News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Top 5 Operational Impacts of the CCPA: Part 2 - Transparency and notice obligations Related reading: MedData data breach lawsuit settled for $7M

rss_feed

""

The California Consumer Privacy Act of 2018 (aka the CCPA) creates unprecedented obligations for companies that do business in California (the world’s fifth largest economy) or collect the personal information of California’s 40 million residents. Among other things, the CCPA guarantees Californians the rights: to know what personal information is being collected about them; to know whether their personal information is sold or disclosed and to whom; and to access their personal information. These rights create significant operational responsibilities for businesses falling into the law’s scope.

This second installment in a five-part series exploring the operational impacts of the CCPA addresses the law’s transparency and notice obligations. Part one covered the law’s scope while part three will dive deeper into businesses’ obligations to respond to consumers’ personal information access requests.

Updating the privacy notice

Click image above for a printable PDF.

The CCPA creates specific transparency obligations relating to collected and sold personal information. In particular, a business must disclose in its online privacy notice, and in any California-specific description of consumers’ privacy rights (or, if the business does not actually have a privacy notice, it still has to put the information somewhere on its web site), the following, pursuant to Sections 1798.130(a)(5)(A) and 1798.105(b):

  • A description of consumers’ rights under Section 1798.110 to request:
    • The categories of personal information the business has collected about the consumer.
    • The categories of sources from which the personal information is collected.
    • The business or commercial purpose of collecting or selling personal information.
    • The categories of third parties with whom the business shares personal information.
    • The specific pieces of personal information the business has collected about the consumer.
  • A description of consumers’ rights under Section 1798.115 to request:
    • The categories of personal information that business collected about the consumer.
    • The categories of personal information that the business sold about the consumer.
    • The categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold.
    • The categories of personal information about the consumer that the business disclosed for a business purpose.
  • A description of consumers’ rights under Section 1798.125 not to be discriminated against for exercising any the CCPA rights.
  • One or more designated means for consumers to submit requests, including (at minimum) a toll-free number.
  • The right to deletion of personal information.

Section 1798.130(a)(5)(A) does not make it clear whether businesses that collect but do not sell consumers’ personal information must nonetheless include a description of consumers’ rights vis-à-vis sellers of personal information. Absent guidance on the matter from the California Attorney General, non-sellers updating their privacy policies should likely err on the side of inclusion.

Collectors of personal information

The CCPA defines “collectors” and “sellers” of consumers’ personal information in Sections 1798.140(e) and (t)(1). While not all “collectors” are “sellers,” a seller is most likely a collector. The CCPA applies the obligations outlined below to all businesses that collect personal information. These provisions often reference one another and can occasionally be written in a confusing or contradictory fashion; we’ve tried to break down what the statute requires, with the understanding that any or all provisions referenced may be subject to amendment or clarification before January 1, 2020. 

Section 1798.100(b) requires a business that collects a consumer’s information to, “at or before the point of collection”:

  • Inform consumers of the categories of personal information to be collected.
  • Inform consumers of the purposes for which the categories of personal information shall be used.
  • Provide notice of the collection of any additional categories of information or use of collected information for any additional purposes taking place after initial disclosures have been made.

Section 1798.105(b) requires any business collecting personal information about consumers to “disclose … the consumer’s rights to request deletion of the consumer’s personal information.” Operationally, businesses should make sure that disclosures of this right to request deletion also include its limitations, set forth in Section 1798.105(d). Those limitations consist of nine enumerated exemptions.

Section 1798.110(c) requires, “pursuant to Section 1798.130(a)(5)(B),” that a business that collects personal information about a consumer disclose:

  • The categories of personal information it has collected about the consumer.
  • The categories of sources from which the personal information is collected.
  • The business or commercial purpose of collecting or selling personal information.
  • The categories of third parties with whom the business shares personal information.
  • The specific pieces of personal information the business has collected about the consumer.

Section 1798.110(c) is identical to Section 1798.110(a), which describes consumers’ right to request information, with the addition of a reference to Section 1798.130(a)(5)(B), which clarifies that “the list of categories of personal information” that must be disclosed means categories of personal information collected by the business about consumers in the preceding 12 months, “by reference to the enumerated category or categories in subdivision (c) of Section 1798.130 that most closely describe the personal information collected.” Section 1798.130(c) likely refers to Section 1798.140’s definition of personal information, which includes 11 enumerated subcategories.

Categories of personal information will be discussed further in part three of this series.

All disclosures must be “in a form that is reasonably accessible to consumers” and updated “at least once every 12 months.” The use of the word “and” in Section 1798.130(a) may require identical disclosures in multiple written policies. Aside from the specific disclosures discussed above that must be included in a business’ online privacy policy or California-specific description of rights, the statute is silent on the specifics of how disclosures must take place.

Transfers to third parties

Some businesses, in addition to acquiring information from or about consumers, also transmit that information onward. Businesses that sell personal information about consumers or disclose it “for a business purpose” are a subcategory of businesses that collect personal information and have additional disclosure obligations. Per Section 1798.115(c) and Section 1798.130(a)(5)(C) these businesses must release two specific lists:

  • The category or categories of personal information sold in the last 12 months, or if information has not been sold in the preceding 12 months, that fact.
  • The category or categories of personal information disclosed for a business purpose in the last 12 months, or if no such disclosure has occurred in the preceding 12 months, that fact.

Businesses that sell consumer information to third parties are further obligated, per Section 1798.120(b), to disclose that:

  • Consumer information may be sold.
  • Consumers have the right to opt out of the sale of their personal information.

Section 1798.135 adds that businesses who sell personal information must disclose the above information in a form readily accessible to consumers, and:

  • Provide a “clear and conspicuous” link on the business’ homepage, titled “Do Not Sell My Personal Information.”
  • Not require the creation of an account in order to direct a business not to sell a consumer’s personal information.
  • Include a description of a consumer’s rights under Section 1798.120, and a separate link to the “Do Not Sell My Personal Information” page, in:
    • Its online privacy policy or policies, if the business maintains them.
    • Any California-specific description of consumer privacy rights.

As mentioned above, businesses that sell personal information will need to comply with the obligations of those that collect personal information as well.

Ambiguities in the Law

Section 1798.110(c)(5) will likely need to be amended for clarity. As written, the CCPA requires businesses that collect personal information to disclose “the specific pieces of personal information the business has collected about that consumer.” This disclosure obligation is separate from the obligation to respond to a verified request for from a consumer exercising their rights under Section 1798.110(a) and (b) and seems to require any business collecting personal information to proactively disclose granular information essentially identical to what can be obtained through the “right to request.” How this could be done on an individual basis is unclear.

Takeaways

Identifying what personal information a business has, where it comes from, where it is stored, and where it is transferred are the first steps in complying with the CCPA’s notice and transparency requirements. Without good data mapping and inventory, no business can hope to accurately make the category-centric disclosures emphasized by the statute, let alone comply with verified requests from consumers for specific pieces of personal information.

As both collectors and sellers of personal information are required to disclose the categories of information collected, based on the enumerated list located in Section 1798.140, all businesses covered by the CCPA should pay careful attention to any regulations ultimately adopted by the California Attorney General’s office under Section 1798.185(a)(1). The AG must “solicit broad public participation” on or before January 1, 2020, to adopt regulations that, among other things, will “[update] as needed additional categories of personal information to those enumerated” in Section 1798.130(c) and Section 1798.140(o) “in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.”

Businesses that sell or “transfer for a business purpose” should quickly ensure they have a complete inventory of all parties receiving their data. Businesses that do not sell data for cash but do transfer it to third parties may yet qualify as sellers; they should pay careful attention to the requirements that attach to “business purpose” transfers, including the duty to inform consumers when such transfers have not taken place.

Only after completing thorough data mapping and inventory should businesses begin updating privacy policies, California-specific rights pages, and putting in place (if necessary) “Do Not Sell My Information” apparatus.

Photo credit: Makaristos [Public domain], from Wikimedia Commons

Author
Headshot Lee Matheson, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP IAPP Member Contributor
Tags
U.S.
Privacy Law
Privacy Operations Management
1 Comment

If you want to comment on this post, you need to login.

  • comment Marc Schultz • Aug 10, 2018 
    Nice summary in this evolving dynamic.  There is a lot of interest comparing the work done under GDPR as we prepare for CaCPA.  Developing a single set of documentation, especially as it relates to the appropriate level of granularity will be key in sustaining compliance programs.
Related Stories
MedData data breach lawsuit settled for $7M
The HIPAA Journal reports cycle management firm MedData agreed to pay USD7 million to settle a class-action lawsuit related to a data breach. The lawsuit involved an incident where the data of 136,000 people was exposed after an employee allegedly uploaded the information to a public-facing website....
Read More queue Save This
European Commission issues guidance on Data Act
The European Commission published an overview of the Data Act. The law raises rules on who can access and use data generated in the EU across all economic sectors while establishing the conditions upon which public sector entities can obtain request data from businesses "where there is an exceptiona...
Read More queue Save This
Related Stories
Tags
U.S.
Privacy Law
Privacy Operations Management
Recent Comments