What do the proposed draft CCPA regulations mean for your…privacy notices?

General

  • Still need four notices: notice at collection, notice of opt out (if you sell), privacy notice and notice of financial incentive (if you have it)
  • Notices must meet WCAG 2.1 accessibility requirements
  • May use personal information for a purpose different from those listed, unless the new purpose is materially different
  • Don’t need to list source or purpose of collection for each category of information
BUT
  • Need to describe category, source and third parties in a manner that would be meaningful for consumers

Notice at Collection

  • Should be readily available at point of collection (whether online, offline or on mobile)
  • If you collect information from a consumer’s mobile device for an unexpected purpose, add a just-in-time notice with the purposes and a link to your notice
  • No “do not sell” button for employee notice at collection

Notice of Opt Out

  • Can use suggested opt-out button
  • If you don’t have an opt-out notice but collect personal information, you can’t sell it without affirmative opt in

Privacy Notice

  • Still need to describe the categories of third parties to whom information was sold or disclosed, by category of information collected

For an in-depth analysis of the revised regulations, read my detailed analysis.