Discover what your business needs to do in order to comply with the CCPA, and the exact nature of “opting out”.
The California Consumer Privacy Act (CCPA) is the second piece of legislation passed in the US that focuses on data protection and privacy, following the Nevada online privacy law.
The CCPA ultimately aims to improve the protections and rights of consumers whose data is being collected and used by companies.
The title of the act indicates a limited scope focusing on consumers, to the exclusion of employees.
The CCPA confers several key rights that companies conducting business in California should be aware of, along with their obligations in relation to those rights.
The main obligations to be aware of are informing customers what data will be collected and what it will be used for, responding to consumer requests, and providing an opt-out mechanism for the sale of the data to a third party.
It is that final part that is of interest.
Consumers now have Opt-out rights!
Section 1798.120 of the CCPA states that consumers now have the right, at any time, to request that the company not sell their personal information.
This is otherwise referred to as the right to “opt-out”.
The exercise of this right is further defined under Section 1798.135, which states that companies should provide a link on their website to a form that enables consumers to make that request.
The common question that arises from the legislation is how the opt-out procedure should work on the website and whether there are any similarities to the requirements in Europe.
The simple answer would be that they are quite distinct at the surface level, but when you dig into the actual definition of what is considered the sale of data, complications arise.
The right to opt-out is strictly focused on the sale of personal data.
The question that comes out of this is what would be considered a sale of data.
The section that provides the definitions outlines two main things to consider when determining whether a sale is taking place:
The communication of personal information is quite simple to understand for the most part.
It is the second element that raises the question: “What would also be seen as consideration for the sale?”
Receiving payment from the third party for the provision of that data is the clearest example; however, it can be assumed that if the data is being provided in return for services, this would be considered a sale as well.
This then brings us to the use of third-party cookies, such as analytics, marketing and social media cookies.
Their interaction with websites, and how they collect the data of visitors and the access they are given to that data, indicates that the first element of communication is satisfied.
The second element depends on whether something is being provided in return for access to the information. This most likely falls under the provision of a service, such as providing an analysis of the visitors to the website, marketing assistance through the cookies, or connecting them to another platform.
This ties the right to opt-out with the use of certain cookies, as there is a sale taking place under those circumstances.
So, combined with the traditional sale of data, any opt-out mechanism online should ideally incorporate a restriction on the use of third-party cookies that are collecting personal data.
Taking into account the above points, companies are required to have a link on their website for people to exercise the right to opt-out of the sale, informing them of the right and enabling the consumer to direct the company that they wish to exercise that right.
In light of the above comments, this should also restrict the use of third-party cookies and other tracking technology that may be used by third parties.
There is, however, another issue that makes it a bit more complicated: a distinction between age groups.
16+ Opt-in VS Opt-out
Those under 16 years of age accessing a website have to opt in to the sale of their data, while those older have the right to opt out.
This means providing a link for an opt-out runs the risk of being non-compliant, on the mere basis that websites may have visitors who are the age for opt-out.
Thus the best practice would be for the right to be exercised at first instance, putting it within a banner similar to how consent is captured for cookies in the EU.
A summary of how companies should approach the CCPA Opt-out.
In short, the link to the process for opting out should be easily accessible upon arrival on the website or, for the purpose of best practice, made accessible in the form of a pop-up on arrival.
So there you have it…
Use the information to make sure you don’t find yourself fined.