Ask CENTRL: Does my business need to provide a CCPA policy and notices in languages other than English?

Every business subject to the California Consumer Privacy Act (CCPA) must have a privacy policy that provides consumers with a comprehensive description of the following: (1) the business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information (PI), and (2) the rights of consumers regarding their PI. The CCPA also requires business to provide consumers with the following notices, as applicable:

• Notice at Time of Collection of PI - A business that collects PI from a consumer must provide a notice at or before the point of collection that describes the categories of PI to be collected from the consumer and the purposes for which the PI will be used by the business.
• Notice of Right to Opt-out of Sale of PI - A business that sells PI must provide a notice to consumers permitting them to opt-out or request that the business not sell or stop selling their PI.
• Notice of Financial Incentives - A business that offers financial incentives or price or service differences tied to the collection, retention, or sale of PI must provide a notice to consumers that explains the material terms of the incentive or difference so the consumer may make an informed decision about whether to participate.

The CCPA does not specifically require that a business’s privacy policy or any of the notices be provided in a language other than English. Instead, the CCPA notes that the California Attorney General (AG) may establish rules and procedures “to ensure that the notices and information that businesses are required to provide … are available in the language primarily used to interact with the consumer.” The proposed final CCPA regulations specifically address foreign language disclosure requirements.

Although the final CCPA regulations are still under administrative review, it may not be time to carpe diem. Under the current CCPA enforcement environment, it is prudent, in any language, to give some thought to these future requirements.

CCPA Policy and Notices

The proposed final regulations specifically provide that a business’s privacy policy, notice at the time of collection of PI, notice of right to opt-out of the sale of PI, and notice of financial incentives must “[b]e available in the languages in which the business in the ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California.” The proposed regulations also remind business that these disclosures, whether provided in English or another language, must meet the following “look and feel” requirements:

• Designed and presented in a way that is easy to read and understandable to consumers;
• Use plain and straightforward language and avoid the use of technical or legal jargon; and
• Reasonably accessible to consumers with disabilities.

Businesses subject to the CCPA may operate in other states or countries and California residents may interact with a business while traveling outside the state or overseas. The OAG noted in the Statement of Reasons released with the proposed final regulations that it added “in California” after “consumers,” as highlighted above, to clarify that businesses must provide these disclosures in the languages in which they provide contracts and other information to consumers in California.

For example, a business located in California and subject to the CCPA that manufactures and sells tanning lotion may advertise in Portuguese in a Miami, Florida newspaper to reach Brazilian residents on vacation. The business does not, however, advertise in Portuguese in any newspapers or other advertisements in California or otherwise interact with consumers in California in Portuguese. The fact that a California resident may read the advertisement while on vacation in Miami does not mean that the business must now also provide its CCPA privacy policy and notices in Portuguese.

Next Steps

• Know Your Business Practices

The OAG has noted on its webpage regarding “Limited English Proficient Consumers” as follows:

California’s population is diverse. More than 200 languages and dialects are spoken here, and according to the US Census Bureau (2015), almost 44% of California households speak a language other than English, and nearly seven million Californians (19%) report speaking English “less than very well.” Language and cultural barriers can leave consumers vulnerable to fraud and predatory practices.

A robust CCPA compliance program will need to understand and incorporate the various languages used by the business “in the ordinary course” in providing contracts, disclaimers, sale announcements, and other information to consumers in California. A business may currently track its use of Spanish, Chinese, Tagalog, Vietnamese, or Korean in negotiations and other specific areas, as these specific languages are reflected in other California laws. See, e.g., Ca. Civ. Code § 1632. The proposed final CCPA regulations are open-ended so the applicable languages, whether one or more than 200, that will need to be reflected in each business’s privacy policy and notices will depend on the languages used in its various interactions with consumers in California.

• Know the Enforcement Risks

The Office of the AG (OAG) began sending notices of noncompliance to businesses on July 1, 2020. Since the final CCPA regulations are still under administrative review, the OAG’s initial enforcement actions are limited to the “four corners” of the statute. Although the OAG will not likely focus on whether businesses are providing CCPA policies and notices in all applicable foreign languages until the final regulations are in place, it would be prudent for all businesses subject to the CCPA to begin identifying the different languages that may be used in their interactions with consumers in California to ensure that CCPA policies and notices in these languages can be timely provided to consumers as of the effective date of the final regulations.

The OAG looked at two key areas in determining the recipients of its initial notices of noncompliance, the information provided by businesses on their websites and consumer complaints. The OAG can determine with a click of a button whether your business is providing its CCPA policy and notices on your website in any language other than English and consumers may complain, either through links on the OAG’s CCPA or limited English proficiency pages or on social media, about your business’s failure to provide relevant foreign language disclosures. Even if your business has a tight CCPA compliance budget, it makes practical sense, in any language, to minimize this area of enforcement risk. Take stock of your business practices and prepare to stock up on the appropriate number of foreign language translations of your CCPA policy and notices.