California and European Privacy FAQs: If a company is required to provide a privacy notice, how soon must it be provided?

March 13, 2019

The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding its requirements, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. If a company is required to provide a privacy notice, how soon must it be provided?

There are various United States federal and state laws that require companies to provide privacy notices. While each of those statutes differs in terms of how fast the notice must be provided, most require that the notice be provided at the time that information is collected from a data subject (in situations in which a business collects information directly from an individual), or at the time that a business establishes a relationship with an individual.[1] In other statutes, the requirement to provide a privacy notice is triggered once the business anticipates making certain uses or disclosures of the individual’s information. For example, under the Gramm Leach Bliley Act (“GLBA”) a financial institution is not required to provide a privacy notice to a consumer (i.e., someone with whom the financial institution does not have a customer relationship), unless the institution anticipates disclosing the individual’s information to a nonaffiliated third party. In such a situation, the privacy notice must be provided “before” the disclosure occurs.[2]

In the context of the California CCPA, a business is required to disclose certain privacy practices “at or before the point of [the information’s] collection.”[3] It is inherently ambiguous whether this provision applies only to situations in which information is collected directly from a data subject, or whether it also applies to situations in which a business obtains information about a data subject from a third party.

In comparison to United States law, under the European GDPR, if a company collects information directly from an individual and is required to provide that individual with a privacy notice, the notice should be provided “at the time when personal data [is] obtained.”[4] If a company collects information from a third party source (e.g., a public source or from a data broker) and is required to provide an individual with a privacy notice, it should provide the notice at the earliest of the following three situations:

  1. When the company first communicates with the data subject,
  2. When the company transfers the individual’s information to a third party, or
  3. Within one month of having obtained the information.[5]

1. See, e.g., 16 CFR 313.4(a)(1) (requiring that financial institutions subject to GLBA provide privacy notices typically “not later than when you establish a customer relationship”).

2. 16 CFR 313.4(a)(2).

3. CCPA, Section 1798.100(b).

4. GDPR, Art. 13(1), (2).

5. GDPR, Art. 14(3).