On January 1, 2020, many companies will inform consumers about updates to their privacy notices – agreements between companies and their consumers about how personal information is processed – in accordance with a requirement under the California Consumer Privacy Act (“CCPA”).
Why this Matters
Privacy Notices Under the CCPA
While the CCPA will only apply to companies that meet certain requirements – which still, by some estimates, will be more than 500,000 – numerous other states including Washington, Oregon, Colorado, Nevada, and Texas, are close to enacting or seriously considering similar legislation. Companies should therefore consider implementing CCPA-like changes to their notices or become familiar with its requirements even if they do not think the CCPA applies. Indeed, last month Microsoft announced that it “will extend CCPA’s core rights for people to control their data to all our customers in the U.S.”
For those companies to which the CCPA undoubtedly applies, the list of things a privacy notice must include is extensive. For brevity, these are the mainstays:
- A description of consumers’ rights under the CCPA including the right to request a companies’ data collection and sales practices.
- Categories of personal information collected, sold or disclosed for a business purpose, and the source for each category, in the preceding 12 months.
- Deletion request instructions and information on how consumers can request that personal information not be sold to third parties.
- An explanation that consumers have the right to not be discriminated against for exercising rights under the CCPA.
Cal. Civ. Code § 1798.130(a)(5).
As further requirements, on October 15 the California Attorney General issued proposed regulations for the CCPA stating that privacy notices must also:
- Use plain, straightforward language and avoid technical or legal jargon.
- Use a format that makes the notice readable, including on smaller screens, if applicable.
- Be available in a format that allows a consumer to print it out as a separate document.
- Be visible or accessible where consumers will see it before any personal information is collected.
When asked yesterday how he will handle enforcement of the CCPA, California Attorney General Xavier Becerra said “we will look kindly on those that … demonstrate an effort to comply.” Becerra went on to explain, however, that if companies “are not [operating properly] … I will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.”
There is still uncertainty around the meaning of some CCPA requirements. After all, it is the first comprehensive law of its kind in the U.S. But privacy notices should be easy to implement and if a company covered by the CCPA has done so by January 1, 2020, it will have at least embarked on the “effort to comply” that the attorney general was referring to.
If you have questions about the CCPA and its application to your company and its privacy notice, please reach out to one of our Global Privacy & Security Blog authors.
 Kevin Litman-Navarro, N.Y. Times: The Privacy Project, https://www.nytimes.com/interactive/2019/06/12/opinion/facebook-google-privacy-policies.html (last visited Dec. 9, 2019).
 Internet Society, Building Trust (Sept. 16, 2019), https://www.internetsociety.org/resources/ota/2019/are-organizations-ready-for-new-privacy-regulations/.
 See Hunter Ferguson and Romaine C. Marshall, Stoel Rives LLP, “CCPA is Coming – Is Your Business Prepared for the Data Requests & Lawsuits?” (Apr. 29, 2019), https://www.stoel.com/legal-insights/legal-updates/ccpa-is-coming (explaining who is covered by the CCPA).
 Julie Brill, Microsoft On the Issues, “Microsoft will honor California’s new privacy rights throughout the United States” (Nov. 11, 2019), https://blogs.microsoft.com/on-the-issues/2019/11/11/microsoft-california-privacy-rights/.
 California Legislative Information, Cal. Civil Code § 1798.130, https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.130.
 California Department of Justice, California Consumer Privacy Act (https://www.oag.ca.gov/privacy/ccpa), Text of Proposed Regulations, pdf: https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-proposed-regs.pdf (last visited Dec. 9, 2019).