Consumer Consent: A Major Focus in 2023 - Clarip Privacy Blog

Consumer Consent: A Major Focus in 2023

A major data privacy focus in 2023 among state legislators and data privacy professionals is consumer consent. Consumer consent means a consumer’s freely informed and specific written agreement to the collection, processing, and disclosure of Personally Identifiable Information (PII). At least 25 states and Puerto Rico introduced, or considered, almost 140 consumer privacy bills in 2023, with consent driving the discussion. The five state privacy laws have explicit and nuanced requirements when it comes to consent.

As of Apr 2023, five states have enacted comprehensive consumer privacy laws:

What are the consent requirements for the CCPA and CPRA?

The CCPA and CPRA amendments require that service providers obtain consent from consumers before collecting, using, or disclosing their PII. Consent must be obtained for each specific purpose for which the information will be used.

CCPA consent requirements:

  • Businesses must provide clear and conspicuous notice at or before the point of data collection regarding the categories of personal information to be collected and the purposes for which it will be used.
  • Consumers have the right to opt out of the sale of their personal information. Businesses must provide a “Do Not Sell My Personal Information” link on their website.
  • Businesses must obtain affirmative consent from consumers before collecting the personal information of minors under the age of 16.

CPRA amendments to consent requirements:

  • The CPRA builds upon and expands the CCPA’s requirements, adding new consumer rights and protections.
  • Businesses must provide more detailed information to consumers about the categories of personal information collected, the purposes for which it will be used, and the rights of consumers to control their personal information.
  • The CPRA also introduces a new category of “sensitive personal information,” which requires additional protections and restrictions on its collection, use, and sharing.

What are the consent requirements for the CPA?

Under the CPA, companies will have to obtain express, affirmative consent to process personal information that involves or reveals sensitive data. The CPA defines consent as “a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data.”

However, the CPA further clarifies that consent does not include:

  • Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information.
  • Hovering over, muting, pausing, or closing a given piece of content.
  • Agreement obtained through dark patterns.

Like the CCPA, the CPA requires companies to obtain consent before processing “sensitive data,” which includes information “revealing”:

  • Racial or ethnic origin.
  • Religious belief.
  • Mental or physical health condition or diagnosis.
  • Sex life or sexual orientation.
  • Citizenship or citizenship status.
  • Genetic and biometric data.
  • Personal data regarding a known child.

Unlike other US state laws, the CPA’s definition of sensitive data does not include precise geolocation or financial data. Under this definition of consent, companies will no longer be able to use general acceptance of terms of use or broad notices with unrelated terms as evidence of consent to process sensitive personal data.

What are the consent requirements for the CTDPA?

Under the CTDPA, a consumer’s consent must be “freely given, specific, informed and unambiguous,” and the law specifically dictates that it cannot be obtained through the use of dark patterns.

Like the other US state laws, the CTDPA uses an opt-out model, which means that personal data can be collected without requiring consumers’ consent, but consent must be obtained before the data can be sold or shared (with some exceptions). Also, sensitive data under CTDPA covers “precise geolocation data.”

The CTDPA exempts the following entities from compliance requirements:

  • State and local government entities
  • Nonprofits
  • Institutions of higher education
  • Certain national security associations
  • Financial institutions covered by the Gramm-Leach-Bliley Act (GLBA)
  • “Covered entities” and “business associates” as defined under the Health Insurance Portability and Accountability Act (HIPAA)

What are the consent requirements for the VCDPA?

Like the EU’s GDPR, the Virginia Consumer Data Protection Act (VCDPA) requires businesses to obtain opt-in consent to collect or process sensitive data. This is broader and stricter than the CCPA. Businesses must obtain consent via “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement.”

This made the VCDPA the first comprehensive U.S. privacy law to require opt-in consent for the use of sensitive personal information. This includes race, ethnicity, precise geolocation data and certain health data like mental or physical health diagnosis.

The VCDPA provides exemptions for certain businesses and certain categories of data:

  • Financial institutions or data subject to the Gramm-Leach-Bliley Act (GLBA)
  • Covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA)
  • Nonprofit organizations
  • Institutions of higher education

What are the consent requirements for the UCPA?

Unlike most US data privacy laws, the UCPA does not require consent for processing PII or sensitive personal data. However, controllers do have to clearly notify consumers and provide the opportunity to opt out of having their sensitive personal data processed before it is collected and processed.

Under the UCPA, consent is only required in the context of parental consent for processing children’s data.

Washington’s My Health, My Data Act

Beyond the current 5 comprehensive data privacy laws, on 17 April the Washington state legislature completed the final step needed to pass the My Health, My Data Act, which aims to “close the gap” between current industry practices and consumers’ understanding of how their health data is collected, stored, and transferred.

The current legislative session in Washington ended on April 23. Because the bill arrived on the desk of Gov. Jay Inslee, R-Wash., less than five days before the end of the legislative session, he now has 20 days to sign the bill into law or veto it. If he does not take any action, the bill will automatically become law.

How should an organization obtain, record, and manage consent?

In conclusion, a widely accepted privacy principle of “Consumer Consent” is that an individual’s PII should only be collected and used with the consent of that individual, unless there is another basis in law for the collection and use.

Consent requests need to be prominent, concise, easy to understand and separate from any other information such as general terms and conditions.

Companies should:

  • Keep your consent request separate from your general terms and conditions, and clearly direct people’s attention to it, for instance in the footer at the bottom of your website.
  • Use clear, straightforward, and consistent language and methods across multiple consent options.
  • Adopt a simple style that your intended audience will find easy to understand.
  • Avoid technical or legal jargon with confusing terminology.
