CCPA Right To Opt Out
The right to opt out is described in the CCPA as follows:
“A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out.” (Section 1798.120(a) – emphasis added)
The first important point to mention, which may seem obvious but is worth reiterating, is that the right to opt out does not apply to processing generally – it is in fact a very specific right that only applies where a business sells personal information relating to Californian consumers. Whether a business sells personal information according to the CCPA, however, is not necessarily a straightforward question. We’ll explore this issue first before discussing the actual substance of the requirements.
Do you sell personal information?
The CCPA definition of “sell” essentially includes any transfer of personal information to another business or third party for “monetary or other valuable consideration”. This includes “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating” personal information to another party (whether orally, in writing, or by electronic or other means). Importantly, the location of the sale (and whether the sale took place in California) is not relevant here – the key questions are (1) whether you are a business caught by the scope of the CCPA (which could include a business anywhere in the world), and (2) whether you “sell” personal information relating to Californian consumers (as defined by the Act).
Can you rely on any exemptions?
The CCPA specifies that a business does not sell personal information in four scenarios:
- Communicating opt out preferences: The first exemption is relatively straightforward and applies where a business shares personal information with a third party to alert them of the consumer’s opt out preferences. This would include, for example, where a website transmits a user’s cookie choices to an advertiser or ad tech intermediary or where a company provides a suppression list to a third-party marketing agency.
- Intentional interaction with a third party: A business does not sell personal information if the consumer has directed the business to intentionally disclose their information or uses the business to intentionally interact with a third party. The CCPA does not define how a consumer may “direct” a business to disclose their personal information but does clarify that “an intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions” which would not include “hovering over, muting, pausing, or closing a given piece of content”. This suggests that the consumer must take some form of affirmative action that is clearly linked to the instruction (e.g. not by merely closing or choosing to ignore a cookie banner). However, this is not the same as “opt-in” consent under the GDPR and would not necessarily require an unticked check box.
- Sharing personal information for a business purpose: The third exemption is the broadest in scope and applies wherever information is used or shared with a service provider for a “business purpose”, which is defined as “a business’s or a service provider’s operational purposes, or other notified purposes”. The CCPA provides a list of business purposes which covers a whole host of standard business activities such as security and fraud prevention, auditing, internal research and service improvement, marketing, analytics, as well as mere “short-term, transient use”. It also includes performing services on behalf of a business, such as maintaining customer accounts, processing orders or providing advertising or marketing services. The words “or other notified purposes” suggest the exemption could include other purposes not listed by the CCPA – but further regulation or guidance will be needed.
- Mergers, acquisitions and other corporate sale transactions: This exemption applies where a third party takes control of all or part of the business, and personal information is transferred as an asset as part of that transaction. If the acquirer materially changes or alters the way it uses or shares a consumer’s personal information, it must provide prior notice which must be sufficiently prominent and robust to ensure existing consumers can exercise their right to opt out.
What are the Opt out requirements?
If you sell personal information and cannot rely on one of the above exemptions, then you must comply with the Opt out requirements. These require that you:
- Provide a “Do Not Sell My Personal Information” (“DNSMPI”) link on (i) your homepage, (ii) any webpage where you collect personal information, (iii) your mobile app’s platform or download page and within the app itself, (iv) your privacy notice, and (v) wherever else you describe Californian consumers’ rights under the CCPA,
- Stop selling personal information as soon as a consumer exercises their right to opt out, unless the consumer subsequently provides express authorization for you to do so, and
- Wait at least 12 months before requesting authorization from the consumer to sell their personal information again.
If you are not a business but a “third party” who has been sold personal information by a business, you must not sell the information unless the consumer has received explicit notice and been provided with an opportunity to exercise the right to opt-out.
The Opt in requirements
The CCPA also contains more restrictive “opt in” rights for children:
“A business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information.” (Section 1798.120(c))
This means that a business can only sell the personal information of a child between the ages of 13 and 16 with the child’s consent and can only sell the personal information of a child under 13 with the consent of the child’s parent or guardian. This applies where the business has “actual knowledge” of the consumer’s age, although the CCPA makes clear that any business that willfully disregards the consumer’s age is deemed to have actual knowledge.
To ensure compliance with the Opt out / Opt in requirements, a business should:
- Identify whether you “sell” personal information: Carry out a data mapping exercise to ascertain all situations in which you disclose personal information to third parties and decide if it can be considered a “sale”.
- Provide notice to consumers: If you do sell personal information, ensure that your privacy notice is updated to inform consumers of their right and the opportunity to opt out before their information is sold.
- Create a DNSMPI link: Create a DNSMPI link on your homepage and any other web pages and apps where personal information is collected.
- Identify the age of your consumers: Consider whether you collect any children’s personal information and whether you would be deemed to have knowledge of age. If so, ensure that you turn off sales by default and only sell such personal information if you obtain appropriate consent.
- Train your staff: The CCPA also requires that you train any staff that handle consumer inquiries to ensure that they are aware of the Opt out requirements and know how to handle consumer requests.
Techniti provides multiple services that can meet your organization’s needs to assess applicable laws and the required steps for compliance. You can find out more by contacting us using our contact form listed here.