The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding its requirements, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation ("GDPR").
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
There are a number of federal and state laws within the United States that require a company to provide people with a notice concerning the company's privacy practices. Within some of those laws, like GLBA, the requirement that a privacy notice be provided is triggered by the creation of a relationship between the consumer and the regulated entity.[1] Within other laws, like COPPA, the requirement is triggered by the act of the company collecting personal information from the data subject.[2] Historically, most United States privacy laws did not require a company that collected personal data about a person only from third parties (e.g., a data broker) to provide data subjects with a privacy notice.
The CCPA was put together quickly (in approximately one week) as a political compromise to address a proposed privacy ballot initiative that contained a number of problematic provisions.[3] Given its hasty drafting, there are a number of areas in which the Act is ambiguous, whether intentionally or unintentionally. Whether the Act requires a business to provide privacy notices to consumers when the business collects information from third parties is one of those areas. Specifically, the Act states that a business should "at or before the point of collection" provide some disclosure to consumers about the business's privacy practices.[4] What the Act does not specify is whether the "point of collection" encompasses only those situations in which the business collects information from consumers, or whether it could also refer to situations in which a business collects information from a third party (e.g., purchases a list). The latter interpretation raises a number of practical challenges, as it may be impossible to provide a consumer with a privacy notice at the point at which the company obtains the information if the company has not obtained the consumer's contact information.
In comparison, the European GDPR generally requires that a privacy notice be given to a consumer regardless of whether the personal information was collected from the consumer directly or from a third party. Specifically, in situations in which a controller acquires a data subject's information from a third party, the GDPR requires the controller to provide a privacy notice to the data subject within one month of the information's receipt.[5] It should be noted that the GDPR also identifies at least five exceptions where a controller is not required to provide a privacy notice. Specifically, a notice is not required when:
1. 16 CFR 313.4(a)(1) (stating that the privacy notice must be provided "not later than when you establish a customer relationship").
2. 16 CFR 312.4(a).
3. For more on the history of the CCPA, you can find a timeline that illustrates its history and development on page 2 of BCLP’s Practical Guide to the CCPA.
4. CCPA, § 1798.100(b).
5. GDPR, Article 14(3)(a).
6. GDPR, Article 14(5)(a).
7. GDPR, Article 14(5)(b).
8. GDPR, Article 14(5)(b).
9. GDPR, Article 14(5)(b).
10. GDPR, Article 14(5)(c).
11. GDPR, Article 14(5)(d).