Data Protection Report - Norton Rose Fulbright

This is the Data Protection Report’s fourth blog posts in a series of CCPA blog posts that will break down the major elements of the CCPA, which will culminate in a webinar on the CCPA in October. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.

The California Consumer Privacy Act (the “CCPA” or “Act”) includes significant and new disclosure requirements for businesses that collect and or sell or disclose California residents’ personal information. Below we have outlined: (1) disclosures businesses must make in their privacy policy; (2) disclosures businesses must make upon receipt of a “verifiable consumer request”; and (3) Norton Rose Fulbright’s takeaways.

Privacy policy disclosures

Upon the CCPA taking effect, a business’s privacy policy must affirmatively inform consumers of the categories of personal information collected about the consumer, the sources from which that information is collected, the commercial or business purpose for which the personal information is  collected, the categories of third parties the information will be shared with, and specific pieces of personal information collected about the consumer.  In addition, businesses must provide consumers with a description of their rights. Businesses should be cognizant that the Act specifically prohibits businesses from collecting additional categories of personal information and then using those new categories for purposes other than as disclosed.

In addition, if a business sells or discloses a consumer’s personal information to third parties, the business’s privacy policy must disclose the category or categories of consumer personal information the entity has sold and/ or disclosed to a third party for business purposes during the preceding 12 months, as well as the categories of third parties to whom the personal information was sold.  Moreover, the business must also include a clause in its privacy policy notifying consumers of their right to opt out of having their personal information sold and/ or disclosed to third parties. Alternatively, if the business has not sold or disclosed consumers’ personal information to a third party in the preceding 12 months, the privacy policy must reflect this fact.

Disclosures required after receipt of a verifiable consumer request

Businesses that sell or disclose personal information for business purposes must disclose certain information to consumers upon receipt of a “verifiable consumer request.” Specifically, upon receiving a “verifiable consumer request,” a business must disclose the following related to the preceding 12 months:

  • the categories of personal information the business has collected about the consumer;
  • the categories of sources from which that information about the consumer was collected;
  • the business/ commercial purpose for collecting or selling the consumer’s personal information;
  • the categories of third parties with whom the business shares personal information; and
  • the specific pieces of personal information the business has collected about that consumer.


Companies that do business with California residents will need to review their privacy policy and update their policy to meet the new disclosure requirements. In addition, companies will need to ensure they have robust data mapping policies and procedures in place in order to guarantee the disclosures made in their privacy policy are correct, as well as to respond to consumer requests for information. Strong data mapping capabilities allow companies to understand what consumer information is being collected and to which third parties (if any) the company is disclosing information.

Look out for our next blog article which will address the CCPA’s consumer access and portability rights.

*** In case you missed it, the California State Legislature passed SB-1121 which amends the CCPA. The amendments are now awaiting signature from the California governor. We will provide more detailed coverage on these amendments in a future blog article.

Our other CCPA articles

Article 1: Summary of CCPA’s major provisions

Article 2: CCPA covered entities

Article 3: CCPA definition of personal information

Article 4: CCPA disclosure requirements

Article 5: CCPA “Right to Deletion”

Article 6: California Attorney General’s Office begins CCPA rulemaking process with first public hearing while Congress debates new federal privacy law

Article 7: Comments at CCPA public forum in Los Angeles highlight tensions between businesses and consumer rights groups

Article 8: GDPR, CCPA and beyond: Changes in data privacy laws and enforcement risks to monitor in 2019

Article 9: CCPA: “Attorney General Amendment” Likely Dead

Article 10: Nevada, New York and other states follow California’s CCPA

Article 11: “What’s cooking” in Sacramento: CCPA’s “employee exception” bill is amended; “publicly available information” exception is broadened, and consumer access rights are clarified

Article 12: Back At The Negotiating Table: CCPA Amendments Debate Continues

Article 13: One-Month Countdown to Pass CCPA Amendments Begins

Article 14: CCPA: “Wait and see” is not the right approach

Article 15: And then there were five: CCPA amendments pass legislature

Article 16: Mic Drop: California AG releases long-awaited CCPA Rulemaking

Article 17: California Governor Signs All 5 CCPA Amendments

Article 18: Here We Go Again: Another Ballot Initiative for CCPA in 2020

Article 19: Privacy Officers’ New Year’s Resolutions

Article 20: State of the Untion: CCPA and beyond in 2020