For businesses that collect California residents’ personal information, deciphering what notices are required and how to facilitate the opt-out process is not a straightforward task. Between the California Consumer Privacy Act, the CCPA regulations in effect, the proposed modifications to the CCPA regulations and the recently approved California Privacy Rights Act, there is no shortage of confusion as to what is legally required. This installment of the IAPP’s 10-part series regarding the CPRA explores how the notice and opt-out requirements will evolve from the CCPA to the CPRA.

Notice requirements

As Section 999.304 of the CCPA regulations makes clear, businesses subject to the CCPA must provide consumers with four different types of notice regarding their personal information:

  • Notice at collection.
  • Privacy policy.
  • Notice of right to opt out.
  • Notice of financial incentive (if applicable).

Examining each of these sources is helpful in understanding what the requirements are today, and how they will change when the majority of the CPRA’s provisions go into effect in 2023.

Notice at collection

Perhaps one of the largest differences between the CPRA and CCPA is the notification requirements regarding the collection, retention and use of personal data.

Section 1798.100(b) of the CCPA requires a business that collects a consumer’s personal information to inform them “at or before the point of collection” of the categories of data that will be collected and the purposes for which it shall be used. Further, this subsection dictates a business shall not collect additional categories of personal information or use the data collected for additional purposes without providing the consumer with notice.

The CCPA regulations further interpret this notice requirement in Section 999.305. For example, the regulations instruct that the notice at collection must be “designed and presented in a way that is easy to read and understandable to consumers.” Such notice must “be made readily available where consumers will encounter it at or before the point of collection of any personal information.” Further, “when a business collects personal information from a consumer's mobile device for a purpose that the consumer would not reasonably expect, it shall provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection.”

Additionally, a “business shall not collect categories of personal information other than those disclosed in the notice at collection. If the business intends to collect additional categories of personal information, the business shall provide a new notice at collection.”

The CPRA modifies the CCPA and requires additional disclosures. Section 1798.100 of the CPRA mandates “a business that controls the collection of a consumer’ personal information” must also disclose the following at or before collection:

  • The purposes for which categories of both sensitive personal information and personal information are collected or used and whether such information is sold or shared.
  • The length of time the business intends to retain each category of personal information, or where this is impossible, the criteria used to determine such period.

Privacy policy

The CCPA requires a business to disclose certain information in its privacy policy — any California-specific description of consumers’ privacy rights and if a business does not have a privacy policy, it must be disclosed on its website. Specifically, pursuant to Section 1798.130(a)(5), the following must be disclosed:

  • A description of a consumer’s rights pursuant to Sections 1798.110, 1798.115, and 1798.125, as well as a method for submitting requests.
  • A list of the categories of personal information it has collected about consumers in the preceding 12 months.
  • A list of the categories of personal information it has sold about consumers in the preceding 12 months.
  • A list of the categories of personal information it has disclosed for a business purpose in the preceding 12 months by reference.
  • Whether the business sells or discloses deidentified patient information derived from patient information and whether such information was deidentified pursuant to enumerated methods.

Importantly, a business must disclose if it has not sold consumers’ personal information nor disclosed it for a business purpose in the preceding 12 months.

Section 999.308 of the CCPA regulations make clear that a business that is required to comply with the CCPA is indeed required to have a privacy policy and sets forth additional requirements, including:

  • The categories of third parties to whom the information was disclosed or sold.
  • Identification of the business or commercial purpose for collecting or selling personal information.
  • Identification of the categories of sources from which the personal information is collected.

Regarding the CPRA, although the new statute does not differ from the CCPA dramatically, it does incorporate the above requirements from the CCPA regulations into the text of the law. Operationally, this change should not make too large of an impact given that the disclosures are already required under the regulations. That said, it is worth noting that the authority now comes directly from the text of the law.

Notice of financial incentive

If a business offers financial incentives to consumers to provide personal information, CCPA Section 1798.125(b)(2) requires the business to provide notice it is doing so. CCPA regulation requirements on financial incentive notification can be found here. The CPRA does not make any substantive changes in this area.

Notice of right to opt out

CCPA Section 1798.120(b) requires that a business selling personal information to third parties provide notice to consumers “that this information may be sold and that consumers have the ‘right to opt-out’ of the sale of their personal information.”

The CCPA regulations expand on this requirement and regulate both the method of notice, as well as the substance. Section 999.306 mandates the notice of the right to opt out must be posted on the page the consumer is directed to after clicking on the “Do Not Sell My Personal Information” link on the homepage or in the mobile application. Alternatively, a “business that does not operate a website shall establish, document, and comply with another method by which it informs consumers of their right to opt-out.” Section 999.306(c) sets forth the substantive requirements of notice to opt-out.

The CPRA provides minimal alterations to this requirement beyond changing the name of the primary opt-out link to “Do Not Sell or Share My Personal Information” and requiring an additional link (discussed in part three of this series). It does alter the requirement so businesses have the potential to forego such links in certain circumstances that are discussed below.

Additionally, the CCPA proposed modified regulations suggest two additional provisions regarding the notice of the right to opt out.

The first proposed change in Section 999.306 would require “A business that sells personal information that it collects in the course of interacting with consumers offline shall also inform consumers by an offline method of their right to opt-out and provide instructions on how to submit a request to opt-out.”

The proposed modified regulations also suggest an optional opt-out button to be used in addition to the notice of the right to opt out.  This button would be placed next to the “Do Not Sell My Personal Information” link on the homepage and would link to the same webpage. 

Whether these provisions will ultimately be finalized has yet to be seen. That said, this is an area to keep an eye on for future activity.

Opting out

In addition to mandating businesses notify consumers about their right to opt out of the sale or sharing of personal information, the CPRA dictates how a business must facilitate and respond to an opt-out request.

Under Section 1798.120(a) of the CCPA, a consumer has the right to opt out of the sale of their personal information at any point. Section 1798.135 of the CCPA further provides that a business that sells personal information must:

  • Provide a description of consumer rights.
  • Provide a clear and conspicuous link on the homepage labeled “Do Not Sell My Personal Information” that directs consumers to an opt-out page.
  • Ensure that all individuals handling consumer inquiries about the business’s privacy practices are informed of all CCPA requirements and how to direct consumers to exercise their rights.
  • refrain from selling personal information collected by the business about a consumer once they have opted out.
  • Wait 12 months before requesting that a consumer who has previously opted out authorize the sale of personal information.
  • Limit the use of any personal information collected from the consumer during the opt-out process solely to comply with the opt-out request.

Section 999.315 of the CCPA regulations build upon and clarify certain aspects of these requirements. Regarding the manner in which a business facilitates the opt-out process, the CCPA regulations provide that a business must provide at least two methods to submit opt-out requests. One of these methods must be an interactive form accessed via a “Do Not Sell My Personal Information” link. Options for the second method of opt-out include but are not limited to:

  • A toll-free phone number.
  • A designated email address.
  • A form submitted in person.
  • A form submitted by mail.
  • User-enabled global privacy controls that communicate the decision to opt out.

Finally, the CPRA makes substantial modifications to the CCPA opt-out language. Importantly, Section 1798.120 of the CPRA changes the right from “the right to opt-out [of sale]” under the CCPA to “the right to opt-out of sale or sharing.” The term “sharing” is defined as the practice of providing information for the purposes of “cross-context behavioral advertising.” This new defined term is defined as “the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.” Therefore, because such advertising is considered “sharing” and the CPRA permits individuals to opt out of sharing, individuals may now opt out of this type of behavioral advertising.

Furthermore, the CPRA changes an organization’s opt-out obligations under Section 1798.135. One such change prohibits businesses from requiring consumers to create an account or “provide additional information beyond what is necessary” during the opt-out process, whereas the CCPA merely prohibited businesses from requiring a consumer to create an account in order to exercise their rights. 

Perhaps the largest change, however, is that once the law comes into effect, businesses may choose to comply with one of two new provisions to facilitate the opt-out process.

Pursuant to CPRA Section 1798.135(a)(1) and (2), businesses are required to provide a link labeled “Limit the Use of My Sensitive Personal Information” in addition to the “Do Not Sell or Share my Personal Information” link. The CPRA allows the business to forgo providing these links separately and instead choose to provide a single link that enables the consumer to both limit the use and disclosure of sensitive personal information and opt out of the sale and sharing of personal information.

The CPRA also permits a business to forgo providing the links if they instead choose to allow consumers to opt out by sending an opt-out preference signal via ”platform, technology, or mechanism.”

Conclusion

Ultimately, the task of deciphering the legal obligations imposed on businesses will only become more complex as Jan. 1, 2023, looms closer. This article presents a snapshot of where notice and opt-out obligations stand today. As the full picture develops, we will continue to provide updates and insight through other series and articles.

Photo by Vital Sinkevich on Unsplash