(a) Purpose and General Principles
(1) The purpose of the notice at collection is to provide consumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them and the purposes for which the personal information will be used.
(2) The notice at collection shall be designed and presented in a way that is easy to read and understandable to consumers. The notice shall: a. Use plain, straightforward language and avoid technical or legal jargon. b. Use a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, if applicable. c. Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California. d. Be reasonably accessible to consumers with disabilities. For notices provided online, the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by reference. In other contexts, the business shall provide information on how a consumer with a disability may access the notice in an alternative format.
(3) The notice at collection shall be made readily available where consumers will encounter it at or before the point of collection of any personal information. Illustrative examples follow: a. When a business collects consumers’ personal information online, it may post a conspicuous link to the notice on the introductory page of the business’s website and on all webpages where personal information is collected. b. When a business collects personal information through a mobile application, it may provide a link to the notice on the mobile application’s download page and within the application, such as through the application’s settings menu. c. When a business collects consumers’ personal information offline, it may include the notice on printed forms that collect personal information, provide the consumer with a paper version of the notice, or post prominent signage directing consumers to where the notice can be found online. d. When a business collects personal information over the telephone or in person, it may provide the notice orally.
(4) When a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, it shall provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection. For example, if the business offers a flashlight application and the application collects geolocation information, the business shall provide a just-in-time notice, such as through a pop-up window when the consumer opens the application, that contains the information required by this subsection.
(5) A business shall not collect categories of personal information other than those disclosed in the notice at collection. If the business intends to collect additional categories of personal information, the business shall provide a new notice at collection.
(6) If a business does not give the notice at collection to the consumer at or before the point of collection of their personal information, the business shall not collect personal information from the consumer.
(b) A business shall include the following in its notice at collection:
(1) A list of the categories of personal information about consumers to be collected. Each category of personal information shall be written in a manner that provides consumers a meaningful understanding of the information being collected.
(2) The business or commercial purpose(s) for which the categories of personal information will be used.
(3) If the business sells personal information, the link titled “Do Not Sell My Personal Information” required by section 999.315, subsection (a), or in the case of offline notices, where the webpage can be found online.
(4) A link to the business’s privacy policy, or in the case of offline notices, where the privacy policy can be found online.
(c) If a business collects personal information from a consumer online, the notice at collection may be given to the consumer by providing a link to the section of the business’s privacy policy that contains the information required in subsection (b).
(d) A business that does not collect personal information directly from the consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.
(e) A data broker registered with the Attorney General pursuant to Civil Code section 1798.99.80 et seq. does not need to provide a notice at collection to the consumer if it has included in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt-out.
(f) A business collecting employment-related information shall comply with the provisions of section 999.305 except with regard to the following: (1) The notice at collection of employment-related information does not need to include the link or web address to the link titled “Do Not Sell My Personal Information”. (2) The notice at collection of employment-related information is not required to provide a link to the business’s privacy policy.
(g) Subsection (f) shall become inoperative on January 1, 2021, unless the CCPA is amended otherwise.
Note: Authority: Section 1798.185, Civil Code. Reference: Sections 1798.99.82, 1798.100, 1798.115 and 1798.185, Civil Code.