The CPRA Regulations to clarify and update the California Consumer Privacy Act (CCPA) are about to go into effect. The CCPA is intended to enhance the privacy rights of consumers in California, and the finalized draft regulations provide specific guidance for, among other things, how to support the opt-out rights of California users as it pertains to “selling/sharing” of personal information.
The Act does have guidance for the opt-out of offline data, privacy disclosures, and much more. The intent of this article is to share some of the guidance as it relates to marketing tags and pixels which use personal information to provide cross-context behavioral advertising, as well as how the draft might affect your organization’s method to comply with the opt-out requirement.
The first thing to consider is if your organization “sells/shares” personal information via marketing tags/pixels. As the senior data governance consultant here at InfoTrust, I rarely come across an organization that does not. If your organization is using marketing platforms to build audiences and retarget users, you are “selling” per CCPA and have the obligation to allow the user to opt-out of these activities.
Most organizations use a consent management platform to allow users to effectuate the opt-out request. Here are three of the recurring pitfalls I have seen, and some specific quotes from the draft addressing it.
Organizations using a banner that just speaks to cookies or cookie categories for the user to select
The draft regulations are very specific in this case; in fact, you don’t even need to be a lawyer to understand it:
The CCPA/CPRA does not concern itself with the setting of cookies like the European regulations many orgs are already familiar with. California wants an explicit message about the “sharing/selling” of personal information in your organization’s banner or link at the footer of all your websites pages in which personal information may be collected. The ability to opt-out of sharing or selling must be specifically addressed.
“When a business collects consumers’ personal information online, it may post a conspicuous link to the notice on the introductory page of the business’s website and on all webpages where personal information is collected.” (Page 18)
Furthermore a “cookies controls” banner with an “allow all” and “manage preferences” or “cookie preferences” is not considered a “symmetrical” choice for California users since the user must take extra steps to make a more privacy-safe choice.
“Symmetry in choice. The path for a consumer to exercise a more privacy-protective option shall not be longer or more difficult or time-consuming than the path to exercise a less privacy-protective option because that would impair or interfere with the consumer’s ability to make a choice. Illustrative examples follow.” (Page 9)
“A website banner that provides only the two choices when seeking the consumer’s consent to use their personal information, ‘Accept All’ and ‘More Information,’ or ‘Accept All’ and ‘Preferences,’ is not equal or symmetrical because the method allows the consumer to ‘Accept All’ in one step, but requires the consumer to take additional steps to exercise their rights over their personal information. Framing the consumer’s options in this manner impairs the consumer’s ability to make a choice. An equal or symmetrical choice could be ‘Accept All’ and ‘Decline All.’” (Page 9)
To summarize, your organization cannot use a standard cookie banner, with standard cookie banner language, or a “categorical cookie” control to be compliant with California. The banner must tell the consumer specifically about the right to opt-out of sharing/selling of personal information, and California is indicating a binary choice of “accept” or “decline.” A user selecting “decline” would be similar in approach to a user saying no to “targeting,” “advertising” and “social media” cookies depending upon your organizations use cases for those platforms.
Organizations not responding to Global Privacy Control or browser “signals,” from users requesting to opt-out
We have already seen an org hit with a violation from the California Attorney General for its website not responding to Global Privacy Control (GPC) signals. The finalized CPRA draft doubles down on this and mentions “signals” in general, not just specifically GPC.
“The purpose of an opt-out preference signal is to provide consumers with a simple and easy to-use method by which consumers interacting with businesses online can automatically exercise their right to opt-out of sale/sharing. Through an opt-out preference signal, a consumer can opt-out of sale and sharing of their personal information with all businesses they interact with online without having to make individualized requests with each business.” (Page 36)
The California attorney general specifically mentioned Global Privacy Control, which at this time is the closest to a standard for an opt-out preference signal supported by a number of browsers and plugins. The CPRA draft is stating your website must respond to browser preference signals and effectuate the users “opt-out” request.
“When a business that collects personal information from consumers online receives or detects an opt-out preference signal that complies with subsection (b):
(1) The business shall treat the opt-out preference signal as a valid request to opt-out of sale/sharing submitted pursuant to Civil Code section 1798.120 for that browser or device and any consumer profile associated with that browser or device, including pseudonymous profiles. If known, the business shall also treat the opt-out preference signal as a valid request to opt-out of sale/sharing for the consumer. This is not required for a business that does not sell or share personal information.” (Page 36)
No getting around it. I come across a fair amount of websites these days from large organizations in which the website is not responding to my Global Privacy Control signal—this is required—and must be followed for California users. In practice, if a user sends the signal to your website, all “sharing/selling” must stop, in the same way as if a user had selected “decline all” for “sharing/selling” when interacting with a banner.
Organizations using a “form submission” alone for the opt-out request of California users
I have often come across websites in which an organization is properly displaying a “Do not sell my personal information button” on all pages, but when clicking the link it takes me to a form in which I must provide my name, email, address, phone number, etc. While this is a valid method for allowing identified users to opt-out of “sharing/selling” especially as it relates to offline activities, it often does not account for pseudonymous users visiting the site.
“A business shall not require a verifiable consumer request for a request to opt-out of sale/sharing. A business may ask the consumer for information necessary to complete the request, such as information necessary to identify the consumer whose information shall cease to be sold or shared by the business. However, to the extent that the business can comply with a request to opt-out of sale/sharing without additional information, it shall do so.” (Page 42)
The form may be necessary for some businesses to comply, especially when you think about identified users, and effecting a request to opt-out that may go downstream to offline activities. For users just visiting your website and have no other identification to the organization than a unique browser ID, something like a consent management experience would be required. These users’ unique identifiers can still be “shared or sold” for cross-context behavioral advertising, and must have a means to opt-out.
BONUS: The CRPA draft offers an “alternative opt-out link”
This part of the draft I find particularly interesting, primarily from a wording perspective. I don’t think I have spoken to a single marketer who likes the idea of “Do Not Sell My Personal Information” language on every page of the website they operate. Let’s call it what it is—kind of nasty language—and not exactly what it means … since “sharing/selling” per CCPA doesn’t always mean physically taking money in exchange for personal information (at least in most cases although the law covers that as well). What user wants his/her personal information sold? Probably none if they take that statement literally! The draft has the answer to this dilemma: an “alternative opt-out link” using the wording “Your Privacy Choices” or “Your California Privacy Choices.”
“(a) The purpose of the Alternative Opt-out Link is to provide businesses the option of providing consumers with a single, clearly-labeled link that allows consumers to easily exercise both their right to opt-out of sale/sharing and right to limit, instead of posting the two separate ‘Do Not Sell or Share My Personal Information’ and ‘Limit the Use of My Sensitive Personal Information’ links. The Alternative Opt-out Link shall direct the consumer to a Page 25 of 66 webpage that would inform them of both their right to opt-out of sale/sharing and right to limit and provide them with the opportunity to exercise both rights.
(b) A business that chooses to use an Alternative Opt-out Link shall title the link, ‘Your Privacy Choices’ or ‘Your California Privacy Choices,’ and shall include the following opt-out icon adjacent to the title. The link shall be a conspicuous link that complies with section 7003, subsections (c) and (d), and is located at either the header or footer of the business’s internet Homepage(s). The icon shall be approximately the same size as other icons used by the business in the header or footer of its webpage.
(c) The alternative opt-out link shall direct the consumer to a webpage that includes the following information:
(1) A description of the consumer’s right to opt-out of sale/sharing and right to limit, which shall comply with section 7003, subsections (a) and (b); and
(2) The interactive form or mechanism by which the consumer can submit their request to opt-out of sale/sharing and their right to limit online. The method shall be easy for consumers to execute, shall require minimal steps, and shall comply with section 7004.” (Page 24-25)
That’s right, provided you use the specific language and icon they supply, instead of a “Do Not Sell My Personal Information” button on all pages or on a banner, you can present a “My Privacy Choices” button or link! Note from the excerpt of the draft above this must lead to a page or popup that tells the user about the right to opt-out of the “selling/sharing” personal information, and the “right to limit the use of sensitive personal information” (if your org uses sensitive personal information), as well as the ability for the user to exercise the opt-out if they choose to.
Thinking down the road, as more state regulations come into law, this singular button could lead to a page that addresses not only California, but other state laws that afford similar rights. I can see how this method could future-proof your architecture for the United States at least.
One final reminder, at InfoTrust we are trusted advisors in the area of analytics, governance, privacy, and more, but not lawyers! We recommend that you consult with a lawyer when making decisions about the law. We do offer services that can benefit your organization when working through these decisions, such as privacy audits, Tag Inspector, tag management services, and consent management configuration. Let us know how we can help!
**Important – The information covered in this article is not intended to be legal advice or counsel. You should not act or refrain from acting on the basis of any content included in this article regarding legal compliance without obtaining appropriate legal guidance. The contents of this article contain general information related to various laws and regulations, but may not reflect your current situation. In addition, applicable laws and regulations regularly change. This is particularly true with respect to data privacy laws and regulations. Therefore, any laws and regulations described or otherwise referenced in this article may not be current when you read the article or even at the time of publication. We disclaim all liability for actions you take or fail to take based on anything in this article. Any action you take or any action you refrain from taking based on the information in this article is entirely at your own discretion and risk.**