Proposed Regulations Under the California Consumer Privacy Act: Delivery and Content of Initial Notices and Disclosures

7 November 2019

On October 10, 2019, the California attorney general issued proposed regulations under the California Consumer Privacy Act (“CCPA”). Written comments to the proposed regulations must be submitted by no later than 5:00 p.m. on December 6, 2019.

The proposed regulations focus on the form and content of required notices and disclosures, practices for handling of consumer requests, practices for verifying the identity of the consumer making those requests, practices regarding the personal information of minors, and the offering of financial incentives or price or service differences in exchange for the sale or retention of consumers’ personal information.

This article discusses the notices and disclosures that must be made available to consumers without any specific request by consumers and, in particular, the possible or required delivery methods for this information. While we discuss certain of the content of the various notices, we do that primarily for the purpose of addressing delivery options and requirements under the proposed regulations. In addition, while the methods for delivery of the notices would sometimes depend on whether a business collects information online or operates a website, in this article we focus on those businesses that collect personal information online and operate a website because we expect that most businesses that are large enough to be subject to the CCPA also will collect information online and operate a website.

Before we delve into the delivery and content of the various notices, it might help for background purposes if we first note that a business would be required to offer two or more designated methods for consumers to submit requests for information, requests for the deletion of their personal information, and requests to opt out of the sales of personal information. For requests to opt out, one of those designated methods must include an interactive webform that is accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info” on the business’s website or mobile application (the “DNS Link”).

Under the proposed regulations, a business would be required to provide up to four different disclosures or notices to consumers without prior request by the consumer. These include a privacy policy, the notice required at or before the time of collecting consumers’ personal information (the “notice at collection”), a notice regarding financial incentives or price or service differences offered in exchange for the sale or retention of consumers’ personal information (the “incentive notice”), and a notice of consumers’ rights to opt-out of the sale of their personal information (“opt-out rights notice”).

The Privacy Policy
The CCPA privacy policy is intended to be “a comprehensive description of a business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information.” A business that operates a website would be required by the proposed regulations to post its CCPA privacy policy online through a conspicuous link using the word “privacy,” on the business’s website homepage or on the download or landing page of a mobile application.

A business that is subject to the consumer privacy rules of the Gramm-Leach-Bliley Act (“GLBA”) also is required to provide a privacy notice under the GLBA. Most businesses are likely to conclude that they must provide both a GLBA privacy notice and a CCPA privacy policy. If the business collects, processes, sells, and discloses all personal information regarding individuals pursuant to the GLBA, that business would have a nearly complete exemption from the CCPA, but it is doubtful that many businesses will qualify for this complete exemption. (We discuss the limits on the GLBA exemption in a podcast.) Moreover, if the business is subject to the CCPA with respect to some personal information of individuals, then unless the business wants to grant full CCPA rights to all individuals regardless of whether they are California residents and entitled to the CCPA protections, the business would not want to rely solely on the CCPA privacy policy. Relying solely on the CCPA privacy policy also would mean that the business would lose a GLBA compliance safe harbor that otherwise is available to a business that discloses its GLBA privacy policies using the GLBA model forms.

The Notice at Collection
The notice at collection would need to be visible or accessible where consumers will see it before any personal information is collected. If the business collects personal information online, the business may provide this notice through a conspicuous link on the business’s website homepage, on the mobile application download page, or on all pages where personal information is collected.

Under the proposed regulations, a business that collects personal information online can choose to provide the content of the notice at collection by a link to the section of its CCPA privacy policy that includes this information. As the proposed regulations are currently written, however, it is doubtful that a business could rely on this option to omit a separate and specific reference to its notice at collection on the business’s website or on its mobile application page.

As noted above, the notice at collection would need to be visible or accessible where consumers see it before any personal information is collected, and one way to do this is through a conspicuous link to the notice at collection on the business’s website or mobile application. This suggests a clearly labeled link, such as “Your Information We Collect.” A link to the entire CCPA privacy policy, even if labeled “Your Information We Collect,” also would not satisfy the requirement that the link be “to the section” of the CCPA privacy policy where the notice at collection information is provided. Accordingly, one or more generalized links to the CCPA privacy policy on the business’s website likely would not be sufficient under the proposed regulations.

If your business will not “sell” consumers’ personal information and will not offer any financial incentive or price or service difference in exchange for the retention or “sale” of consumers’ personal information, the CCPA notice obligations are relatively straightforward: include a link to your CCPA privacy policy on your website homepage or on the download or landing page of a mobile application, include a link to a webpage entitled something like “Your Information We Collect” for the notice at collection, and then either include the content of the notice at collection at that link or use the link to send the consumer directly to the appropriate section of the CCPA privacy policy.

It should be noted, however, that the CCPA defines “sell” and “sale” very broadly. A business that makes personal information available to a third party or otherwise communicates it to a third party through any means could be considered to be “selling” the information if that is done for any “valuable consideration.” “Valuable consideration” is not limited to actual payments for the personal information but might include the receipt of any benefit, however slight, arising from such sharing of information, including a benefit as basic as future business opportunities arising from the sharing of the information. One key exception is that a business would not be considered to be selling personal information if it only uses or shares the personal information with a processor or other service provider, so long as, among other things, the business and service provider enter into a written contract under which the service provider may retain, use, or disclose the personal information only for the processing, operational, or similar business purposes for which it is shared. While this is a valuable exception to the definition of “sale,” it is limited in scope, and it otherwise might be difficult for many businesses to avoid the rules applicable to sellers of personal information.

The Incentive Notice Only to Retain Information
If your business will not sell consumers’ personal information, keeping in mind the CCPA’s broad definition of “sell,” but wants to offer incentives only for the retention of personal information, providing the incentive notice itself also would be relatively simple. The incentive notice must be available online or at another physical location where consumers will see it before opting into the financial incentive or price or service difference. The incentive notice must either include specific information or, if the incentive is offered online, the business may provide a link to the section of its privacy policy that includes this information.

Notice of Opt-Out Rights and the Incentive Notice if Offering Incentives for the Sale of Personal Information
If a business wants to sell personal information, whether pursuant to an incentive program or otherwise, the disclosure obligations are more complicated. As a practical matter, many businesses might conclude that delivery of the notice of opt-out rights and of the methods for exercising these opt-out rights can be handled only through a dedicated website page or pages.

Under the proposed regulations, the notice of opt-out rights would always be provided on an internet webpage to which the consumer is directed after clicking on the DNS Link. As noted in the introduction to this article, a business would be required to offer two or more designated methods for consumers to submit requests to opt out of the sale of their personal information, and one of those designated methods would need to be an interactive webform that is accessible via this DNS Link. In other words, the DNS Link is supposed to take the consumer to the notice of opt-out rights and at least this one method of opting out.

Under the proposed regulations, the notice at collection would include this DNS Link. In addition, the privacy policy would either need to include the content of the notice of opt-out rights or this DNS Link. In theory, the website page that the consumer is directed to by clicking on the DNS Link could include the content of the notice of opt-out rights or could itself link to the appropriate page of the privacy policy for this information. While the proposed regulations do not address the question, it seems clear that a business could not link to the privacy policy for delivery of the content of the notice of opt-out rights only to have the privacy policy then link back out to the original DNS Link.

This is why businesses likely will conclude that it is necessary to have a dedicated website page or pages for delivery of the notice of opt-out rights and of the required interactive webform for submitting opt-out requests. If a business were to use the DNS Link to direct consumers to the content of the notice of opt-out rights in the privacy policy, the privacy policy also then would need to include the interactive webform. While that might be possible, it probably would be much easier — and less confusing and irritating to consumers — for the business to handle all of these opt-out issues in dedicated web pages. Here is one way that a business might approach this:

  • Use the DNS Link to deliver the required content of the notice of opt-out rights as well as the interactive webform for submitting opt-out requests.
  • Include the DNS Link in the notice at collection, which is specifically required by the proposed regulations. If the notice at collection itself provides a link to the privacy policy for the required content of the notice at collection, that section of the privacy policy would include the DNS Link.
  • The privacy policy also would include the DNS Link, rather than or in addition to providing the required content of the notice of opt-out rights. The privacy policy would not include the interactive webform for submitting opt-out requests, but it would be provided through the DNS Link from the privacy policy.

In subsequent articles, we will address some of the other thorny issues under the CCPA and its proposed regulations. We also will keep you apprised of future developments as they occur, including finalization of the currently proposed regulations and the future regulations that the California attorney general will need to propose and finalize to address the October 2019 amendments to the CCPA.

In the meantime, if you have any questions, please feel free to contact any of the K&L Gates lawyers named below.
