Data Protection Report - Norton Rose Fulbright

This is the fourth post in the Data Protection Report’s series breaking down the major elements of the CCPA, which will culminate in a webinar on the CCPA in October. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.

The California Consumer Privacy Act (the “CCPA” or “Act”) includes significant and new disclosure requirements for businesses that collect and/or sell or disclose California residents’ personal information. Below we have outlined: (1) disclosures businesses must make in their privacy policy; (2) disclosures businesses must make upon receipt of a “verifiable consumer request”; and (3) Norton Rose Fulbright’s takeaways.

Privacy policy disclosures

Upon the CCPA taking effect, a business’s privacy policy must affirmatively inform consumers of the categories of personal information collected about the consumer, the sources from which that information is collected, the commercial or business purpose for which the personal information is collected, the categories of third parties the information will be shared with, and specific pieces of personal information collected about the consumer. In addition, businesses must provide consumers with a description of their rights. Businesses should be cognizant that the Act specifically prohibits businesses from collecting additional categories of personal information and then using those new categories for purposes other than as disclosed.

In addition, if a business sells or discloses a consumer’s personal information to third parties, the business’s privacy policy must disclose the category or categories of consumer personal information the entity has sold and/or disclosed to a third party for business purposes during the preceding 12 months, as well as the categories of third parties to whom the personal information was sold. Moreover, the business must also include a clause in its privacy policy notifying consumers of their right to opt out of having their personal information sold and/or disclosed to third parties. Alternatively, if the business has not sold or disclosed consumers’ personal information to a third party in the preceding 12 months, the privacy policy must reflect this fact.

Disclosures required after receipt of a verifiable consumer request

Businesses that sell or disclose personal information for business purposes must disclose certain information to consumers upon receipt of a “verifiable consumer request.” Specifically, upon receiving a “verifiable consumer request,” a business must disclose the following related to the preceding 12 months:

  • the categories of personal information the business has collected about the consumer;
  • the categories of sources from which that information about the consumer was collected;
  • the business/commercial purpose for collecting or selling the consumer’s personal information;
  • the categories of third parties with whom the business shares personal information; and
  • the specific pieces of personal information the business has collected about that consumer.

Takeaways

Companies that do business with California residents will need to review their privacy policy and update their policy to meet the new disclosure requirements. In addition, companies will need to ensure they have robust data mapping policies and procedures in place in order to guarantee the disclosures made in their privacy policy are correct, as well as to respond to consumer requests for information. Strong data mapping capabilities allow companies to understand what consumer information is being collected and to which third parties (if any) the company is disclosing information.

Look out for our next blog article which will address the CCPA’s consumer access and portability rights.

*** In case you missed it, the California State Legislature passed SB-1121 which amends the CCPA. The amendments are now awaiting signature from the California governor. We will provide more detailed coverage on these amendments in a future blog article.

Links to our previous blog articles:

Article #1: Summary of CCPA’s Major Provisions

Article #2: CCPA Covered Entities

Article #3: CCPA Definition of Personal Information