Californians whose data you collect, or the proportion of your revenue that comes from selling California consumers' data.
  • The CCPA upholds five key rights: know about data collection; know about data disclosure; object to data sales; access held data; exercise these rights without discrimination.
  • You don't need consent to collect data. You don't need consent to sell data, except with children.
  • You do need to tell people about your data practices, using 11 categories of data to organize the details.
  • When collecting data you must say which categories you are collecting. For each category, you must say how and why you are using it and whether you plan to disclose it (and who will get it).
  • You must have a Privacy Policy that lists the five CCPA rights and how to exercise them.
  • Your Privacy Policy must give a category-by-category breakdown of your data practices in the past 12 months. For each category you must say whether or not you have collected data, whether or not you sold it, and whether or not you disclosed it.

    • This breakdown could be a list or a table depending on the amount of detail involved.
  • People have the right to opt out of your data sales. You must make this right available through a dedicated web page. Your home page must link to this using the words "Do Not Sell My Personal Information."
  • You can combine the advance notification and Privacy Policy in a single document. (The opt-out page must always be separate.)

    • Combining the documents is only appropriate where your plans for the data you are collecting now match the way you used it in the previous 12 months.
  • A new law, the CPRA, takes effect in 2023. It adds a 12th category, sensitive information, to include in all the breakdowns of data use.
  • The CPRA also requires a dedicated page to let users exercise a new right to limit your use of sensitive information solely to providing goods and services. Your home page must link to this with the words "Limit the Use of My Personal Information." Alternatively you can combine this with the data sales opt-out page.