CCPA-Compliant Consent

by Jennifer L. Legal writer.
CCPA-Compliant Consent

The California Consumer Privacy Act (CCPA) has wide implications for how businesses may collect, process, and share personal data.

Specifically, there are occasions where you'll need someone's express consent before you can gather their personal details or process them in any way. This usually concerns the "sale" of personal data, including data belonging to minors.

But before we get into the details, let's briefly touch on what the CCPA is, how it works, and who must comply with its terms.


The CCPA

The CCPA came into force on January 1, 2020. It regulates how businesses treat personal and sensitive information belonging to Californians.

Here's a summary of the key points.

"Personal Data"

The CCPA controls what businesses may do with "personal data." The Act defines personal data fairly broadly in Section 1798.140:

CCPA Section 1798 140 - Definition of Personal Information V2

Let's unpack this.

  • Personal data isn't just information you could use to identify a single person. It's also data you could use to identify a particular household.
  • If you can use information to draw an inference about someone or their behavior, personality, or preferences, it's also personal data.

If in doubt, it's always safer to assume something's personal data than not.

The Rights of the Individual

Under the CCPA, people have the right to:

  • Know what categories of personal information businesses collect from them, and why
  • Understand if a business plans on sharing their data with third parties, or selling it
  • Refuse to let businesses sell their personal information to third parties
  • Ask businesses to delete their data
  • Request portable copies of the data held on them

In short, the CCPA helps people control who they share personal data with, but it also allows businesses to continue collecting data for commercial or other legitimate business purposes.

Who the CCPA Applies to

The CCPA protects Californian consumers, as per Section 17984.140(C)(7)(g):

CCPA Section 1798 140 - Definition of Consumer V2

To be clear, this means any resident of California buying goods or services i.e. acting as a consumer.

For the most part, consent isn't much of an issue in the CCPA. It's normally ok to collect, use, and process a Californian consumer's data without their consent. We'll cover the exceptions in more detail in a moment, but for now, just know that:

  • There are some occasions when you must get an individual's informed consent before sharing their personal data, and
  • People are free to withdraw their consent at any time (and you can't discriminate against them if they do).

Complying With the CCPA

Complying With the CCPA

That's what the CCPA is, but who must comply? Well, the rules are simple. You must comply with the CCPA if you:

  • Are a for-profit company
  • Collect personal information from California residents, and
  • Decide how that data should be used

It's irrelevant whether you're based in California or not. If you transact with Californian residents, the Act may apply to you.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. PrivacyPolicies.com: Privacy Policy Generator - Select platforms - Step 1

  4. Add information about your business: your website and/or app.
  5. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  6. Select the country:
  7. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  8. Answer the questions from our wizard relating to what type of information you collect from your users.
  9. PrivacyPolicies.com: Privacy Policy Generator - Answer questions from our wizard - Step 3

  10. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

    PrivacyPolicies.com: Privacy Policy Generator - Enter your email address - Step 4

    And you're done! Now you can copy or link to your hosted Privacy Policy.

I say "may" because there's no need to comply unless one of the following additional criteria applies:

  • You earn 50% or more in profit through selling consumer data
  • You sell or buy data belonging to 50,000+ individuals
  • Your gross income exceeds $25 million

This is all defined in Section 1798.140(C):

CCPA Section 1798 140 - Definition of Business V2

So, for example, if your gross income is $24 million, and you only sell or buy data belonging to 10,000 individuals, and only 10% of your profits come from selling consumer data, the CCPA doesn't apply.

CCPA Consent Requirements

As mentioned, there are only a few occasions when you need someone's consent to process their personal data under the CCPA.

So, when do consent requirements arise?

Mainly, on one occasion: When you plan on selling someone's personal data.

Selling Personal Information Under the CCPA

First, let's be clear on what a "sale" is under the CCPA.

As we can see from Section 1798.140, a "sale" essentially covers any situation where you share any piece of information with a third party in exchange for something of value, financial or otherwise:

CCPA Section 1798 140 - Definition of Sell V2

You could be "selling" personal data if, for example, you share data with third parties to produce personalized ad campaigns. For businesses, then, this means that there's a good chance you could be selling data within the meaning of the CCPA.

To be clear, there are some exceptions to the rule. You're not selling personal data if:

  • You're informing a third party that the consumer doesn't want their information sold
  • The consumer asks you to share their data with a third party
  • You use the data for a reasonable business purpose which is compatible with why you gathered the information originally

"Reasonable business purpose" isn't well-defined, but it seems similar to the "legitimate interest" exception under the GDPR. So, if you can show you're using the data in a way the consumer would reasonably expect, it's probably not a sale.

In short, if there's any chance you're selling someone's data within the Act's meaning, it's best to proceed as if you are, which means following the CCPA's "opt out" rules.

Let's break them down.

Do Not Sell My Personal Information: Opt Out Rules

Do Not Sell My Personal Information: Opt Out Rules

The main rule is this: Although the Act allows you to share personal data with third parties, every Californian (over the age of 16) has the right to opt out i.e. they can stop you selling their personal data.

To comply with this right, and to ensure you have someone's consent to selling their personal information, you must do three things.

  • Create a Do Not Sell My Personal Information page and link to it somewhere prominently on your website, whether it's through your main web page or your Privacy Policy
  • Inform consumers of their rights under the Act by including appropriate clauses in your Privacy Policy
  • Treat all consumers fairly, even if they do opt out. You can't discriminate against them.

Let's unpack all of this further.

There's no set format for what a "Do Not Sell" page should look like, but according to Section 1798.135, it must contain three things.

  • Information regarding your data selling policies
  • A process for how users may opt out
  • Contact details so that people can ask you for more information before they make a decision

CCPA Section 1798 135 - Definition of Do Not Sell Page V2

As we can see, you must also provide a link to this page on your main homepage, or somewhere obvious within your Privacy Policy (if you're relying on Section 3).

Check out this example from Walmart. There's a "Do Not Sell" link at the bottom of the main page along with other important links:

Walmart website footer with Do Not Sell My Personal Information page link highlighted

Here's another example from Levi's. You'll find a link called "CA Do Not Sell My Personal Information" in the footer:

Levis website footer with CA Do Not Sell My Personal Information page link highlighted

When you click the link, a box pops up directing consumers to contact Levi's for more information, or submit a request:

levis-do-not-sell-personal-information-page-opt-out-section-highlighted

Always use a "Do Not Sell" link if you sell personal information, or if there's even a chance you might do so.

Once you've created your "Do Not Sell" page, you should include clauses in your Privacy Policy confirming:

  • If you sell personal data
  • How customers can opt out, and
  • Where they can contact you for more information

Let's go back to Walmart. When you open its Privacy Policy, there's a section dedicated to CCPA rights:

Walmart Privacy Policy: CCPA clause

Clause 3 of this section explains that Walmart may sell data within the meaning of the CCPA, and gives people clear instructions for opting out:

Walmart Privacy Policy: Stop Selling My Personal Information clause

Contact details are also included:

Walmart Privacy Policy: Contact clause

Finally, if you haven't sold any personal data within the Act's meaning in the last 12 months, you must specify this in your Privacy Policy, or else you'll need a "Do Not Sell" page.

You can say something like, "We do not sell your personal information to any third party." Here's an example from Gymshark:

Gymshark California Privacy Notice: Sale of Personal Information clause

However, you must be sure you're not actually selling data before you do this. Otherwise, it's best to use a "Do Not Sell" page.

Selling Information About Minors: Opt In Rules

Selling Information About Minors: Opt In Rules

When it comes to under-16s, the position's a little different.

In short, children must opt in before you can sell or share their personal data with any third party. You can't knowingly sell or share data belonging to under-16s unless:

  • The child, aged 13 or over, consents, or
  • If the child's under 13, a parent consents

This is set out in Section 1798.120(c):

CCPA Section 1798 120 - Consent from minors requirements

So, rather than opting out, minors must opt in. How do you ensure you're not knowingly sharing personal data belonging to a minor, though?

Well, there are a few things you can do (technically, these tips apply to gathering personal data from kids more generally, but they work equally well for CCPA consent compliance).

Use Age Verification

Do you think under-16s use your website? It might be best to verify users' ages before they can use your website e.g. open an account or buy goods. You can then, ideally, separate data belonging to minors from data belonging to adults and avoid selling it to third parties.

Here's an example of a possible age verification technique from the Disney Store:

Disney Create Account form with birth date field highlighted

Sesame Street has a good approach. You can't open an account unless you're an adult, which means it's the parent, or guardian, consenting to the terms of your Privacy Policy, including the sale of personal data (we touched on those clauses in the previous section):

Sesame Street Account registration for adults only disclaimer

If your website is aimed at under-13s, this is probably the better approach.

Data Limitation

Alternatively, you can limit what information you collect from kids to reduce the risk of gathering data you can't sell without permission.

PBS Kids, for example, doesn't let children share personal data in their usernames:

PBS Kids Create Username form

Privacy Policy

Finally, if you don't have a reasonable belief that under-16s use your website, it might not be proportionate to collect age information. In this case, you should explain in your Privacy Policy explaining that:

  • You don't knowingly sell data belonging to under-16s (or under-13s), and
  • If someone has reason to believe you have data belonging to a minor, they can contact you to ensure it's deleted.

Here's an example from HowStuffWorks. As set out in its Privacy Policy, the company doesn't knowingly process data belonging to minors, and under-13s should not use the services:

HowStuffWorks Privacy Statement: Children Under the Age of 13 clause

As you can see, it's a balancing act. While you should take reasonable steps to verify someone's age, the steps you take must be proportionate.

Where possible, try to avoid selling minors' data to avoid falling short of the Act's requirements.

Finally, always keep a record of any consent you receive from minors or their guardians, so that it's verifiable consent.

Penalties For Non-Compliance

Penalties For Non-Compliance

If you fail to get CCPA-compliant consent, you could be subject to financial penalties.

As set out in Section 1798.155, if you're notified of a non-compliance issue, you have 30 days to remedy the violation. This is known as the "time to cure". If you haven't complied with the CCPA within the 30-day period, you could be fined:

  • $2,500 fine for a non-intentional infringement
  • $7,500 for a deliberate infringement

  • Bryan Cave Leighton Paisner: CCPA Section 1798 155 - Attorney General Guidance and Enforcement with fines highlighted

  • The fine is for a single violation. So, for example, if you commit two accidental violations, and you don't fix them within 30 days, you could be fined $5,000.
  • While the current law states that you have 30 days to fix a breach before you're fined, this could change.

Conclusion

The California Consumer Privacy Act (CCPA) applies to businesses targeting consumers in California. It gives people living in California control over what happens to their personal data, who it's shared with, and whether it's sold on.

If the CCPA applies, you don't normally need someone's consent to process personal information. However, you do need consent in the context of selling personal data. To summarise, you need consent if:

  • Someone opts out of personal data selling, and you want to request they opt back in
  • You want to sell data belonging to minors

If consent is required, you must:

  • Use a "Do Not Sell" page
  • Include informative clauses in your Privacy Policy
  • Take reasonable steps to verify the age of under-16s, and never sell their data unless they opt in first

A failure to secure the right consent may lead to financial penalties.

Last updated on 13 August 2021

Article categories

Jennifer L.

Legal writer.