Thoughts on Legal Risks Re: Your CCPA Data Collection and Use Notices
The California Consumer Protection Act (“CCPA”) is going into effect at the beginning of 2020. There are various statutes being proposed right now in the State Assembly intended to make the CCPA even more protective of consumers. It is important for San Diego businesses to begin preparing for the new statutory regime. It is essential to retain and consult an experienced San Diego corporate attorney. In this article, we provide some thoughts on the notices that will be required. There is some legal risk here because the CCPA only provides a general and somewhat vague description of what notice is required. For example, § 1798.100(b) provides that, at or before the point of collection, your San Diego business must inform consumers of the following:
- The categories of personal information to be collected; and
- The purposes for which the categories of personal information shall be used.
The subsection continues and forbids a business from collecting additional categories of personal information without providing an additional notice to the customer and forbids the use of personal information for any purpose other than those listed.
So, what should your notice actually say? This is where the legal risk lies. The risk is that you provide a certain notice to thousands of consumers and a judge or jury decides your notice was not “good enough.” Now, your business is facing a money judgment ranging from $100 to $750 per violation. Here is a sample notice provision to highlight the problem:
“NOTICE — Collection of Personal Information Data. COMPANY collects the following types of CONSUMER personal information:
NOTICE — Use of Personal Information Data. COMPANY uses CONSUMER personal information for the following purposes:
For maintenance, support, and improving its products and services
To complete the CONSUMER’s transaction
To contact CONSUMER to provide updates to our Collection and Use Policies.”
This type of notice has the advantage of being simple, straightforward, and relatively non-intrusive. Importantly, the whole of the notice could be listed in a single consumer consent page/box. Legally speaking, that would satisfy the “conspicuous” requirement that many California judges impose when deciding whether consumers can be deemed to have agreed to a website’s Terms of Service.
On the other hand, the disadvantage of this notice is that it likely does not provide enough information. What does “for marketing” actually mean? If it means that the consumer’s personal information is sold to any company and every company for the highest price and as often as possible, then the notice is probably insufficient. That being said, if your business provides a 500-word description of what “for marketing” actually means, then consumers are very unlikely to read it. As such, some judges might decide that, since consumers did not read it, the notice is not valid. A catch-22. Another significant concern is misleading statements and omissions. The longer the description, the higher the possibility that a judge or jury will hold that the statements were misleading or that something was omitted. In this manner, the notices will generate a body of case law similar to the case law about product and package labeling.
One solution is a short and simple notice to which the consumer can consent, but which also contains a layered set of hyperlinks providing more details. This, of course, generates several major administrative problems: tracking what notices have been given if company policies change, establishing procedures for sending out new notices, and avoiding accidental uses that are not listed.
Contact San Diego Corporate Law
For more information, contact Michael Leonard of San Diego Corporate Law. Mr. Leonard provides legal services related to business law, contracts, corporate entity formations and maintenance, private securities offerings/sales, the sale/purchase of a business, and for mergers and acquisitions. To schedule a consultation, contact Mr. Leonard via email or call (858) 483-9200.