CCPA Privacy FAQs: Does the CCPA require that a business provide its privacy notice “at or before” the point at which information is collected?

November 12, 2019

No.

A privacy policy typically discloses the following information to the public:

  • The categories of information collected from a data subject directly and from third parties about a data subject,
  • The purpose for which information is collected and used,
  • The extent to which the business tracks or monitors data subjects,
  • The extent to which the business shares the data subject’s information with third parties,
  • The standard by which the business protects the information from unauthorized access,
  • The ability (if any) of a data subject to request access to their information,
  • The ability (if any) of a data subject to request the deletion of their information,
  • The ability (if any) of a data subject to request the rectification of inaccurate information, and
  • The process by which a business will inform data subjects about changes in its privacy practices.

While section 1798.100(b) of the CCPA requires that a business that collects a consumer’s personal information disclose the first two categories of information “at or before the point of collection,” it does not require that all of the information typically contained in a privacy notice be disclosed at that time.  As a result, if a business discloses the categories of information collected and the purpose of the collection to a consumer orally, contextually, or in a summary form at or before the point of collection, the CCPA does not mandate that the entirety of the privacy notice be provided to the consumer.  It is worth noting that to the extent that a business collects personal information about California residents online, a separate law – the California Online Privacy Protection Act – may require that the business’s full privacy notice be posted online.1

For more information and resources about the CCPA visit http://www.CCPA-info.com. 


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. Cal. Bus. & Prof. Code § 22575(a).

This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.