While the CPRA deferred a majority of the CCPA’s employee-related substantive requirements until Jan. 1, 2023, employers are still required to provide employees with a notice at collection.[1] As a result, since Jan. 1, 2020, a notice at collection, which must be provided “at or before the point at which” the collection of information occurs,[2] was required to include the following information:

  • A list of the categories of personal information that will be collected;
  • The business or commercial purpose for which the information is being collected;
  • Information on how to opt out of the sale of personal information (if information is being sold); and
  • Information on how to find the company’s complete privacy notice.[3]

After Jan. 1, 2023, the CPRA will expand the information required to be included in a notice of collection to include the following:

  • Whether that information is “sold or shared”;[4] and
  • The “length of time” that the business intends to retain each category of personal information.[5]

[1] Cal. Civ. Code 1798.145(m)(3).

[2] CCPA Reg. Section 999.301(l). See also CCPA 1798.100(b) (Oct. 2020).

[3] CCPA Reg. 999.305(b)(1)-(4).

[4] Cal. Civ. Code 1798.100(a)(1).

[5] Cal. Civ. Code 1798.100(a)(3).

David A. Zetoony

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

David receives regular recognitions from clients and peers for his knowledge and experience in the fields of data privacy and security. The National Law Journal named him a “Cybersecurity and Data Privacy Trailblazer,” JD Supra recognized him four times as one of the most widely read names when it comes to data privacy, cyber security, or the collection and use of data, and Lexology identified him six times as the top “legal influencer” in the area of technology, media, and telecommunications in the United States, the European Union, and in the context of cross-border transfers of information. He is the author of the American Bar Association’s primary publication on the European General Data Protection Regulation (GDPR) and is writing the American Bar Association’s primary publication on the California Consumer Privacy Act (CCPA).