Consumer rights

California Privacy Law Data Collection Disclosures: Online and Disabled

California regulates consumer privacy through the California Consumer Privacy Act (CCPA), extensive legislation reminiscent of the European Union’s General Data Protection Regulations (GDPR). The ACCP imposes on Covered Companies an obligation to (1) inform consumers of the personal data it collects, how the data is used or shared and whether the data is sold, and (2) to set out the rights that consumers have with regard to the data collected from them.

Notice applicable to personal data collection methods

In particular, the CCAC applies not only to online data collection but also to collection on mobile, offline through the use of forms or the exchange of documents, by phone or in person. Cal. Reg. Tit. 11, § 999.305 (a) (3).

A business that collects personal information from a consumer must provide such notice at the time of collection in accordance with the CCPA and regulations promulgated in accordance with the law. Cal. Reg. Tit. 11, § 999.304 (b). This means that the privacy notice must be readily available where consumers will encounter it at or before the collection of their personal information. If a business collects personal data from a consumer in person but their privacy notice is published only on the business’s website, this is unlikely to be considered sufficient notice at the time of collection.

Enforcement measures

Recent enforcement measures issued by the California Attorney General (CA AG) illustrate this point and remind businesses of the importance of educating consumers about their privacy policies not only online but also offline. Specifically, the AG reports that she has taken enforcement action against an auto company that has collected information from consumers who test vehicles at the company. Although the company has a written privacy policy, they did not provide a notice upon collection. CA AG has notified the company of an alleged non-compliance, and the company has implemented a notice when collecting personal information received in connection with test drives, whether collected online or in person.

Examples of timely notices

CCPA regulations (Cal. Code Regs. Tit. 11, § 999.305 (a) (3)) provide illustrative examples of how timely notice can be given to consumers:

  • Online collection – A business can publish a visible link to the notice on the introduction page of the company website and on all web pages where personal information is collected.

  • Mobile app – A business can provide a link to the review on the mobile app’s download page and in the app, for example through the app settings menu.

  • Offline Collection – A business can provide a printed version of the privacy notice or post prominent signage direct consumers to a review that can be found online.

  • Collection by phone or in person – A business can verbally provide its privacy notice.

© 2021 Wilson ElserRevue nationale de droit, volume XI, number 257

Leave a Reply

Your email address will not be published.