Just-in-time notices are a legal requirement
A just-in-time notice is a statement or pop-up that a consumer can read immediately before deciding whether to provide their personal information to a business.
Transparency is an important aspect of privacy law compliance. Transparency means telling people what data you collect, how you collect it, and what you do with it.
That’s where just-in-time notices come in. A just-in-time notice is the perfect way to provide your users with:
- The most relevant transparency information
- At the most appropriate moment
- In the most appropriate place
Here’s why just-in-time notices are a key way to comply with two important privacy laws.
Just-in-time notices under the CCPA
The California Consumer Privacy Act (CCPA) requires businesses that collect personal information to provide consumers with relevant information “at or before the point of collection.” This is known as a “notice at collection.”
The notice at collection isn’t a just-in-time notice in itself—it’s a longer document that contains:
- A list of the categories of personal information you collect
- Your business or commercial purposes for collecting such information
- A link to your “Do Not Sell My Personal Information” page (if you have one)
The CCPA Regulations provide some guidance about the notice at collection and how to provide it. The rules are slightly different for websites and mobile apps.
On your website, you don’t need to provide the full notice at collection whenever you collect personal information. You can provide “a conspicuous link to the notice on the introductory page of the business’s website and on all webpages where personal information is collected.”
If you’re collecting personal information via a mobile device “for a purpose that the consumer would not reasonably expect,” the CCPA Regulations specify that you:
“…shall provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection.”
Just-in-time notices and the GDPR
The General Data Protection Regulation (GDPR), which applies across the European Economic Area (EEA) and the UK, doesn’t refer directly to just-in-time notices. However, the law requires controllers to provide extensive transparency information whenever they collect personal data.
The upshot of the GDPR’s strict transparency rules is that you must provide a just-in-time notice in certain circumstances.
As the UK’s data protection authority, the Information Commissioner’s Office (ICO) explains:
“Just-in-time notices are particularly useful when people provide personal data at different points of a purchase or interaction, often on an organization’s website, when filling in a form.”
As we’ve seen, just-in-time notices are a key way to meet your transparency obligations under both of these privacy laws. The same principles apply under other laws, too, including Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
Whether or not you’re legally required to provide a just-in-time notice before collecting personal information, it’s good practice to ensure consumers know what information you’re collecting about them and for what purpose.
Therefore, providing a just-in-time notice might be the perfect way to give consumers the information they need while improving trust in your business.