The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA. 

Q. Does a company always have to provide a privacy notice to people from whom it collects information?

United States federal data privacy laws apply to specific industry sectors (e.g., financial institutions, health care providers, or educational institutions).  The statutes that require that a privacy notice be provided within those sectors do not mandate that the notice be distributed online.

Historically a few United States state data privacy laws have required that a company make its privacy policy “conspicuously available on its internet website,” but those laws are limited only to instances in which the company has collected personal information online I the first instance.¹  If the company does not collect information online, they do not require the company to post its privacy policy on the internet.

Unlike other United States privacy statutes, the CCPA states that a company subject to its jurisdictional scope must disclose its privacy practices “in its online privacy policy . . . or if the business does not maintain those [online privacy] policies, on its Internet Web site.”²  Read literally, this appears to require every company subject to the jurisdiction of the CCPA to have, in the first instance, an Internet Web site.  While it does not mandate that the website contain an “online privacy policy,” it arguably mandates that the information that a company would typically put in a separately marked “privacy policy” be included somewhere within its website.

In comparison, while the European GDPR requires that a company provide a privacy notice when it collects information from an individual