What do the proposed draft CCPA regulations mean for your…privacy notices?


  • Still need four notices: notice at collection, notice of opt out (if you sell), privacy notice and notice of financial incentive (if you have it)
  • Notices must meet WCAG 2.1 accessibility requirements
  • May use for a purpose different than those listed unless materially different
  • Don’t need to list source or purpose of collection for each category of information
  • Need to describe category, source and third parties in a manner that would be meaningful for consumers

Notice at Collection

  • Should be readily available at point of collection (whether online, offline or on mobile)
  • If you collect information from a consumer’s mobile device for unexpected purpose, add just-in-time notice with the purposes and link to your notice
  • No “do not sell” button for employee notice at collection

Notice of Opt Out

  • Can use suggested opt-out button
  • If you don’t have an opt-out notice but collect personal information, you can’t sell it without affirmative opt in

Privacy Notice

  • Still need to describe the categories of third parties to whom information was sold or disclosed, by category of information collected

For an in-depth analysis of the revised regulations, read my detailed analysis.