The California Consumer Privacy Act (CCPA) is the second piece of legislation in the US to be passed focusing on data protection and privacy, following the Nevada Online privacy law. You can become CCPA compliant simply and quickly by using the Seers CCPA Compliant Cookie Consent Solution.
The CCPA Act is aimed at improving the protections and rights for consumers in California.
What does CCPA mean for companies?
The CCPA Act conferred several key rights that companies should be aware of when conducting business in California, along with their obligations in relation to those rights.
The main ones to be aware of include: informing customers about what data they will be collecting and what they will use it for, responding to consumer requests, and providing an opt-out mechanism for the sale of personal data to a third party.
It is the final part that is of key concern for companies.
Consumers now have Opt-out rights!
Section 1798.120 of the CCPA states that consumers now have the right to request, at any time, that the company does not sell their personal information.
This is otherwise referred to as the right to “Opt-Out”.
Section 1798.135 states that companies should provide a link on their website to a form that enables consumers to make that request.
The common question that arises from the legislation is how the opt-out procedure should work on the website and whether there are any similarities to the requirements in Europe.
Defining the “Sale of Data”
The section that provides the definitions outlines two main areas to consider when determining whether a sale is taking place:
- The disclosure or communication of personal information, either orally, in writing, electronically or by other means;
- In exchange for monetary or other valuable consideration.
The communication of personal information is quite simple to understand for the most part.
What do we consider a Sale?
Receiving payment for the provision of that data by the third party is the clearest example.
This then brings us to the use of third-party cookies, such as analytics, marketing and social media cookies.
But what about third-party cookies as data?
Consider their interactions with websites, including how visitors’ data is collected and how access to that data is granted to them.
The second element depends on whether something is being provided in return for access to the information, such as an analysis of the visitors to the website.
This ties the right to opt-out with the use of certain cookies, as there is a sale taking place under those circumstances.
So, combined with the traditional sale of data, any opt-out mechanism online should ideally incorporate a restriction on the use of third-party cookies.
Ensuring your opt-out mechanism is compliant
Companies should provide a link on their website for people to exercise the right to opt out of the sale. They should inform consumers of the right and enable the consumer to direct the company that they wish to exercise that right.
There is, though, another issue that makes it that bit more complicated: a distinction between age groups.
16+ Opt-in VS Opt-out
Those under 16 years of age accessing a website have to opt in to the sale of their data. Those older have the right to opt out.
This means providing a link for an opt-out runs the risk of being non-compliant. Websites may have visitors who are the age for opt-out.
Thus the best practice would be putting it within a banner.
A summary of how companies should approach the CCPA Opt-out.
In short, the link to the process for opting out should be easily accessible upon arrival on the website or, for the purpose of best practice, made accessible in the form of a pop-up on arrival.
The key points to consider are as follows:
- Making the process easy and accessible, informing the consumer of their right and how to exercise it in plain language.
- What are the chances that someone under the age of 16 will visit your website?
- The do-not-sell functionality also applies to third-party cookies and stops them from transferring the data to those third parties.
So there you have it.