The regulations implementing the CCPA require that “[e]very business . . . shall provide a privacy policy in accordance with the CCPA and the [regulations].”1 The regulations clarify that a business meets its obligation to “provide” a privacy policy by posting the policy online or, if it does not operate a website, “mak[ing] the privacy policy conspicuously available to consumers.”2 It is important to note that making a privacy policy “conspicuously available” does not necessarily mean that a business must proactively distribute its privacy policy to consumers. The Office of the Attorney General was asked to provide additional examples of what might constitute “conspicuous availability.” The Attorney General responded that in his opinion “[t]he meaning of ‘conspicuous’ is reasonably clear based on the plain meaning of the word.”3 The Attorney General did, however, point out that other California laws – including CalOPPA – define the term “conspicuously post” in the context of website links and implied that those definitions might be probative when interpreting the CCPA.4

Unlike the CCPA, the European GDPR requires that most companies that receive information indirectly (e.g., from a third party) must provide individuals with a privacy policy.5 There are at least five situations, however, in which a company that receives personal information about an individual from a third party is expressly excused from providing information about its privacy practices under the GDPR:

  1. The data subject already knows the company’s privacy practices. As with situations in which a company collects information directly from a person, if a “data subject already has the information” that would be contained within a privacy policy, the company is not required to provide one to them.6
  2. Impossibility. If providing a privacy policy is “impossible,” a company is relieved of the requirement. That said, the GDPR requires that the company “take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.”7
  3. Disproportionate effort. If providing a privacy policy “would involve a disproportionate effort,” a company is not required to provide the policy.8 That said, the GDPR requires that the company “take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.”9
  4. Information must be collected by European Union law. If a European Union Member State requires that a company collect personal data about an individual and that requirement includes “appropriate measures to protect the data subject’s legitimate interests,” then a company is not required to also provide a privacy policy to the individual.10
  5. Collection cannot be disclosed pursuant to European Union law. If a European Union Member State imposes an obligation of secrecy on a company that would prohibit the company from disclosing the fact that it collected an individual’s information, the company is not required to provide the individual with a privacy policy.11

1 CCPA Reg. 999.304(a).

2 CCPA Reg. 999.308(b).

3 FSOR Appendix A at 28 (Response 103).

4 FSOR Appendix A at 86 (Response 286).

5 GDPR, Article 14.

6 GDPR, Article 14(5)(a).

7 GDPR, Article 14(5)(b).

8 GDPR, Article 14(5)(b).

9 GDPR, Article 14(5)(b).

10 GDPR, Article 14(5)(c).

11 GDPR, Article 14(5)(d).