Senior Content Marketing Manager
March 10, 2023
According to the CPRA Draft Regulations, the purpose of a notice at collection is:
“to provide consumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them, and the purposes for which the personal information is collected or used, and whether that information is sold or shared”
For a CPRA notice at collection to be compliant, the business needs to include specific information about what data is being processed and why. It also needs to be presented prominently in a format that’s easy to understand.
The Draft Regulations define a notice at collection as:
“the notice given by a business to a consumer at or before the point at which a business collects personal information from the consumer” § 7001.(q)
At a minimum, this notice must include information about how the business is collecting or processing the consumer’s data. This requirement applies to both first-party and third-party collection notices.
When creating a compliant CPRA notice at collection, there are a few guiding principles—the purpose of collection should align with consumer expectations, businesses may not collect data beyond what's mentioned in their notice, and notices should be easy to access and understand.
The CPRA Draft Regulations state:
“The purpose(s) for which the personal information was collected or processed shall be consistent with the reasonable expectations of the consumer(s) whose personal information is collected or processed.” - § 7002.(b)
And, to be clear, the business is responsible for managing those expectations. The text defines several ways in which a consumer's expectations can be shaped, one of which is a clear notice at collection.
“The specificity, explicitness, prominence, and clarity of disclosures to the consumer(s) about the purpose for collecting or processing their personal information, such as in the Notice at Collection” - § 7002.(b)(4)
What this really means is that businesses are expected to appropriately set a consumer’s expectations using clear and specific disclosures—and then process data in a way that aligns with those expectations.
The Draft Regulations are quite specific here, stating:
“A business shall not collect categories of personal information other than those disclosed in its Notice at Collection in accordance with the CCPA.” - § 7002.(f)
Basically, don’t say you’re collecting one thing and then collect another.
Using dark patterns or other styling tricks to hide, obfuscate, or limit the readability of either the notice at collection or the link that navigates to it is off limits under CPRA.
More than that, businesses are required to follow clear public guidelines about content accessibility. The Draft Regulations state:
“Be reasonably accessible to consumers with disabilities. For notices provided online, the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines” - § 7003.(b)(3)
Though CCPA already dictated requirements for notices at collection, the CPRA Draft Regulations expanded that language, requiring businesses to include:
The Draft Regulations do account for the fact that more than one business can be involved in data processing. Thus, they require businesses to include extensive information regarding any third parties that process or control personal data on their behalf.
For example, if a business allows a third party to collect personal information on their marketing website, both the business and the third party must provide a notice at collection. Alternatively, they may cooperate to provide a single notice at collection, as long as it includes the necessary information about their joint data processing practices.
The Draft Regulations have precise instructions on how businesses must present their notice at collection.
Instead of just directing consumers to the top of the privacy policy and expecting them to look through it, a business must include a link which takes them straight to the notice at collection section. This link should be clearly visible and “readily available where consumers will encounter it at or before the point of collection.”
The Draft Regulations provide a few examples of what a prominent presentation might look like:
There are several other illustrative examples in the final Draft Regulations, so we recommend reading through that section to make sure you’re clear on what prominent disclosure looks like in this context.
Aside from being easy to find, a notice at collection must also:
The CPRA Draft Regulations extended the requirements around what businesses need to include in their privacy policies. Under CPRA, a privacy policy must include:
With the overlap between a notice at collection and a privacy policy, the question often arises: does one satisfy the other in terms of compliance? The simple answer is yes, a privacy policy can satisfy the notice at collection requirement—though there are caveats.
CPRA does allow businesses to include their notice at collection within a privacy policy. However, they must provide a direct link to the notice’s specific section, so consumers aren't forced to scroll through pages of legalese.
As long as your business follows the Draft Regulation guidelines, this could be an easy way to reduce the number of legal documents being presented to customers.
Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.
Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.
Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.