Overview:
A business that collects a consumer's personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.
Action Items:
1) Review existing privacy notices and verify that they meet each of the new requirements of the CCPA.
2) Identify instances in which you may be collecting information about Californians and do not currently have a privacy notice. In such situations, draft a privacy notice that conforms with both the CCPA and with other privacy laws that may apply (e.g. the GDPR).
3) Review existing methods for submitting access requests to your organization to verify they comply with the CCPA.
4) Draft a "play book" that provides standard communications that can be sent to individuals that make access requests, and standard formats for reporting personal information.
5) Create and make available to consumers the following Submission Options: The Business must make available to Consumers two or more designated methods for submitting requests, including, at a minimum, a toll-free telephone number, and if the Business maintains a website, a website address.
6) Establish a means to determine whether a request is a proper Verifiable Consumer Request (VCR). A "Verifiable Consumer Request" means a request where a Business can verify that the Consumer making the request is the Consumer about whom the business has collected Personal Information, or is a person authorized by the Consumer to act on such Consumer's behalf. The attorney general will need to promulgate guidance on what constitutes a VCR, although the Act suggests that a Business can deem a request from a Consumer who is already logged into a service to be verified.
7) Create a process to readily access the specific Personal Information the Business has about each Consumer. This includes knowing what Personal Information is held and what "category" it falls into; where it is stored; and having the ability to extract it.
8) Create a tracking system that records each access request and how it was handled, so that compliance can be demonstrated.
Related Documents:
1) Privacy Notice
2) Evidence that consumers can submit a Verifiable Consumer Request (VCR), pursuant to request submission requirements
3) Sample of a VCR submitted by a consumer to ensure it captures all relevant data
Additional Guidance:
Whether or not information has been "collected" triggers a number of CCPA requirements. Here the CCPA adopts a broad definition.
Collection of Personal Information
Collection is defined as "buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a Consumer by any means." Collecting also includes receiving information from a Consumer "either actively or passively, or by observing the consumer's behavior."
Sale of Personal Information
A "sale" of Personal Information under the CCPA is defined broadly to include the "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means" the Personal Information of a Consumer to another business or third party "for monetary or other valuable consideration."
This broad definition suggests that if Personal Information is provided as part of a larger business relationship, a "sale" may have occurred even if no amounts are paid directly for the data itself. In addition, a website may be "selling" Personal Information by passing such information to third-party ad networks through cookies.
Exceptions
The CCPA outlines certain exceptions to what would be deemed a sale, including when:
1) A Consumer uses or directs the Business to intentionally disclose Personal Information to a third party. An "intentional" interaction occurs when the Consumer intends to interact with the third party via one or more deliberate actions. Hovering over a piece of content or closing it does not qualify as a "deliberate action".
2) A Business shares a Consumer identifier to alert a third party of a Consumer's opt-out decision.
3) Personal Information is shared with a third party to perform a "business purpose" (explained below) and: the Business has provided notice of this sharing and the opt-out right; and the third party does not further collect, sell or use the Personal Information except as necessary to perform the business purpose.
4) The Personal Information is an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the Business, provided the Business complies with the CCPA disclosure requirements relating to the disclosure of information collected or sold (discussed below). If the acquirer plans to alter how it will use or share the Personal Information in a manner materially inconsistent with the promises made at the time of collection, it must provide prior notice of the new practices to the Consumer and include a "prominent and robust" notice so the Consumer can opt out. Note that the CCPA also warns Businesses that material, retroactive privacy policy changes must not violate California's Unfair Competition Law — a statement apparently designed to address Businesses that want to make significant changes to a privacy policy in light of an impending deal.
Privacy Notices
A privacy notice (sometimes referred to as a privacy policy or an information notice) is a document provided by a company to data subjects that includes, among other things, a description of what types of personal data the company collects, how the company uses that data, with whom the company shares the data, and how the company protects the data. The CCPA requires that a business provide information about its privacy practices to those Californians about whom it has collected personal information. The privacy notice should typically be given "at or before the point of collection" of the information.
Article ID: 98
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/ccpa-inform-consumers-of-categories-and-purpose-of-collection-100-b-98.html