Does an employee facing privacy notice need to contain different types of information from a privacy notice provided to other types of consumers?

It depends.

The CCPA applies to the personal information of California employees of a business that is subject to the statute. The specific rights afforded to employees were set to phase-in throughout 2020.

Beginning in 2020, the CCPA required that a business subject to the Act disclose (1) the type of personal information that it collected about its California employees and (2) the purpose of the collection “at or before the point of collection.” ¹ While the same information was required to be disclosed when a business collected personal information about other types of California residents (e.g., California customers), for other types of California residents the CCPA required that a privacy notice contain twelve additional disclosures. These only apply to employee-privacy notices beginning on January 1, 2021. The following provides a summary of those disclosure requirements that apply to employees on January 1, 2020, and those that apply on January 1, 2021:

Privacy Notice Disclosures Required as of January 1, 2020 In All Privacy Notices (e.g., employee and non-employee)
1. Identify the enumerated categories of personal information collected.²
2. Identify the general purpose for which information will be used³

Privacy Notice Disclosures Required as of January 1, 2020

In All Privacy Notices (e.g., employee and non-employee)

1. Identify the enumerated categories of personal information collected.²

2. Identify the general purpose for which information will be used³

Additional Privacy Notice Disclosures Required as of January 1, 2020 in Non-Employee Privacy Notices and as of January 1, 2021 in Employee Privacy Notices
1. Explain the ability of a California resident to request access to their personal information.⁴
2. Identify the enumerated categories of personal information shared with services providers.⁵
3. Identify the enumerated categories of personal information sold to third parties (or affirmatively state that the business does not sell personal information).⁶
4. State that a California resident has the ability to opt-out of sale of information (if applicable).⁷
5. Provide contact information that can be used to request access, deletion, or opt-out (if applicable).⁸
6. Explain the ability of a California resident to request deletion of their personal information.⁹
7. Provide general information concerning the sources from which personal information was collected.¹⁰
8. Provide general information concerning the third party recipients of personal information¹¹
9. Explain in general terms the process used to verify or authenticate a California resident that requests access to, or the deletion of, their information.¹²
10. Explain that California residents will not be discriminated against if they choose to exercise one of their rights under the CCPA.¹³
11. Explain how an authorized agent can make a request under the CCPA on behalf of a California resident.¹⁴
12. Provide contact information for how questions or concerns regarding privacy practices can be raised with the business.¹⁵

The net result is that, between January 1, 2020 and January 1, 2021, an employee privacy notice does not have to contain all of the information contained in privacy notices given to other types of California residents. In essence, it can be thought of as a “short form” privacy notice. After January 1, 2021, the same provisions must be included in an employee and non-employee privacy notice that is subject to the CCPA.

Are consumers in Europe more likely than consumers in the United States to “opt-in” to cookies?”

Do cookie banners receive different acceptance rates on desktops and on smartphones?

Does the placement of a cookie banner impact user acceptance rate?

Yes.

Most cookie banners can be classified into one of three general categories: (1) notice only banners, (2) notice + opt-out banners, and (3) notice + opt-in banners. If a company chooses to adopt a cookie banner that provides notice and solicits the opt-in consent (e.g., “I agree”) of website users, the company would have a strong argument that it does not need to disclose that it has sold information, does not need to forward deletion requests to the providers of its third party cookies, and does not need to include an “opt out of sale” link on its website.¹

Companies often struggle with how to display a cookie banner given the complexities of conveying information to individuals that may lack technical expertise, and “banner fatigue” – i.e., the fact that website visitors are presented with so many pop-ups and banners that they often do not spend the time to read banners that appear before closing them.

There is relatively little empirical data publicly available concerning website visitors interactions with cookie banners. The little data that does exist, however, indicates that user acceptance rates are significantly impacted by where a cookie banner is placed on a screen. For example, in one study researchers randomly placed the same cookie banner at the top, the top-left, the top-right, the bottom, the bottom-left, and the bottom-right of a website and then observed how 14,135 website visitors interacted with the banner.² They found that when the banner was placed in a “bar” at the top of the page approximately 1.8% of visitors accepted cookies. When the same banner was placed on the bottom-left of the screen the acceptance rate jumped to 18.4%. While the researchers did not probe the cause of the difference, they suspected that the bottom-left placement was more likely to cover the main content of a website (in comparison, notices shown at the top often hide only design elements), and that website visitors were accustomed to the left-to-right directionality of Latin script. Both factors may cause viewers to interact with a cookie banner at the bottom left.