California and European Privacy FAQs: Do companies have to provide a privacy notice if they collect personal data about a person from a third party?

March 8, 2019

The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding its requirements, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation ("GDPR").

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. Do companies have to provide a privacy notice if they collect personal data about a person from a third party?

Sometimes. 

There are a number of federal and state laws within the United States that require a company to provide people with a notice concerning the company’s privacy practices.  In some of those laws, like GLBA, the requirement to provide a privacy notice is triggered by the creation of a relationship between the consumer and the regulated entity.[1]  In other laws, like COPPA, the requirement is triggered by the act of the company collecting personal information from the data subject.[2]  Historically, most United States privacy laws did not require a company that collected personal data about a person only from third parties (e.g., a data broker) to provide data subjects with a privacy notice.

The CCPA was put together quickly (in approximately one week) as a political compromise to address a proposed privacy ballot initiative that contained a number of problematic provisions.[3]  Given its hasty drafting, there are a number of areas in which the Act is, intentionally or unintentionally, ambiguous.  Whether the Act requires a business to provide privacy notices to consumers when the business collects information from third parties is one of those areas.  Specifically, the Act states that a business should “at or before the point of collection” provide some disclosure to consumers about the business’s privacy practices.[4]  What the Act does not specify is whether the “point of collection” encompasses only those situations in which the business collects information from consumers, or whether it could also refer to situations in which a business collects information from a third party (e.g., purchases a list).  The latter interpretation raises obvious practical challenges: it may be impossible to provide a consumer with a privacy notice at the point at which the company obtains the information if the company has not obtained the consumer’s contact information.

In comparison, the European GDPR generally requires that a privacy notice be given to a consumer regardless of whether the personal information was collected from the consumer directly or from a third party.  Specifically, in situations in which a controller acquires a data subject’s information from a third party, the GDPR requires the controller to provide a privacy notice to the data subject within one month of the information’s receipt.[5]  It should be noted that the GDPR also identifies at least five exceptions under which a controller is not required to provide a privacy notice.  Specifically, a notice is not required when:

  1. The data subject already knows the controller’s privacy practices.  As with situations in which a company collects information directly from a person, if a “data subject already has the information” that would be contained within a privacy notice, the company is not required to provide one.[6]
  2. Impossibility.  If providing a privacy notice is “impossible,” a company is relieved of the requirement.  That said, the GDPR requires that the company “take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.”[7]
  3. Disproportionate effort.  If providing a privacy notice “would involve a disproportionate effort,” a company is not required to provide the notice.[8]  That said, the GDPR requires that the company “take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.”[9]
  4. Collection is required by European Union law.  If a European Union Member State requires that a company collect personal data about an individual, and that requirement includes “appropriate measures to protect the data subject’s legitimate interests,” then the company is not required to also provide a privacy notice to the individual.[10]
  5. Collection cannot be disclosed pursuant to European Union law.  If a European Union Member State imposes an obligation of secrecy on a company that would prohibit the company from disclosing the fact that it collected an individual’s information, the company is not required to provide the individual with a privacy notice.[11]

1. 16 CFR 313.4(a)(1) (stating that a privacy notice must be provided “not later than when you establish a customer relationship”).

2. 16 CFR 312.4(a).

3. For more on the history of the CCPA, a timeline that illustrates its history and development appears on page 2 of BCLP’s Practical Guide to the CCPA.

4. CCPA, § 1798.100(b).

5. GDPR, Article 14(3)(a).

6. GDPR, Article 14(5)(a).

7. GDPR, Article 14(5)(b).

8. GDPR, Article 14(5)(b).

9. GDPR, Article 14(5)(b).

10. GDPR, Article 14(5)(c).

11. GDPR, Article 14(5)(d).