Last year towards the end of May, a barrage of emails and pop-ups informed online users about how companies use cookies – small bits of software that track website activity – in accordance with a requirement under the European Union’s General Data Protection Regulation.

On January 1, 2020, many companies will inform consumers about updates to their privacy notices – agreements between companies and their consumers about how personal information is processed – in accordance with a requirement under the California Consumer Privacy Act (“CCPA”).

Why this Matters

A privacy notice (aka privacy policy or privacy statement) is typically the first place a company explains its practices for handling the personal information it collects.  Privacy notices have received considerable attention this year, not all of it positive.  You do not have to read all of the New York Times article, “We Read 150 Privacy Policies. They Were an Incomprehensible Disaster,” to know what it concluded.[1]  Similarly, an article titled “Are Organizations Ready for New Privacy Regulations?” summarizes the Online Trust Alliance’s analysis of 1,200 privacy statements and its view that many of these privacy notices could result in penalties for failing to follow new laws such as the CCPA.[2]  In addition, privacy notices have been the subject of litigation in cases asserting that the sale of customer information to non-affiliated entities for marketing purposes,[3] and the transfer of customer data in a merger, asset sale, or sale of customer information, were all improper because they violated companies’ privacy notices.[4]

Privacy Notices Under the CCPA

While the CCPA will only apply to companies that meet certain requirements[5] – which still, by some estimates, will be more than 500,000 – numerous other states including Washington, Oregon, Colorado, Nevada, and Texas, are close to enacting or seriously considering similar legislation.  Companies should therefore consider implementing CCPA-like changes to their notices or become familiar with its requirements even if they do not think the CCPA applies.  Indeed, last month Microsoft announced that it “will extend CCPA’s core rights for people to control their data to all our customers in the U.S.”[6]

For those companies to which the CCPA undoubtedly applies, the list of things a privacy notice must include is extensive.  For brevity, these are the mainstays:

  • A description of consumers’ rights under the CCPA including the right to request a companies’ data collection and sales practices.
  • Categories of personal information collected, sold or disclosed for a business purpose, and the source for each category, in the preceding 12 months.
  • Deletion request instructions and information on how consumers can request that personal information not be sold to third parties.
  • An explanation that consumers have the right to not be discriminated against for exercising rights under the CCPA.

Cal. Civ. Code § 1798.130(a)(5).[7]

As further requirements, on October 15 the California Attorney General issued proposed regulations for the CCPA stating that privacy notices must also:

  • Use plain, straightforward language and avoid technical or legal jargon.
  • Use a format that makes the notice readable, including on smaller screens, if applicable.
  • Be available in a format that allows a consumer to print it out as a separate document.
  • Be visible or accessible where consumers will see it before any personal information is collected.

§ 999.308.[8]

When asked yesterday how he will handle enforcement of the CCPA, California Attorney General Xavier Becerra said “we will look kindly on those that … demonstrate an effort to comply.”[9]  Becerra went on to explain, however, that if companies “are not [operating properly] … I will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.”

There is still uncertainty around the meaning of some CCPA requirements.  After all, it is the first comprehensive law of its kind in the U.S.  But privacy notices should be easy to implement and if a company covered by the CCPA has done so by January 1, 2020, it will have at least embarked on the “effort to comply” that the attorney general was referring to.

If you have questions about the CCPA and its application to your company and its privacy notice, please reach out to one of our Global Privacy & Security Blog authors.


[1]  Kevin Litman-Navarro, N.Y. Times: The Privacy Project, (last visited Dec. 9, 2019).

[2]  Internet Society, Building Trust (Sept. 16, 2019),

[3]  Order Approving Settlement, Utility Consumers’ Action Network v. Sears Roebuck & Co., No. CGC99306232 (Cal. Super. Ct. S.F. Aug. 19, 2004) (plaintiff-favorable settlement in class-action lawsuit over unauthorized transfer of data to third-parties and misrepresentation of scope and nature of customer privacy policy).

[4] See F.T.C. v., No. 00-11341-RGS, 2000 WL 34016434 (D. Mass. July 21, 2000) (FTC settlement where bankrupt had tried to sell its customer lists when its privacy policy explicitly stated that customer information would never be shared with a third party).

[5] See Hunter Ferguson and Romaine C. Marshall, Stoel Rives LLP, “CCPA is Coming – Is Your Business Prepared for the Data Requests & Lawsuits?” (Apr. 29, 2019), (explaining who is covered by the CCPA).

[6] Julie Brill, Microsoft On the Issues, “Microsoft will honor California’s new privacy rights throughout the United States” (Nov. 11, 2019),

[7] California Legislative Information, Cal. Civil Code § 1798.130,

[8]  California Department of Justice, California Consumer Privacy Act (, Text of Proposed Regulations, pdf: (last visited Dec. 9, 2019).