Providing a compliant notice at collection under CPRA

• On May 27, 2022, the California Privacy Protection Agency (CPPA) voted unanimously to submit the final California Privacy Rights (CPRA) regulations to the California Office of Administrative Law. 

• Part of a larger rulemaking session, the final Draft Regulations provided clarification on certain CPRA provisions, including the requirement to provide a notice at collection.

• To ensure CPRA compliance before the July 1, 2023 enforcement date, businesses should start auditing their notice at collection now.

• What is CPRA notice at collection?

• CPRA notice at collection best practices

• What to include in a CPRA notice of collection

• Notice at collection vs. privacy policy

• Does a privacy policy satisfy the CPRA notice at collection requirement? 

According the CPRA Draft Regulations, the purpose of a notice at collection is:

“to provide consumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them, and the purposes for which the personal information is collected or used, and whether that information is sold or shared“

For a CPRA notice at collection to be compliant, the business needs to include specific information about what data is being processed and why. It also needs to be presented prominently in a format that’s easy to understand.

The Draft Regulations define a notice at collection as: 

“the notice given by a business to a consumer at or before the point at which a business collects personal information from the consumer” § 7001.(q)

At a minimum, this notice must include information about how the business is collecting or processing the consumer’s data. And, this requirement applies to first-party and third-party collection notices as well. 

When creating a compliant CPRA notice at collection, there are a few guiding principles—the purpose of collection should align with consumer expectations, businesses may not collect data beyond what's mentioned in their notice, and notices should be easy to access and understand.

The CPRA Draft Regulations state:

“The purpose(s) for which the personal information was collected or processed shall be consistent with the reasonable expectations of the consumer(s) whose personal information is collected or processed.” - § 7002.(b)

And, to be clear, the business is responsible for managing those expectations. The text defines several ways in which a consumer's expectations can be shaped, one of which is a clear notice at collection. 

“The specificity, explicitness, prominence, and clarity of disclosures to the consumer(s) about the purpose for collecting or processing their personal information, such as in the Notice at Collection” -§ 7002.(b)(4)

What this really means is that businesses are expected to appropriately set a consumer’s expectations using clear and specific disclosures—and then process data in a way that aligns with those expectations. 

The Draft Regulations are quite specific here, stating: 

“A business shall not collect categories of personal information other than those disclosed in its Notice at Collection in accordance with the CCPA.” - § 7002.(f)

Basically, don’t say you’re collecting one thing and then collect another.

Using dark patterns or other styling tricks to hide, obfuscate, or limit the readability of either the notice at collection or the link that navigates to it are off limits under CPRA. 

More than that, businesses are required to follow clear public guidelines about content accessibility. The Draft Regulations state:

“Be reasonably accessible to consumers with disabilities. For notices provided online, the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines” - § 7003.(b)(3)

Though CCPA already dictated requirements for notices at collection, the CPRA Draft Regulations expanded that language, requiring businesses to include: 

• Categories of personal data collected

• Purpose of processing (why the data is being collected and used)

• Disclosure if the personal data is being sold or shared

• A link to information on how to opt out of the sale or sharing of personal data

• Details on any data processing third parties

• A link to the company’s privacy policy

The Draft Regulations do account for the fact that more than one business can be involved in data processing. Thus, it requires businesses to include extensive information regarding any third parties that process or control personal data on their behalf.

For example, if a business allows a third party to collect personal information on their marketing website, both the business and the third party must provide a notice at collection. Alternatively, they may cooperate to provide a single notice at collection, as long as it includes the necessary information about their joint data processing practices.

The Draft Regulations have precise instructions on how businesses must present their notice at collection. 

Instead of just directing consumers to the top of the privacy policy and expecting them to look through it, a business must include a link which takes them straight to the notice at collection section. This link should be clearly visible and “readily available where consumers will encounter it at or before the point of collection.”

The Draft Regulations provide a few examples of what a prominent presentation might look like:

• If a business is collecting data online, it needs to include an obvious link on the “introductory” page of their website, as well as on any page where information is actively being collected.

• If a business is collecting data through a webform, the link needs to be “in close proximity to the fields in which the consumer inputs their personal information.”

• If a business is collecting data in an app, it should provide notice on the app’s download page.

There are several other illustrative examples in the final Draft Regulations, so we recommend reading through that section to make sure you’re clear on what prominent disclosure looks like in this context.

Aside from being easy to find, a notice at collection must also:

• Use “plain, straightforward language” that avoids legal and technical jargon

• Be available in the language used throughout your product line

• Use “a format that draws the consumer’s attention” and is readable even on small screens (like a cell phone)

• Be accessible to folks with disabilities

The CPRA Draft Regulations extended the requirements around what businesses need to include in their privacy policies. Under CPRA, a privacy policy must include: 

• Details on how a business handles data on and offline

• A statement about whether or not the business discloses or uses sensitive personal information for any other reason than a valid “business purpose” 

• Information about a consumer’s rights under CPRA

• Instructions about how consumers can exercise their rights and what to expect throughout the process

• Details about how the business approaches opt-out signals

• Date of the privacy policy’s last update

• Consumer privacy request metrics from the following year

With the overlap between a notice at collection and a privacy policy, the question often arises: does one satisfy the other in terms of compliance? The simple answer is yes, a privacy policy can satisfy the notice at collection requirement—though there are caveats. 

CPRA does allow businesses to include their notice at collection within a privacy policy. However, they must provide a direct link to the notice’s specific section, so consumers aren't forced to scroll through pages of legalese.

As long as your business follows the Draft Regulation guidelines, this could be an easy way to reduce the number of legal documents being presented to customers.

Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.

Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.

Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.

• CPRA Final Regulations Text

• CPPA Approves Proposed Final CPRA Regulations for Submission to OAL

• CPPA Regulations