This is the Data Protection Report’s fourth blog posts in a series of CCPA blog posts that will break down the major elements of the CCPA, which will culminate in a webinar on the CCPA in October. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.

The California Consumer Privacy Act (the “CCPA” or “Act”) includes significant and new disclosure requirements for businesses that collect and or sell or disclose California residents’ personal information. Below we have outlined: (1) disclosures businesses must make in their privacy policy; (2) disclosures businesses must make upon receipt of a “verifiable consumer request”; and (3) Norton Rose Fulbright’s takeaways.

Privacy policy disclosures

Upon the CCPA taking effect, a business’s privacy policy must affirmatively inform consumers of the categories of personal information collected about the consumer, the sources from which that information is collected, the commercial or business purpose for which the personal information is  collected, the categories of third parties the information will be shared with, and specific pieces of personal information collected about the consumer.  In addition, businesses must provide consumers with a description of their rights. Businesses should be cognizant that the Act specifically prohibits businesses from collecting additional categories of personal information and then using those new categories for purposes other than as disclosed.