§ 7012. Notice at Collection of Personal Information.

§ 7012. Notice at Collection of Personal Information.

(a)  The purpose of the Notice at Collection is to provide consumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them, the purposes for which the personal information is collected or used, and whether that information is sold or shared, so that consumers have a tool to exercise meaningful control over the business’s use of their personal information. For example, upon receiving the Notice at Collection, the consumer can use the information in the notice as a tool to choose whether to engage with the business, or to direct the business not to sell or share their personal information and to limit the use and disclosure of their sensitive personal information.

(b)  The Notice at Collection shall comply with section 7003, subsections (a) and (b).

(c)  The Notice at Collection shall be made readily available where consumers will encounter it at or before the point of collection of any personal Illustrative examples follow.

(1)  When a business collects consumers’ personal information online, it may post a conspicuous link to the notice on the introductory page of the business’s website and on all webpages where personal information is collected.

(2)  When a business collects consumers’ personal information through a webform, it may post a conspicuous link to the notice in close proximity to the fields in which the consumer inputs their personal information, or in close proximity to the button by which the consumer submits their personal information to the business.

(3)  When a business collects personal information through a mobile application, it may provide a link to the notice on the mobile application’s download page and within the application, such as through the application’s settings menu.

(4)  When a business collects consumers’ personal information offline, it may include the notice on printed forms that collect personal information, provide the consumer with a paper version of the notice, or post prominent signage directing consumers to where the notice can be found online.

(5)  When a business collects personal information over the telephone or in person, it may provide the notice orally.

(d)  If a business does not give the Notice at Collection to the consumer at or before the point of collection of their personal information, the business shall not collect personal information from the consumer.

(e)  A business shall include the following in its Notice at Collection:

(1)  A list of the categories of personal information about consumers, including categories of sensitive personal information, to be collected. Each category of personal information shall be written in a manner that provides consumers a meaningful understanding of the information being collected.

(2)  The purpose(s) for which the categories of personal information, including categories of sensitive personal information, are collected and used.

(3)  Whether each category of personal information identified in subsection (e)(1) is sold or shared.

(4)  The length of time the business intends to retain each category of personal information identified in subsection (e)(1), or if that is not possible, the criteria used to determine the period of time it will be retained.

(5)  If the business sells or shares personal information, the link to the Notice of Right to Opt-out of Sale/Sharing or in the case of offline notices, where the webpage can be found online.

(6)  A link to the business’s privacy policy, or in the case of offline notices, where the privacy policy can be found online.

(f)  If a business collects personal information from a consumer online, the Notice at Collection may be given to the consumer by providing a link that takes the consumer directly to the specific section of the business’s privacy policy that contains the information required in subsection (e)(1) through (6). Directing the consumer to the beginning of the privacy policy, or to another section of the privacy policy that does not contain the required information, so that the consumer is required to scroll through other information in order to determine the categories of personal information to be collected and/or whether the business sells or shares the personal information collected, does not satisfy this standard.

(g)  Third Parties that Control the Collection of Personal This subsection shall not affect the first party’s obligations under the CCPA to comply with a consumer’s request to opt-out of sale/sharing.

(1)  For purposes of giving Notice at Collection, more than one business may control the collection of a consumer’s personal information, and thus, have an obligation to provide a Notice at Collection in accordance with the CCPA and these regulations. For example, a first party may allow another business, acting as a third party, to control the collection of personal information from consumers browsing the first party’s website. Both the first party that allows the third parties to collect personal information via its website, as well as the third party controlling the collection of personal information, shall provide a Notice at Collection. The first party and third parties may provide a single Notice at Collection that includes the required information about their collective information practices.

(2)  A business that, acting as a third party, controls the collection of personal information on another business’s physical premises, such as in a retail store or in a vehicle, shall provide a Notice at Collection in a conspicuous manner at the physical location(s) where it is collecting the personal information.

(3)  Illustrative examples follow.

(A)  Business F allows Business G, a third party ad network, to collect consumers’ personal information through Business F’s website. Business F may post a conspicuous link to its Notice at Collection on its homepage(s). Business G shall provide a Notice at Collection on its homepage(s) or include the required information about its information practices in Business F’s Notice at Collection.

(B)  Business H, a coffee shop, allows Business I, a business providing Wi-Fi services, to collect personal information from consumers using Business I’s services on Business H’s Business H may post conspicuous signage at the entrance of the store or at the point-of-sale directing consumers to where the Notice at Collection for Business H can be found online. In addition, Business I shall post its own Notice at Collection on the first webpage or other interface consumers see before connecting to the Wi-Fi services offered.

(C)  Business J, a car rental business, allows Business K to collect personal information from consumers within the vehicles Business J rents to consumers. Business J may give its Notice at Collection to the consumer at the point of sale (e., at the rental counter) either in writing or orally. Business K may provide its own Notice at Collection within the vehicle, such as through signage on the vehicle’s dashboard directing consumers to where the notice can be found online.

(h)  A business that neither collects nor controls the collection of personal information directly from the consumer does not need to provide a Notice at Collection to the consumer if it neither sells nor shares the consumer’s personal information.

(I)  A data broker registered with the Attorney General pursuant to Civil Code section 1798.99.80 et seq. that collects personal information from a source other than directly from the consumer does not need to provide a Notice at Collection to the consumer if it has included in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt-out of sale/sharing.

 

Note: Authority: Section 1798.185, Civil Code. Reference: Sections 1798.99.82, 1798.100, 1798.115, 1798.120, 1798.121, 1798.145 and 1798.185, Civil Code.