CCPA/CPRA-Compliant Consent

The California Consumer Privacy Act (CCPA/CPRA) has wide implications for how businesses may collect, process, and share personal data.

Specifically, there are occasions where you'll need someone's express consent before you can gather their personal details or process them in any way. This usually concerns the "sale" of personal data, including data belonging to minors.

But before we get into the details, let's briefly touch on what the CCPA (CPRA) is, how it works, and who must comply with its requirements.

Note that the CPRA amended and expanded the CCPA.


The CCPA (CPRA)

The CCPA (CPRA) came into force on January 1, 2020. It regulates how businesses treat personal and sensitive information belonging to Californians.

Here's a summary of the key points.

"Personal Data"

The CCPA (CPRA) controls what businesses may do with "personal data." The Act defines personal data fairly broadly in Section 1798.140:

CCPA Section 1798.140 - Definition of Personal Information

Let's unpack this.

  • Personal data isn't just information you could use to identify a single person. It's also data you could use to identify a particular household.
  • If you can use information to draw an inference about someone or their behavior, personality, or preferences, it's also personal data.

If in doubt, it's always safer to assume something's personal data than not.

The Rights of the Individual

Under the CCPA (CPRA), people have a number of rights including the following:

  • Know what categories of personal information businesses collect from them, and why
  • Understand if a business plans on sharing their data with third parties, or selling it
  • Refuse to let businesses sell their personal information to third parties
  • Ask businesses to delete their data
  • Request portable copies of the data held on them

In short, the CCPA (CPRA) helps people control who they share personal data with, but it also allows businesses to continue collecting data for commercial or other legitimate business purposes.

Who the CCPA (CPRA) Applies to

The CCPA (CPRA) protects Californian consumers, as per Section 1798.140(C)(7)(g):

CCPA Section 1798.140 - Definition of Consumer

To be clear, this means any resident of California buying goods or services, i.e., acting as a consumer.

There are some occasions when you must get an individual's informed consent before sharing their personal data, and people are free to withdraw their consent at any time (and you can't discriminate against them if they do).

Complying With the CCPA (CPRA)

That's what the CCPA (CPRA) is, but who must comply? Well, the rules are simple. You must comply with the CCPA (CPRA) if you:

  • Are a for-profit company
  • Collect personal information from California residents, and
  • Decide how that data should be used

It's irrelevant whether you're based in California or not. If you transact with Californian residents, the Act may apply to you.

I say "may" because there's no need to comply unless one of the following additional criteria applies:

  • You earn 50% or more in profit through sharing or selling consumer data
  • You sell or buy data belonging to 100,000+ individuals
  • Your gross income exceeds $25 million

This is all defined in Section 1798.140(C):

CCPA Section 1798.140 - Definition of Business

CCPA Consent Requirements

As mentioned, there are only a few occasions when you need someone's consent to process their personal data under the CCPA (CPRA).

So, when do consent requirements arise?

Mainly, on one occasion: When you plan on selling someone's personal data.

Selling Personal Information Under the CCPA (CPRA)

First, let's be clear on what a "sale" is under the CCPA (CPRA).

As we can see from Section 1798.140, a "sale" essentially covers any situation where you share any piece of information with a third party in exchange for something of value, financial or otherwise:

CCPA Section 1798.140 - Definition of Sell

You could be "selling" personal data if, for example, you share data with third parties to produce personalized ad campaigns. For businesses, then, this means that there's a good chance you could be selling data within the meaning of the CCPA (CPRA).

To be clear, there are some exceptions to the rule. You're not selling personal data if:

  • You're informing a third party that the consumer doesn't want their information sold
  • The consumer asks you to share their data with a third party
  • You use the data for a reasonable business purpose which is compatible with why you gathered the information originally

"Reasonable business purpose" isn't well-defined, but it seems similar to the "legitimate interest" exception under the GDPR. So, if you can show you're using the data in a way the consumer would reasonably expect, it's probably not a sale.

In short, if there's any chance you're selling someone's data within the Act's meaning, it's best to proceed as if you are, which means following the CCPA/CPRA's "opt out" rules.

Let's break them down.

Do Not Sell My Personal Information: Opt Out Rules

The main rule is this: Although the Act allows you to share personal data with third parties, every Californian (over the age of 16) has the right to opt out, i.e., they can stop you selling their personal data.

To comply with this right, and to ensure you have someone's consent to sell their personal information, you must do three things.

  • Create a Do Not Sell My Personal Information page and link to it somewhere prominently on your website, whether it's through your main web page or your Privacy Policy
  • Inform consumers of their rights under the Act by including appropriate clauses in your Privacy Policy
  • Treat all consumers fairly, even if they do opt out. You can't discriminate against them.

Let's unpack all of this further.

There's no set format for what a "Do Not Sell" page should look like, but according to Section 1798.135, it must contain three things.

  • Information regarding your data selling policies
  • A process for how users may opt out
  • Contact details so that people can ask you for more information before they make a decision

CCPA Section 1798.135 - Do Not Sell page requirements

As we can see, you must also provide a link to this page on your main homepage, or somewhere obvious within your Privacy Policy (if you're relying on Section 3).

Check out this example from Walmart. There's a "Do Not Sell" link at the bottom of the main page along with other important links:

Walmart website footer with Do Not Sell My Personal Information page link highlighted

Here's another example from Levi's. You'll find a link called "CA Do Not Sell My Personal Information" in the footer:

Levis website footer with CA Do Not Sell My Personal Information page link highlighted

When you click the link, a box pops up directing consumers to contact Levi's for more information, or submit a request:

Levi's Do Not Sell My Personal Information page with opt-out section highlighted

Always use a "Do Not Sell" link if you sell personal information, or if there's even a chance you might do so.

Once you've created your "Do Not Sell" page, you should include clauses in your Privacy Policy confirming:

  • If you sell personal data
  • How customers can opt out, and
  • Where they can contact you for more information

Let's go back to Walmart. When you open its Privacy Policy, there's a section dedicated to CCPA (CPRA) rights:

Walmart Privacy Policy: CCPA clause

Clause 3 of this section explains that Walmart may sell data within the meaning of the CCPA (CPRA), and gives people clear instructions for opting out:

Walmart Privacy Policy: Stop Selling My Personal Information clause

Contact details are also included:

Walmart Privacy Policy: Contact clause

Finally, if you haven't sold any personal data within the Act's meaning in the last 12 months, you must specify this in your Privacy Policy, or else you'll need a "Do Not Sell" page.

You can say something like, "We do not sell your personal information to any third party." Here's an example from Gymshark:

Gymshark California Privacy Notice: Sale of Personal Information clause

However, you must be sure you're not actually selling data before you do this. Otherwise, it's best to use a "Do Not Sell" page.

Selling Information About Minors: Opt In Rules

When it comes to under-16s, the position's a little different.

In short, children must opt in before you can sell or share their personal data with any third party. You can't knowingly sell or share data belonging to under-16s unless:

  • The child, aged 13 or over, consents, or
  • If the child's under 13, a parent consents

This is set out in Section 1798.120(c):

CCPA Section 1798.120 - Consent from minors requirements

So, rather than opting out, minors must opt in. How do you ensure you're not knowingly sharing personal data belonging to a minor, though?

Well, there are a few things you can do (technically, these tips apply to gathering personal data from kids more generally, but they work equally well for CCPA (CPRA) consent compliance).

Use Age Verification

Do you think under-16s use your website? It might be best to verify users' ages before they can use your website, e.g., open an account or buy goods. You can then, ideally, separate data belonging to minors from data belonging to adults and avoid selling it to third parties.

Here's an example of a possible age verification technique from the Disney Store:

Disney Create Account form with birth date field highlighted

Sesame Street has a good approach. You can't open an account unless you're an adult, which means it's the parent, or guardian, consenting to the terms of your Privacy Policy, including the sale of personal data (we touched on those clauses in the previous section):

Sesame Street Account registration for adults only disclaimer

If your website is aimed at under-13s, this is probably the better approach.

Data Limitation

Alternatively, you can limit what information you collect from kids to reduce the risk of gathering data you can't sell without permission.

PBS Kids, for example, doesn't let children share personal data in their usernames:

PBS Kids Create Username form

Privacy Policy

Finally, if you don't have a reasonable belief that under-16s use your website, it might not be proportionate to collect age information. In this case, you should explain in your Privacy Policy that:

  • You don't knowingly sell data belonging to under-16s (or under-13s), and
  • If someone has reason to believe you have data belonging to a minor, they can contact you to ensure it's deleted.

Here's an example from HowStuffWorks. As set out in its Privacy Policy, the company doesn't knowingly process data belonging to minors, and under-13s should not use the services:

HowStuffWorks Privacy Statement: Children Under the Age of 13 clause

As you can see, it's a balancing act. While you should take reasonable steps to verify someone's age, the steps you take must be proportionate.

Where possible, try not to sell minors' data at all, so you don't fall short of the Act's requirements.

Finally, always keep a record of any consent you receive from minors or their guardians, so that it's verifiable consent.
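The opt-out and opt-in rules above (Sections 1798.120(c) and 1798.135, as this page summarises them) can be turned into a single decision point in your code, with a consent log behind it so that any decision is verifiable later. The following is an added example, not code from the original page or from PrivacyPolicies.com. It assumes a constructed `Consumer` record with a date of birth and a list of `ConsentRecord` events; the `kind` and `source` fields are hypothetical names, and treating an unknown age under the adult opt-out regime is a design assumption reflecting the page's point that collecting age may be disproportionate when there is no reasonable belief that minors use the site.

```python
"""Consent gate for CCPA/CPRA sale or sharing decisions (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Age thresholds from Section 1798.120(c), as summarised on this page.
PARENTAL_CONSENT_BELOW = 13   # under 13: a parent or guardian must opt in
OPT_IN_BELOW = 16             # 13 to 15: the child must opt in; 16+: opt-out regime


def age_on(dob: date, today: date) -> int:
    """Whole years between a date of birth and a reference date."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


@dataclass(frozen=True)
class ConsentRecord:
    """One auditable consent event. Keep every event so consent is verifiable.

    kind    : "opt_out", "opt_in" or "parental_opt_in" (hypothetical names)
    granted : True when the signal was given; False when it was withdrawn
              (for "opt_out", False means the consumer opted back in)
    source  : hypothetical: where the signal came from, e.g. "do_not_sell_page"
    """
    kind: str
    granted: bool
    recorded_at: date
    source: str


@dataclass
class Consumer:
    subject_id: str
    dob: Optional[date]                       # None when age was never collected
    consents: list[ConsentRecord] = field(default_factory=list)

    def latest(self, kind: str) -> Optional[ConsentRecord]:
        """Most recent record of a given kind, or None if there is none."""
        matching = [c for c in self.consents if c.kind == kind]
        return max(matching, key=lambda c: c.recorded_at) if matching else None


def may_sell(consumer: Consumer, today: date) -> tuple[bool, str]:
    """Decide whether this consumer's personal information may be sold or shared.

    Returns (allowed, reason). The reason string is meant for the audit trail.
    Assumption: an unknown age falls under the adult opt-out regime.
    """
    age = age_on(consumer.dob, today) if consumer.dob is not None else None

    if age is not None and age < PARENTAL_CONSENT_BELOW:
        rec = consumer.latest("parental_opt_in")
        if rec is not None and rec.granted:
            return True, "under 13: parent or guardian opted in"
        return False, "under 13: no parental opt-in on record"

    if age is not None and age < OPT_IN_BELOW:
        rec = consumer.latest("opt_in")
        if rec is not None and rec.granted:
            return True, "13-15: child opted in"
        return False, "13-15: no opt-in on record"

    # Adults (and unknown age): allowed unless the latest opt-out signal stands.
    rec = consumer.latest("opt_out")
    if rec is not None and rec.granted:
        return False, "16+ or age unknown: consumer opted out via Do Not Sell"
    return True, "16+ or age unknown: no opt-out on record"


if __name__ == "__main__":
    # Constructed sample consumers, not real data.
    today = date(2024, 6, 1)
    adult = Consumer("a1", date(1990, 1, 1))
    adult.consents.append(ConsentRecord("opt_out", True, date(2024, 1, 1), "do_not_sell_page"))
    teen = Consumer("t1", date(2010, 1, 15))
    for c in (adult, teen):
        print(c.subject_id, may_sell(c, today))
```

Because every signal is appended rather than overwritten, "opt back in" after an opt-out is just a later `opt_out` record with `granted=False`, and the original opt-out stays in the log. Any data you actually hand to a third party should go through `may_sell` first, and the returned reason should be stored with the transfer so a later dispute can be traced back to the consent state at the time.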

Penalties For Non-Compliance

If you fail to get CCPA/CPRA-compliant consent, you could be subject to financial penalties.

As set out in Section 1798.155, if you're notified of a non-compliance issue, you have 30 days to remedy the violation. This is known as the "time to cure." If you haven't complied with the CCPA (CPRA) within the 30-day period, you could be fined:

  • $2,500 for a non-intentional infringement
  • $7,500 for a deliberate infringement

The fine is per violation. So, for example, if you commit two accidental violations and don't fix them within 30 days, you could be fined $5,000.

While the current law states that you have 30 days to fix a breach before you're fined, this could change.

Conclusion

The California Consumer Privacy Act (CCPA/CPRA) applies to businesses targeting consumers in California. It gives people living in California control over what happens to their personal data, who it's shared with, and whether it's sold on.

If the CCPA (CPRA) applies, you don't normally need someone's consent to process personal information. However, you do need consent in the context of selling personal data. To summarise, you need consent if:

  • Someone opts out of personal data selling, and you want to request they opt back in
  • You want to sell data belonging to minors

If consent is required, you must:

  • Use a "Do Not Sell" page
  • Include informative clauses in your Privacy Policy
  • Take reasonable steps to verify the age of under-16s, and never sell their data unless they opt in first

A failure to secure the right consent may lead to financial penalties.