View CCPA Act

Notices to Consumers

The Statute

The Statute contemplates that the California Attorney General will issue rules regarding the contents of notices to consumers, as well as their time of delivery, place, and manner. Section 1798.185 states, in pertinent part, that

(a) On or before July 1, 2020, the Attorney General shall solicit broad public participation and adopt regulations to further the purposes of this title, including, but not limited to, the following areas:

*

*

*

(6) Establishing rules, procedures, and any exceptions necessary to ensure that the notices and information that businesses are required to provide pursuant to this title are provided in a manner that may be easily understood by the average consumer, are accessible to consumers with disabilities, and are available in the language primarily used to interact with the consumer, including establishing rules and guidelines regarding financial incentive offerings, within one year of passage of this title and as needed thereafter. [emphasis added]

The Regulation

Article 2 of the Regulations addresses the providing of notices to consumers with respect to the use of their personal information. Section 999.305(a)(1) states that “[t]he purpose of the notice at collection is to provide consumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them and the purposes for which the personal information will be used.” Noteworthy about this notice requirement is the “plain English” mandate of §305(a)(2), which is part of a larger “user friendliness” theme of that section.

A business’s use of personal information is circumscribed by the notice. In particular:

  • A business shall not use a consumer’s personal information for a purpose materially different than those disclosed in the notice at collection. If the business does wish to do so, it must go back to the consumer and obtain explicit consent for this new use. 1
  • A business shall not collect categories of personal information other than those disclosed in the notice at collection. If the business intends to collect additional categories of personal information, the business shall provide a new notice at collection. 2
  • If a business does not give the notice at collection to the consumer at or before the point of collection of their personal information, the business shall not collect personal information from the consumer. 3

Contents of the notice include the following: 4

  • A list of the categories of personal information about consumers to be collected.
  • For each category of personal information, the business or commercial purpose(s) for which it the categories of personal information will be used.
  • If the business sells personal information, the link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info” (required by §999.315(a)), or in the case of offline notices, the web address for where the webpage to which it links can be found online.
  • A link to the business’s privacy policy, or in the case of offline notices, the web address of the where the business’s privacy policy can be found online.

There are special rules for mobile devices [emphasis added]:

  • The business may provide a link to the notice on the mobile application’s download page and within the application. 5
  • When a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, it shall provide a just-in-time notice (such as through a pop-up window) containing a summary of the categories of personal information being collected and a link to the full notice at collection. 6
  • A business shall post the notice of right to opt-out on the…the download or landing page of a mobile application. 7
  • The privacy policy shall be posted online through a conspicuous link using the word “privacy,”…on the download or landing page of a mobile application. …A mobile application may include a link to the privacy policy in the application’s settings menu. 8
  • A business shall provide two or more designated methods for submitting requests to opt-out, including an interactive webform accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information,” or “Do Not Sell My Info,” on the…mobile application. 9

1. CCPA Regulations §999.305(a)(5).
2. CCPA Regulations §999.305(a)(6).
3. Id.
4. CCPA Regulations §999.305(b)(1-4).
5. CCPA Regulations §999.305(b)(3).
6. CCPA Regulations §999.305(b)(4).
7. CCPA Regulations §999.306(b)(1).
8. CCPA Regulations §999.308(b).
9. CCPA Regulations §999.315(a).

Ready to get started?

Schedule a personalized demo with one of our data security experts to see Spirion data protection solutions in action.

Watch demo now
Discover, protect and comply.

Protect sensitive information with a solution that is customizable to your organizational needs. When your job is to protect sensitive data, you need the flexibility to choose solutions that support your security and privacy initiatives.

Governance Suite →

Industry Solutions

Not knowing where sensitive client financial data resides and failing to take the right security precautions can be a costly mistake for your organization. Find out how Data privacy is treated in your sector.

Read more →