California regulates consumer privacy through the California Consumer Privacy Act (CCPA), extensive legislation reminiscent of the European Union’s General Data Protection Regulations (GDPR). The ACCP imposes on Covered Companies an obligation to (1) inform consumers of the personal data it collects, how the data is used or shared and whether the data is sold, and (2) to set out the rights that consumers have with regard to the data collected from them.
Notice applicable to personal data collection methods
In particular, the CCAC applies not only to online data collection but also to collection on mobile, offline through the use of forms or the exchange of documents, by phone or in person. Cal. Reg. Tit. 11, Â§ 999.305 (a) (3).
A business that collects personal information from a consumer must provide such notice at the time of collection in accordance with the CCPA and regulations promulgated in accordance with the law. Cal. Reg. Tit. 11, Â§ 999.304 (b). This means that the privacy notice must be readily available where consumers will encounter it at or before the collection of their personal information. If a business collects personal data from a consumer in person but their privacy notice is published only on the business’s website, this is unlikely to be considered sufficient notice at the time of collection.
Examples of timely notices
CCPA regulations (Cal. Code Regs. Tit. 11, Â§ 999.305 (a) (3)) provide illustrative examples of how timely notice can be given to consumers:
Online collection – A business can publish a visible link to the notice on the introduction page of the company website and on all web pages where personal information is collected.
Mobile app – A business can provide a link to the review on the mobile app’s download page and in the app, for example through the app settings menu.
Offline Collection – A business can provide a printed version of the privacy notice or post prominent signage direct consumers to a review that can be found online.
Collection by phone or in person – A business can verbally provide its privacy notice.
Â© 2021 Wilson ElserRevue nationale de droit, volume XI, number 257