- 1798.100 – Consumers' right to receive information on privacy practices and access information
- 1798.105 – Consumers' right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers' right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
If a company is required to provide a privacy notice, how soon must it be provided?
Various United States federal and state laws require companies to provide privacy notices. While those statutes differ in how quickly the notice must be provided, most require that the notice be provided at the time that information is collected from a data subject (in situations in which a business collects information directly from an individual), or at the time that a business establishes a relationship with an individual.1 Under other statutes, the requirement to provide a privacy notice is triggered once the business anticipates making certain uses or disclosures of the individual’s information. For example, under the Gramm-Leach-Bliley Act (“GLBA”), a financial institution is not required to provide a privacy notice to a consumer (i.e., someone with whom the financial institution does not have a customer relationship) unless the institution anticipates disclosing the individual’s information to a nonaffiliated third party. In such a situation, the privacy notice must be provided “before” the disclosure occurs.2
In the context of the California CCPA, a business is required to disclose certain privacy practices “at or before the point of [the information’s] collection.”3 There is inherent ambiguity as to whether this provision applies only to situations in which information is collected directly from a data subject, or whether it also applies to situations in which a business obtains information about a data subject from a third party.
In comparison to United States law, under the European GDPR, if a company collects information directly from an individual and is required to provide that individual with a privacy notice, the notice should be provided “at the time when personal data [is] obtained.”4 If a company collects information from a third-party source (e.g., a public source or a data broker) and is required to provide an individual with a privacy notice, it should provide the notice at the earliest of the following three situations:
- When the company first communicates with the data subject,
- When the company transfers the individual’s information to a third party, or
- Within one month of having obtained the information.5