Providing a compliant notice at collection under CPRA

At a glance: CPRA notice at collection

• On May 27, 2022, the California Privacy Protection Agency (CPPA) voted unanimously to submit the final California Privacy Rights (CPRA) regulations to the California Office of Administrative Law. 
• Part of a larger rulemaking session, the final Draft Regulations provided clarification on certain CPRA provisions, including the requirement to provide a notice at collection.
• To ensure CPRA compliance before the July 1, 2023 enforcement date, businesses should start auditing their notice at collection now.

Table of contents

• What is CPRA notice at collection?
• CPRA notice at collection best practices
• What to include in a CPRA notice of collection
• Notice at collection vs. privacy policy
• Does a privacy policy satisfy the CPRA notice at collection requirement? 

What is CPRA notice at collection?

According the CPRA Draft Regulations, the purpose of a notice at collection is:

For a CPRA notice at collection to be compliant, the business needs to include specific information about what data is being processed and why. It also needs to be presented prominently in a format that’s easy to understand.

The Draft Regulations define a notice at collection as: 

At a minimum, this notice must include information about how the business is collecting or processing the consumer’s data. And, this requirement applies to first-party and third-party collection notices as well. 

CPRA notice at collection best practices

When creating a compliant CPRA notice at collection, there are a few guiding principles—the purpose of collection should align with consumer expectations, businesses may not collect data beyond what's mentioned in their notice, and notices should be easy to access and understand.

Purpose of collection should align with consumer expectations

The CPRA Draft Regulations state:

And, to be clear, the business is responsible for managing those expectations. The text defines several ways in which a consumer's expectations can be shaped, one of which is a clear notice at collection. 

What this really means is that businesses are expected to appropriately set a consumer’s expectations using clear and specific disclosures—and then process data in a way that aligns with those expectations. 

Don’t collect data beyond what's disclosed in the notice at collection

The Draft Regulations are quite specific here, stating: 

Basically, don’t say you’re collecting one thing and then collect another.

Make your notice accessible and understandable

Using dark patterns or other styling tricks to hide, obfuscate, or limit the readability of either the notice at collection or the link that navigates to it are off limits under CPRA. 

More than that, businesses are required to follow clear public guidelines about content accessibility. The Draft Regulations state:

What to include in a CPRA notice of collection

Though CCPA already dictated requirements for notices at collection, the CPRA Draft Regulations expanded that language, requiring businesses to include: 

• Categories of personal data collected
• Purpose of processing (why the data is being collected and used)
• Disclosure if the personal data is being sold or shared
• A link to information on how to opt out of the sale or sharing of personal data
• Details on any data processing third parties
• A link to the company’s privacy policy

The Draft Regulations do account for the fact that more than one business can be involved in data processing. Thus, it requires businesses to include extensive information regarding any third parties that process or control personal data on their behalf.

For example, if a business allows a third party to collect personal information on their marketing website, both the business and the third party must provide a notice at collection. Alternatively, they may cooperate to provide a single notice at collection, as long as it includes the necessary information about their joint data processing practices.

How to present a CPRA notice of collection

The Draft Regulations have precise instructions on how businesses must present their notice at collection. 

Instead of just directing consumers to the top of the privacy policy and expecting them to look through it, a business must include a link which takes them straight to the notice at collection section. This link should be clearly visible and “readily available where consumers will encounter it at or before the point of collection.”

The Draft Regulations provide a few examples of what a prominent presentation might look like:

• If a business is collecting data online, it needs to include an obvious link on the “introductory” page of their website, as well as on any page where information is actively being collected.
• If a business is collecting data through a webform, the link needs to be “in close proximity to the fields in which the consumer inputs their personal information.”
• If a business is collecting data in an app, it should provide notice on the app’s download page.

There are several other illustrative examples in the final Draft Regulations, so we recommend reading through that section to make sure you’re clear on what prominent disclosure looks like in this context.

Aside from being easy to find, a notice at collection must also:

• Use “plain, straightforward language” that avoids legal and technical jargon
• Be available in the language used throughout your product line
• Use “a format that draws the consumer’s attention” and is readable even on small screens (like a cell phone)
• Be accessible to folks with disabilities

Notice at collection vs. privacy policy

CPRA privacy policy requirements

The CPRA Draft Regulations extended the requirements around what businesses need to include in their privacy policies. Under CPRA, a privacy policy must include: 

• Details on how a business handles data on and offline
• A statement about whether or not the business discloses or uses sensitive personal information for any other reason than a valid “business purpose” 
• Information about a consumer’s rights under CPRA
• Instructions about how consumers can exercise their rights and what to expect throughout the process
• Details about how the business approaches opt-out signals
• Date of the privacy policy’s last update
• Consumer privacy request metrics from the following year

With the overlap between a notice at collection and a privacy policy, the question often arises: does one satisfy the other in terms of compliance? The simple answer is yes, a privacy policy can satisfy the notice at collection requirement—though there are caveats. 

Does a privacy policy satisfy the CPRA notice at collection requirement? 

CPRA does allow businesses to include their notice at collection within a privacy policy. However, they must provide a direct link to the notice’s specific section, so consumers aren't forced to scroll through pages of legalese.

As long as your business follows the Draft Regulation guidelines, this could be an easy way to reduce the number of legal documents being presented to customers.

About Transcend

Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.

Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.

Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.

References

• CPRA Final Regulations Text
• CPPA Approves Proposed Final CPRA Regulations for Submission to OAL
• CPPA Regulations