Online and Offline Disclosure of Data Collection Practices under California’s Privacy Law
California regulates consumer privacy via the California Consumer Privacy Act (CCPA), an expansive legislation reminiscent of the European Union’s General Data Protection Regulation (GDPR). CCPA imposes obligations on covered businesses to (1) give consumers notice of what personal data it collects, how the data is used or shared and whether the data is being sold, and (2) set forth the rights that consumers have with respect to the data collected from them.
Notice Applicable to Methods of Collection of Personal Data
Notably, the CCPA applies not only to online data collection but also to collection on mobile, offline by use of forms or exchange of documents, over the phone or in person. Cal. Code Regs. Tit. 11, § 999.305(a)(3).
A business that collects personal information from a consumer must provide such notice at the time of collection in accordance with the CCPA and the regulations promulgated in accordance with the law. Cal. Code Regs. Tit. 11, § 999.304(b). This means the privacy notice must be made readily available where consumers will encounter it at or before the collection of any of their personal information. If a business collects personal data from a consumer in person but their privacy notice is posted only on the business’s website, this will likely not be deemed a sufficient notice at the time of the collection.
Examples of Timely Notices
CCPA regulations (Cal. Code Regs. Tit. 11, § 999.305(a)(3)) provide illustrative examples of how a timely notice may be given to consumers:
Online collection – A business may post a conspicuous link to the notice on the introductory page of the business’s website and on all web pages where personal information is collected.
Mobile application – A business may provide a link to the notice on the mobile application’s download page and within the application, such as through the application’s settings menu.
Offline collection – A business may provide a printed version of the privacy notice or post prominent signage directing consumers to a notice that may be found online.
Telephone or in-person collection – A business may give its privacy notice verbally.