News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Member Directory Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Top-10 operational impacts of the CPRA: Part 5 — Notice obligations and right to opt out Related reading: Top-10 operational impacts of the CPRA: Part 1 – The California Privacy Protection Agency

rss_feed

""

For businesses that collect California residents’ personal information, deciphering what notices are required and how to facilitate the opt-out process is not a straightforward task. Between the California Consumer Privacy Act, the CCPA regulations in effect, the proposed modifications to the CCPA regulations and the recently approved California Privacy Rights Act, there is no shortage of confusion as to what is legally required. This installment of the IAPP’s 10-part series regarding the CPRA explores how the notice and opt-out requirements will evolve from the CCPA to the CPRA.

Notice requirements

As Section 999.304 of the CCPA regulations makes clear, businesses subject to the CCPA must provide consumers with four different types of notice regarding their personal information:

  • Notice at collection.
  • Privacy policy.
  • Notice of right to opt out.
  • Notice of financial incentive (if applicable).

Examining each of these sources is helpful in understanding what the requirements are today, and how they will change when the majority of the CPRA’s provisions go into effect in 2023.

Notice at collection

Perhaps one of the largest differences between the CPRA and CCPA is the notification requirements regarding the collection, retention and use of personal data.

Section 1798.100(b) of the CCPA requires a business that collects a consumer’s personal information to inform them “at or before the point of collection” of the categories of data that will be collected and the purposes for which it shall be used. Further, this subsection dictates a business shall not collect additional categories of personal information or use the data collected for additional purposes without providing the consumer with notice.

The CCPA regulations further interpret this notice requirement in Section 999.305. For example, the regulations instruct that the notice at collection must be “designed and presented in a way that is easy to read and understandable to consumers.” Such notice must “be made readily available where consumers will encounter it at or before the point of collection of any personal information.” Further, “when a business collects personal information from a consumer's mobile device for a purpose that the consumer would not reasonably expect, it shall provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection.”

Additionally, a “business shall not collect categories of personal information other than those disclosed in the notice at collection. If the business intends to collect additional categories of personal information, the business shall provide a new notice at collection.”

The CPRA modifies the CCPA and requires additional disclosures. Section 1798.100 of the CPRA mandates “a business that controls the collection of a consumer’ personal information” must also disclose the following at or before collection:

  • The purposes for which categories of both sensitive personal information and personal information are collected or used and whether such information is sold or shared.
  • The length of time the business intends to retain each category of personal information, or where this is impossible, the criteria used to determine such period.

Privacy policy

The CCPA requires a business to disclose certain information in its privacy policy — any California-specific description of consumers’ privacy rights and if a business does not have a privacy policy, it must be disclosed on its website. Specifically, pursuant to Section 1798.130(a)(5), the following must be disclosed:

  • A description of a consumer’s rights pursuant to Sections 1798.110, 1798.115, and 1798.125, as well as a method for submitting requests.
  • A list of the categories of personal information it has collected about consumers in the preceding 12 months.
  • A list of the categories of personal information it has sold about consumers in the preceding 12 months.
  • A list of the categories of personal information it has disclosed for a business purpose in the preceding 12 months by reference.
  • Whether the business sells or discloses deidentified patient information derived from patient information and whether such information was deidentified pursuant to enumerated methods.

Importantly, a business must disclose if it has not sold consumers’ personal information nor disclosed it for a business purpose in the preceding 12 months.

Section 999.308 of the CCPA regulations make clear that a business that is required to comply with the CCPA is indeed required to have a privacy policy and sets forth additional requirements, including:

  • The categories of third parties to whom the information was disclosed or sold.
  • Identification of the business or commercial purpose for collecting or selling personal information.
  • Identification of the categories of sources from which the personal information is collected.

Regarding the CPRA, although the new statute does not differ from the CCPA dramatically, it does incorporate the above requirements from the CCPA regulations into the text of the law. Operationally, this change should not make too large of an impact given that the disclosures are already required under the regulations. That said, it is worth noting that the authority now comes directly from the text of the law.

Notice of financial incentive

If a business offers financial incentives to consumers to provide personal information, CCPA Section 1798.125(b)(2) requires the business to provide notice it is doing so. CCPA regulation requirements on financial incentive notification can be found here. The CPRA does not make any substantive changes in this area.

Notice of right to opt out

CCPA Section 1798.120(b) requires that a business selling personal information to third parties provide notice to consumers “that this information may be sold and that consumers have the ‘right to opt-out’ of the sale of their personal information.”

The CCPA regulations expand on this requirement and regulate both the method of notice, as well as the substance. Section 999.306 mandates the notice of the right to opt out must be posted on the page the consumer is directed to after clicking on the “Do Not Sell My Personal Information” link on the homepage or in the mobile application. Alternatively, a “business that does not operate a website shall establish, document, and comply with another method by which it informs consumers of their right to opt-out.” Section 999.306(c) sets forth the substantive requirements of notice to opt-out.

The CPRA provides minimal alterations to this requirement beyond changing the name of the primary opt-out link to “Do Not Sell or Share My Personal Information” and requiring an additional link (discussed in part three of this series). It does alter the requirement so businesses have the potential to forego such links in certain circumstances that are discussed below.

Additionally, the CCPA proposed modified regulations suggest two additional provisions regarding the notice of the right to opt out.

The first proposed change in Section 999.306 would require “A business that sells personal information that it collects in the course of interacting with consumers offline shall also inform consumers by an offline method of their right to opt-out and provide instructions on how to submit a request to opt-out.”

The proposed modified regulations also suggest an optional opt-out button to be used in addition to the notice of the right to opt out.  This button would be placed next to the “Do Not Sell My Personal Information” link on the homepage and would link to the same webpage. 

Whether these provisions will ultimately be finalized has yet to be seen. That said, this is an area to keep an eye on for future activity.

Opting out

In addition to mandating businesses notify consumers about their right to opt out of the sale or sharing of personal information, the CPRA dictates how a business must facilitate and respond to an opt-out request.

Under Section 1798.120(a) of the CCPA, a consumer has the right to opt out of the sale of their personal information at any point. Section 1798.135 of the CCPA further provides that a business that sells personal information must:

  • Provide a description of consumer rights.
  • Provide a clear and conspicuous link on the homepage labeled “Do Not Sell My Personal Information” that directs consumers to an opt-out page.
  • Ensure that all individuals handling consumer inquiries about the business’s privacy practices are informed of all CCPA requirements and how to direct consumers to exercise their rights.
  • refrain from selling personal information collected by the business about a consumer once they have opted out.
  • Wait 12 months before requesting that a consumer who has previously opted out authorize the sale of personal information.
  • Limit the use of any personal information collected from the consumer during the opt-out process solely to comply with the opt-out request.

Section 999.315 of the CCPA regulations build upon and clarify certain aspects of these requirements. Regarding the manner in which a business facilitates the opt-out process, the CCPA regulations provide that a business must provide at least two methods to submit opt-out requests. One of these methods must be an interactive form accessed via a “Do Not Sell My Personal Information” link. Options for the second method of opt-out include but are not limited to:

  • A toll-free phone number.
  • A designated email address.
  • A form submitted in person.
  • A form submitted by mail.
  • User-enabled global privacy controls that communicate the decision to opt out.

Finally, the CPRA makes substantial modifications to the CCPA opt-out language. Importantly, Section 1798.120 of the CPRA changes the right from “the right to opt-out [of sale]” under the CCPA to “the right to opt-out of sale or sharing.” The term “sharing” is defined as the practice of providing information for the purposes of “cross-context behavioral advertising.” This new defined term is defined as “the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.” Therefore, because such advertising is considered “sharing” and the CPRA permits individuals to opt out of sharing, individuals may now opt out of this type of behavioral advertising.

Furthermore, the CPRA changes an organization’s opt-out obligations under Section 1798.135. One such change prohibits businesses from requiring consumers to create an account or “provide additional information beyond what is necessary” during the opt-out process, whereas the CCPA merely prohibited businesses from requiring a consumer to create an account in order to exercise their rights. 

Perhaps the largest change, however, is that once the law comes into effect, businesses may choose to comply with one of two new provisions to facilitate the opt-out process.

Pursuant to CPRA Section 1798.135(a)(1) and (2), businesses are required to provide a link labeled “Limit the Use of My Sensitive Personal Information” in addition to the “Do Not Sell or Share my Personal Information” link. The CPRA allows the business to forgo providing these links separately and instead choose to provide a single link that enables the consumer to both limit the use and disclosure of sensitive personal information and opt out of the sale and sharing of personal information.

The CPRA also permits a business to forgo providing the links if they instead choose to allow consumers to opt out by sending an opt-out preference signal via ”platform, technology, or mechanism.”

Conclusion

Ultimately, the task of deciphering the legal obligations imposed on businesses will only become more complex as Jan. 1, 2023, looms closer. This article presents a snapshot of where notice and opt-out obligations stand today. As the full picture develops, we will continue to provide updates and insight through other series and articles.

Photo by Vital Sinkevich on Unsplash

'CCPA Genius'

The Westin Research Center released a new interactive tool to help IAPP members navigate the California Consumer Privacy Act. The “CCPA Genius” maps requirements in the law to specific CCPA provisions, the proposed regulations, expert analysis and guidance regarding compliance, the California Privacy Rights Act ballot initiative, and other resources.

Access here

'California Privacy Law, Fourth Edition'

“California Privacy Law,” now in its newly updated fourth edition, provides businesses, attorneys, privacy officers and other professionals with practical guidance and in-depth information to navigate the state’s strict policies.

Print version | Digital version


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Author
Headshot Sarah Rippy Nonmember Contributor
Tags
Privacy Law
Westin Research Center
Comments

If you want to comment on this post, you need to login.

Related Stories
The Top-10 Most Impactful Provisions of the CPRA
The IAPP created an infographic outlining the 10 most-impactful provisions of the California Privacy Rights Act ballot initiative. The infographic gives a snapshot of the potential implications stemming from the CPRA being passed and entering into force January 2023. New provisions on sensitive data...
Read More queue Save This
'CCPA Genius'

The Westin Research Center released a new interactive tool to help IAPP members navigate the California Consumer Privacy Act. The “CCPA Genius” maps requirements in the law to specific CCPA provisions, the proposed regulations, expert analysis and guidance regarding compliance, the California Privacy Rights Act ballot initiative, and other resources.

Access here

'California Privacy Law, Fourth Edition'

“California Privacy Law,” now in its newly updated fourth edition, provides businesses, attorneys, privacy officers and other professionals with practical guidance and in-depth information to navigate the state’s strict policies.

Print version | Digital version

Related Stories
Tags
Privacy Law
Westin Research Center
Recent Comments