Does a business have to provide a privacy notice directly to a consumer if it obtains the consumer’s data from a third party (i.e., purchases it)?
Modern data privacy statutes require that organizations inform individuals about the organization’s privacy practices by creating a privacy notice (sometimes referred to as a privacy policy or a notice at collection). Some data privacy statutes provide specific directions regarding how the privacy notice must be distributed. For example, the California Consumer Privacy Act and the California Privacy Rights Act expressly require that a privacy notice be posted on a company’s website (if the company has a website), and a notice at collection be provided anytime a company collects personal information directly from a consumer. California does not require, however, that a company directly provide consumers with a privacy notice in situations in which the company obtains the consumer’s information from a third party (e.g., purchases it). This contrasts with other privacy regimes (e.g., the European GDPR) which require privacy notices to be distributed directly to a consumer even when an organization obtains the information from a third party, unless the organization can demonstrate that distribution would pose a disproportionate effort.
Most of the other U.S. modern data privacy statutes do not prescribe when, and how, a privacy notice should be distributed, stating only that a controller is under an obligation to make the privacy notice “accessible.” The following chart compares and contrasts the distribution strategy required by modern state privacy statutes.
