What Is Notice at Collection?
The CCPA puts a lot of emphasis on making privacy disclosures to consumers. When dealing with the contents of those disclosures (categories of personal information collected, purposes for collecting it, etc), it’s easy to overlook that the CCPA also sets out rules for where these disclosures must be posted. Called a “notice at collection,” businesses must make their privacy notice available to consumers at or before the point of collection.
A point of collection is any place, such as a web page or newsletter sign-up form, where the business is collecting personal information about the consumer. The “at or before” requirement means that consumers must be told about the collection while they still have some choice over the matter. It serves as a gateway, telling them, “From this point on, we will be collecting the following personal information; if you don’t agree to this, please don’t continue forward.” If you don’t make this privacy notice available at the appropriate point, or if you later collect personal information that was not included in the notice, it is considered a CCPA violation.
The law provides several examples of what is considered a proper notice at collection:
- Websites – Post a conspicuous link to the privacy notice on the homepage and any other web page where personal information is collected.
- Mobile Apps – Post a link on the link to the privacy notice on the app download page and in the app’s settings menu.
- Offline – Include the privacy notice in printed forms or post prominent signage directing consumers to where they can find the notice (a simple URL, for example).
- Collection via Telephone – The notice may be provided orally over the phone.
As to where the privacy link should point to, CCPA regulations state that the link should take the consumer “to the section of the business’s privacy policy that contains the information required.” This suggests that it is not enough to merely link to the top of the main privacy policy; businesses should link either to a separate California privacy rights page or to the specific section of their privacy policy that contains the California privacy information.
It should be noted that websites can be designed to only display this privacy link to California website visitors.
Best Practices
For most businesses, their primary concern is how to make the proper notice at collection on their website. Practically speaking, technology like cookies and site analytics means that every web page is a point of collection. Luckily, compliance is as simple as adding a privacy link to the footer of the website so that it shows up on every page.
Additionally, include a link to the privacy notice every time a consumer is asked to actively submit any personal information through a form (such as when they sign up to receive emails). This should ensure you have made your required disclosures at or before the point of collection. Here's an example:
Adding Notices to Pop-ups in Shopify
If your business uses third party pop up apps in Shopify, you may need to contact the vendor to find out how to add a link to your California Privacy Notice. Here are some how-to guides and videos from the top pop-up vendors on the Shopify App Store: