The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding its requirements, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation ("GDPR").
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Most United States federal data privacy laws apply to specific sectors (e.g., financial institutions, health care providers, or educational institutions). As a result, companies that do not operate within those arenas are not required to provide privacy notices under federal law. Furthermore, even if a company is regulated by one of the federal privacy statutes, those statutes do not require that the company provide a privacy notice to every individual from whom it collected information. For example, the Gramm-Leach-Bliley Act ("GLBA") only requires a bank to provide a privacy notice to its "customers" and, in some limited situations, to "consumers." The GLBA defines customers as individuals who have a continuing relationship with the financial institution under which the institution provides a product or service. As a result, under GLBA, if an individual were to obtain a loan from a bank, the bank would be required to provide a privacy notice. If an individual were, instead, to join the bank's mailing list or to apply for a job with the bank, GLBA would not require a privacy notice.
Most United States state data privacy laws are triggered by the collection of specific types of personal information (e.g., Social Security Numbers) or by the collection of personal information through specific mediums (e.g., online collection of personal information). So, for example, if an individual were to sign up online to join a company's mailing list, some states would require that the company issue a privacy notice; conversely, if the same individual were to sign up on paper to join the mailing list, the requirement to distribute a privacy notice would not be triggered.
Unlike other United States privacy laws, the CCPA requires that any company subject to its jurisdictional scope "that collects a consumer's personal information shall, at or before the point of collection" disclose information concerning its privacy practices.[1] The CCPA contains no express exceptions to this rule.
In comparison, while the European GDPR requires that a company provide a privacy notice when it collects information from an individual, that requirement does not apply if a "data subject already has the information."[2] It is worth noting that some European Union Member State data protection authorities suggest that if an organization intends to rely upon this exception, it should consider "mak[ing] privacy information available if [the data subject] look[s] for it," by, for example, placing its privacy practices on its publicly accessible website.[3]
[1] CCPA, § 1798.100(b).
[2] GDPR, Article 13(4).
[3] See UK ICO, "When Should You Actively Communicate Privacy Information," available at https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/when-should-you-actively-communicate-privacy-information/ (last viewed Feb. 10, 2018).