The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. Under California’s new privacy law, will a business have to provide a privacy notice to a consumer even if it gets the consumer’s data from a third party (i.e., rents it or purchases it)?

Typically.

Section 1798.100(b) of the CCPA states that a “business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.”  The CCPA further defines the term “collects” as including situations in which a business “buy[s], rent[s], gather[s], obtain[s], receiv[es], or access[es]” personal information by “any means.”¹  The net result is that read literally the CCPA requires that any business that is subject to its jurisdiction notify consumers – at the time of data collection – as to its purpose for collecting the consumers’ data. 

It is worth noting, however, that notifying a consumer about the type of information collected and the purpose of the collection does not necessarily mean distributing to the consumer a full privacy policy.  The statute does not require, for example, that notification must be in writing or that the notification must include other types of information that are typically present in a privacy notice (e.g., information on the company’s practices with regard to sharing, etc.).  As a result, it is possible that a company might be able to fulfill its obligation to inform consumers of the data that it collects and its use for that data orally, contextually, or via a third party (e.g., via the privacy policy of company A that might intend to transmit the information to company B). 

It is also worth noting that under the CCPA businesses which do not determine the “purpose and means of the processing” are not subject to any requirement to disclose a privacy notice.²  As a result most service providers are not required to disclose their own privacy notice.

California’s law has some similarities to the European GDPR.  For example, under the GDPR if a company is a processor (i.e., it does not determine the purpose and means of processing) it is not required to provide a privacy notice to individuals about whom it possesses information.  As a result in situations in which a processor receives personal data from a controller about a data subject the processor is not required to provide the data subject with a privacy notice.  Also like the CCPA, the GDPR requires most companies that receive information indirectly (e.g., from a third party) to provide the consumer with a privacy notice.³  Unlike the CCPA, however, there are at least five situations in which a company that receives personal information about an individual from a third party is expressly excused from providing information about its privacy practices:

1. The data subject already knows the company’s privacy practices.  As with situations in which a company collects information directly from a person, if a “data subject already has the information” that would be contained within a privacy notice the company is not required to provide one to them.⁴
2. Impossibility.  If providing a privacy notice is “impossible” a company is relieved of the requirement.  That said, the GDPR requires that the company “take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.”⁵
3. Disproportionate effort.  If providing a privacy notice “would involve a disproportionate effort” a company is not required to provide the notice.⁶  That said, the GDPR requires that the company “take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.”⁷
4. Information must be collected by European Union law.  If a European Union Member State requires that a company collect personal data about an individual, and that requirement includes “appropriate measures to protect the data subject’s legitimate interests” then a company is not required to also provide a privacy notice to the individual.⁸
5. Collection cannot be disclosed pursuant to European Union law.  If a European Union Member State imposes an obligation of secrecy on a company that would prohibit the company from disclosing the fact that it collected an individual’s information, the company is not required to provide the individual with a privacy notice.⁹

In addition, unlike the CCPA, the GDPR does not require that a company which receives information about an individual from a third party provide the privacy notice “at or before the point of collection.”  The GDPR directs that the privacy notice should be provided “within a reasonable period after obtaining the personal data, but at the latest within one month.”¹⁰

It is unclear at this time whether the California legislature, or California courts, will attempt to  align the CCPA with the GDPR in order to make the CCPA a more practical statute.

1. CCPA, 1798.140(e)

2. CCPA, 1798.14(c)(1) (defining a “business” for the purpose of the statute as being an entity that determines the  purpose and means of processing).

3. GDPR, Article 14.

4. GDPR, Article 14(5)(a).

5. GDPR, Article 14(5)(b).

6. GDPR, Article 14(5)(b).

7. GDPR, Article 14(5)(b).

8. GDPR, Article 14(5)(c).

9. GDPR, Article 14(5)(d).

10. GDPR, Article 14(3)(a).

[View source.]