This is Part 3 of our CCPA Blog Series.
In Parts 1 and 2 we considered two of the core rights introduced by the CCPA – Notice and Access. This time, we'll be looking at the third core right – Opt out from the sale of personal information (and the related Opt in requirements for children). In particular, we will consider when the right to opt out applies, how it compares to similar rights under the GDPR and the practical steps businesses should take to stay compliant.
The Opt out requirements
The right of opt out is described in the CCPA as follows:
"A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out." (Section 1798.120(a) – emphasis added)
The first important point to mention, which may seem obvious but is worth reiterating, is that the right to opt out does not apply to processing generally – it is in fact a very specific right that only applies where a business sells personal information relating to Californian consumers. Whether a business sells personal information according to the CCPA, however, is not necessarily a straightforward question. We'll explore this issue first before discussing the actual substance of the requirements.
Do you sell personal information?
The CCPA definition of "sell" essentially includes any transfer of personal information to another business or third party for "monetary or other valuable consideration". This includes "renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating" personal information to another party (whether orally, in writing, or by electronic or other means). Importantly, the location of the sale (and whether the sale took place in California) is not relevant here – the key questions are (1) whether you are a business caught by the scope of the CCPA (which could include a business anywhere in the world), and (2) whether you "sell" personal information relating to Californian consumers (as defined by the Act).
In some cases, whether you sell personal information will be quite obvious – for instance, where you are a data broker, a lead / prospect generation service, or a company that sells marketing lists as a business.
However, in other cases, it may be less obvious. Consider, for example:
an online publisher disclosing visitor data to advertisers, ad networks, and other ad tech intermediaries to display targeted advertising for revenue,
identity verification services,
credit reporting services,
fraud detection services, or
disclosing telematics or machine learning data to affiliates for product development.
Can you rely on any exemptions?
The CCPA specifies that a business does not sell personal information in four scenarios:
1) Communicating opt out preferences: The first exemption is relatively straightforward and applies where a business shares personal information with a third party to alert them of the consumer's opt out preferences. This would include, for example, where a website transmits a user's cookie choices to an advertiser or ad tech intermediary or where a company provides a suppression list to a third-party marketing agency.
2) Intentional interaction with a third party: A business does not sell personal information if the consumer has directed the business to intentionally disclose their information or uses the business to intentionally interact with a third party. The CCPA does not define how a consumer may "direct" a business to disclose their personal information but does clarify that "an intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions" which would not include "hovering over, muting, pausing, or closing a given piece of content". This suggests that the consumer must take some form of affirmative action that is clearly linked to the instruction (e.g. not by merely closing or choosing to ignore a cookie banner). However, this is not the same as "opt-in" consent under the GDPR and would not necessarily require an unticked check box.
3) Sharing personal information for a business purpose: The third exemption is the broadest in scope and applies wherever information is used or shared with a service provider for a "business purpose", which is defined as "a business’s or a service provider’s operational purposes, or other notified purposes". The CCPA provides a list of business purposes which covers a whole host of standard business activities such as security and fraud prevention, auditing, internal research and service improvement, marketing, analytics, as well as mere "short-term, transient use". It also includes performing services on behalf of a business, such as maintaining customer accounts, processing orders or providing advertising or marketing services. The words "or other notified purposes" suggest the exemption could include other purposes not listed by the CCPA – but further regulation or guidance will be needed.
Applying this to one example, if you are a vendor providing fraud detection services you could argue that you fall within the exemption as you are protecting against fraud or illegality on behalf of a business. However, if you act as a controller for some of the personal information (e.g. you use visitor data obtained from one of your customers to inform other customers about the risk presented by that same visitor) and use it for your own commercial purposes, then you will no longer come within the scope of being a "service provider" and cannot rely on the business purpose exemption. Companies like these will need to consider what stance they will take as it will be difficult for them to offer opt out rights (as they typically have no interface with the end user) and it also undermines the nature of their services.
4) Mergers, acquisitions and other corporate sale transactions: This exemption applies where a third party takes control of all or part of the business, and personal information is transferred as an asset as part of that transaction. If the acquirer materially changes or alters the way it uses or shares a consumer's personal information, it must provide prior notice which must be sufficiently prominent and robust to ensure existing consumers can exercise their right to opt out.
What are the Opt out requirements?
If you sell personal information and cannot rely on one of the above exemptions, then you must comply with the Opt out requirements. These require that you:
provide a "Do Not Sell My Personal Information" ("DNSMPI") link on (i) your homepage, (ii) any webpage where you collect personal information, (iii) your mobile app's platform or download page and within the app itself, (iv) your privacy notice, and (v) wherever else you describe Californian consumers' rights under the CCPA,
stop selling personal information as soon as a consumer exercises their right to opt out, unless the consumer subsequently provides express authorization for you to do so, and
wait at least 12 months before requesting authorization from the consumer to sell their personal information again.
If you are not a business but a "third party" who has been sold personal information by a business, you must not sell the information unless the consumer has received explicit notice and been provided with an opportunity to exercise the right to opt-out.
Some businesses will need to give careful thought to how they will grant these rights, as doing so may not be easy in every situation. Returning to our previous example, if you are a fraud detection service that retains personal information only in the form of IP addresses and other device data, you may have difficulties in matching the particular consumer who made the request with all of the relevant data in your systems – you may need additional information from the consumer about all of their different devices in order to identify their data.
Equally, if you are an intermediary in the ad tech ecosystem then it may not be sufficient to place the DNSMPI link on your own website – the opt out may also need to be provided through each publisher's website where the information is actually being collected. However, would the existing Ad Choices icon be sufficient or does the CCPA envisage that there must be a separate DNSMPI link on these sites? Again, further guidance would help to address some of these uncertainties.
The Opt in requirements
The CCPA also contains more restrictive "opt in" rights for children:
"A business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information." (Section 1798.120(c))
This means that a business can only sell the personal information of a child between the ages of 13 and 16 with the child's consent and can only sell the personal information of a child under 13 with the consent of the child's parent or guardian. This applies where the business has "actual knowledge" of the consumer's age, although the CCPA is clear to state that any business that wilfully disregards the consumer’s age is deemed to have actual knowledge.
So where sites or services are obviously attractive to or targeted at children, this provision is likely to apply. For example, an online kids' TV channel will most likely need to switch off all further sales of data by default (i.e. no ad tracking), unless it can obtain clear opt-in consent.
So what should you do to ensure compliance with the Opt out / Opt in requirements?
The GDPR does not focus on the "sale" of personal information – and there are no direct provisions relating to such sales – so it's likely that businesses will need to implement most of the requirements for this right from scratch.
To ensure compliance with the Opt out / Opt in requirements, a business should:
Identify whether you "sell" personal information: Carry out a data mapping exercise to ascertain all situations in which you disclose personal information to third parties. You will then need to consider carefully whether this may amount to a "sale" as per the guidance above.
Provide notice to consumers: If you do sell personal information, ensure that your privacy notice is updated to inform consumers of their right to opt out. You must also ensure consumers are given the opportunity to opt out before their information is sold.
Create a DNSMPI link: Create a DNSMPI link on your homepage and any other web pages and apps where personal information is collected. Note that you may place the link on your homepage or on a separate page dedicated specifically to California consumers.
Identify the age of your consumers: Consider whether you collect any children's personal information and whether you would be deemed to have knowledge of age. If so, ensure that you turn off sales by default and only sell such personal information if you obtain appropriate consent.
Train your staff: The CCPA also requires that you train any staff who handle consumer inquiries to ensure that they are aware of the Opt out requirements and know how to handle consumer requests. This could be provided as part of more general privacy training (for instance, alongside CCPA and/or GDPR training) or as a shorter, dedicated session.
We'll be looking at the rights to deletion and non-discrimination – watch this space!