The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. Under California’s new privacy law, will a business have to provide a privacy notice to a consumer even if it gets the consumer’s data from a third party (i.e., rents it or purchases it)?
Section 1798.100(b) of the CCPA states that a “business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.” The CCPA further defines the term “collects” as including situations in which a business “buy[s], rent[s], gather[s], obtain[s], receiv[es], or access[es]” personal information by “any means.”1 The net result is that, read literally, the CCPA requires that any business that is subject to its jurisdiction notify consumers – at the time of data collection – as to its purpose for collecting the consumers’ data.
It is also worth noting that, under the CCPA, businesses that do not determine the “purpose and means of the processing” are not subject to any requirement to disclose a privacy notice.2 As a result, most service providers are not required to disclose their own privacy notice.
California’s law has some similarities to the European GDPR. For example, under the GDPR, if a company is a processor (i.e., it does not determine the purpose and means of processing), it is not required to provide a privacy notice to individuals about whom it possesses information. As a result, in situations in which a processor receives personal data from a controller about a data subject, the processor is not required to provide the data subject with a privacy notice. Also like the CCPA, the GDPR requires most companies that receive information indirectly (e.g., from a third party) to provide the consumer with a privacy notice.3 Unlike the CCPA, however, there are at least five situations in which a company that receives personal information about an individual from a third party is expressly excused from providing information about its privacy practices:
In addition, unlike the CCPA, the GDPR does not require that a company which receives information about an individual from a third party provide the privacy notice “at or before the point of collection.” The GDPR directs that the privacy notice should be provided “within a reasonable period after obtaining the personal data, but at the latest within one month.”10
It is unclear at this time whether the California legislature, or California courts, will attempt to align the CCPA with the GDPR in order to make the CCPA a more practical statute.
1. CCPA, 1798.140(e).
2. CCPA, 1798.14(c)(1) (defining a “business” for the purpose of the statute as being an entity that determines the purpose and means of processing).
3. GDPR, Article 14.
4. GDPR, Article 14(5)(a).
5. GDPR, Article 14(5)(b).
6. GDPR, Article 14(5)(b).
7. GDPR, Article 14(5)(b).
8. GDPR, Article 14(5)(c).
9. GDPR, Article 14(5)(d).
10. GDPR, Article 14(3)(a).