The California Consumer Privacy Act (CCPA), is the second piece of legislation in the US to be passed focusing on data protection and privacy, following the Nevada Online privacy law. You can become CCPA compliant simply and quickly by using the Seers CCPA Compliant Cookie Consent Solution.
The CCPA Act is ultimately aimed to improve the protections and rights for consumers whose data is being collected and used by companies in California.
What does CCPA mean for companies?
The CCPA Act conferred several key rights that companies should be aware of when conducting business in California and their obligations in relation to those rights.
The main ones to be aware of include: informing their customers on what data they will be collecting and what they will use it for, responding to consumer requests, and providing an opt-out mechanism for the sale of personal data to a third party.
It is the final part that is of key concern for companies.
Consumers now have Opt-out rights!
Under Section 1798.120 of the CCPA, it states that consumers now have the right to at any time, makes the request that the company does not sell their personal information.
Otherwise referred to as the right to “Opt-Out”.
The exercise of this right is further defined under Section 1798.135, which states they should provide a link on their website to a form that enables them to make that request.
The common question that arises from the legislation is how should the opt-out procedure work on the website and if there are any similarities to the requirements in Europe.
The simple answer would be that they are quite distinct, at the surface level, but when you dig into the actual definition of what is considered the sale of data, complications arise.
Defining the “Sale of Data”
The right to opt-out is strictly focused on the sale of personal data.
The question that arises, is what would be considered a sale of data?
Under the section that provides the definitions, it outlines two main areas to consider when determining whether the sale is taking place:
- The disclosure or communication of personal information, either orally, in writing, electronically or by other means;
- In exchange for monetary or other valuable consideration.
The communication of personal information is quite simple to understand for the most part.
While it is the second element, that raises questions as to “what would also be seen as consideration for the sale?”
What do we consider a Sale?
Receiving payment for the provision of that data by the third party is the clearest example, however, it can be assumed if the data is being provided in return for services this would be considered a sale as well.
This then brings us to the use of third-party cookies, such as analytics, marketing and social media cookies for example.
But what about third-party cookies as data?
Their interaction with websites, and how they collect the data of visitors and the access they are given to that data, indicates that the first element of communication is satisfied.
The second element is dependent on whether something is being provided in return for access to the information, is most likely falling under the provision of a service, such as providing an analysis of the visitors to the website or marketing assistance through the cookies or connecting them to another platform.
This ties the right to opt-out with the use of certain cookies, as there is a sale taking place under those circumstances.
So combined with the traditional sale of data, any opt-out mechanism online should ideally incorporate a restriction on the use of third parties cookies that are collecting personal data.
Ensuring your opt-out mechanism is compliant
Taking into account the above points, companies are required to have a link on their website for people to exercise the right to opt-out of the sale, informing them of the right and enabling the consumer to direct the company that they wish to exercise that right.
In light of the above comments, this should also restrict the use of third-party cookies and other tracking technology that may be used by third parties.
Though there is another issue that makes it that bit more complicated, which is a distinction between age groups.
16+ Opt-in VS Opt-out
Those under 16 years of age accessing a website, have to opt-in to the sale of their data, while those older have the right to opt-out.
This means providing a link for an opt-out runs the risk of it being non-compliant, on the mere basis that websites may have visitors who are the age for opt-out.
Thus the best practice would be for the right to be exercised at first instance, putting it
within a banner similar to how consent is captured for Cookies in the EU such as the one offered by Seers.
A summary of how companies should approach the CCPA Opt-out.
In short, the link to the process for opting out should be easily accessible upon arrival on the website, or for the purpose of best practice, making it accessible in the form of a pop-up on arrival.
The key points to consider are as follows:
- Making the process easy and accessible, informing the consumer of their right and how to exercise it in plain language.
- What are the chances that someone under the age of 16 will visit your website?
- The do-not sell functionality also applies to third-party cookies and stops them from transferring the data to those third parties.
So there you have it.