CCPA Right to Opt Out for the Sale of Personal Information
The California Consumer Privacy Act (CCPA) provides consumers with the right to opt out and stop businesses from selling their personal information. The CCPA opt out provision is one of several in California’s new privacy law that goes into effect on January 1, 2020 and will be enforced by the California Attorney General starting at the latest on July 1, 2020 per the SB 1121 amendments.
About the CCPA
The measures of the CCPA to stop the sale of personal information and give back control of their data to consumers were passed by the CA legislature and signed by CA Governor Jerry Brown at the end of June 2018. The law was initially drafted by a private organization and proposed as a ballot initiative for the November 2018 election. Following the Cambridge Analytica scandal in March and media coverage about the European Union’s implementation of the General Data Protection Regulation (GDPR) in May, public support grew for additional data privacy protections and several leading technology companies withdrew their opposition.
As a result, the initiative received sufficient support among the California legislature that the politicians consulted with the advocates for the CCPA and drafted AB-375, the legislative bill that would be passed unanimously at the end of June. While the California legislature was considering action on CCPA, other states were acting as well. Vermont passed its own law to require the registration of data brokers acting within its state. And the last of the 50 states were adopting data breach notification laws to make notifying consumers of the leak of their personal information a requirement in every state in the country.
About the Right to Opt Out in the CCPA
The right to opt out in the California Consumer Privacy Act gives consumers the ability to direct a business not to sell their personal information to a third party. This section does not stop a business from distributing the data within the organization that collected it (even to different business units). It also does not stop all transfers to third parties as businesses can continue to provide personal information to their service providers pursuant to a written contract that meets the law’s requirements. Further, they can continue to provide data that does not meet the definition of personal information.
Notwithstanding the limitations of this section of the privacy law, the restriction on the sale of personal information, in conjunction with the data subject access rights provided by the law, will do much to give consumers options to maintain control over their data.
GETÂ OUR FREE WHITE PAPER ON THE NEW CALIFORNIA LAW …
How will the right to opt out work?
This right applies to all California consumers ages 16 or older and may be exercised at any time. The exercise of the right to opt out must be honored by a business unless the individual subsequently decides to opt-in to the sale of their personal information.
When the law goes into effect, a Do Not Sell My Personal Information link or logo will be found on the homepage of websites operating in California as well as in any California specific section of their privacy policy.
What does the Right to Opt Out mean for Businesses?
First, the CCPA only covers businesses that have more than $25 million in annual revenue, possess personal information on 50,000 people or households annually, or receive more than 50% of their revenue from the sale of personal information. If a company does not fall within these parameters, then they do not technically need to offer the right to opt out (whether they need to do so practically to stay competitive in the marketplace is an important separate question).
Second, the right to opt out requires businesses to determine what information they are selling to third parties. The sale of personal information is broadly defined by the law to include selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration. In other words, most business to business transfers of personal information will fall within the definition of a sale.
Note that the definition of sale within the CCPA is broader than the classic definition of the term “sale”. A business does not need to be offering the personal information in the market for money and transferring it to the third party in order to fall within the definition. The definition includes simply making it available to the third party for valuable consideration. It does not need to include a transfer of money to be considered a sale.
Why is the definition of sale so broad? This appears to be a deliberate effort to prevent circumvention of the law by creative relationships between different business entities to transfer data in circumvention of the law in the future.
The sale of personal information does not include if the consumer directs a business to interact with a third party, the business alerts third parties that the consumer has opted out, the sharing of information is necessary to perform a business purpose and meets the other conditions specified, or the information is transferred as part of an asset in a merger, acquisition, bankruptcy or other change of control of the business.
Service Provider Exemption
Most businesses that fall within the expanded definition of the term “sale” will need to utilize the service provider exception to continue to transfer personal information to third parties. There are several requirements to meet this exemption. It involves providing notice to the consumer about the sharing and having a written contract with the service provider governing the relationship, with a necessary business purpose for the data sharing. The contract must prohibit the entity receiving the information from retaining, using or disclosing the personal information for any purpose other than that specified in the contract, as a service for the transferring business.
What information may not be transferred after an opt-out?
Personal information is broadly defined under the law. As a result, the transfer of any information that identifies or could reasonably be linked to a particular person or household that is not made available from federal, state or local government records will be included within the opt-out. This includes, among other things, name, IP address, email address, social security numbers, commercial information such personal property records, biometric information, search history, geolocation data, audio or visual information, employment-related information, education information, and inferences drawn from any of the identified information.
If an individual exercises the right to opt out, the business must honor the request for 12 months before it asks the individual to opt-in to the sale of their personal information.
Opt Out Protections
Businesses may not discriminate against consumers that exercise their rights, although they may offer a different price or financial incentives insofar as it complies with the exceptions provided for in the law. Any difference in price must be reasonably related to the value provided to the consumer by the consumer’s data, not unreasonable or coercive, disclosed to the consumer, and the consumer gives prior opt-in consent that may be revoked at any time.
This section was initially a total prohibition on price discrimination against consumers that exercised the right to opt out of the sale of personal information. However, it was subsequently modified in the CA legislature to permit limited price and service quality variations. Businesses are still working through the compliance challenges of offering these sort of financial incentives programs.
Restrictions Before Opt-Out
The CCPA also puts an important restriction on the transfer and sale of personal information even if an individual has not opted out. Third parties receiving data from a business may not resell it unless the consumer has received explicit notice and is given an opportunity to exercise their right to opt-out.
Children’s Personal Information
Children are not covered by the right to opt out because they have been given additional protections. In order to sell the personal information of kids under the age of 16, businesses need to acquire their opt-in consent (as well as their parent/guardian for those less than 13 years old.
Right to Opt Out Compliance Software
Clarip can help covered businesses prepare for the CCPA effective date of January 1, 2020. For additional information about the California Consumer Privacy Act, please visit our CCPA summary.
Contact Clarip for CCPA and GDPR Software
The Clarip privacy management software is ready to help improve your organization’s privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo with a member of the Clarip team.
If your immediate need is California Consumer Privacy Act compliance, take a look at our CCPA software. From consent management to powerful DSAR Software, Clarip offers enterprise privacy management at an affordable price.
Still working on GDPR compliance? We understand! Our GDPR software tools offers a range of options from data mapping software, DPIA automation, and cookie management for ePrivacy.
CONTACT US TO SCHEDULE A DEMO OF THE CLARIP SOFTWARE PLATFORM …
Related Content
Consent Management Software Platform
Preference Management Software Solution
Opt In & Opt Out Consent Software for CCPA
Right to Opt Out in CCPA
Mobile App Consent Manager
Service Providers and the Right to Opt Out under the California Consumer Privacy Act
Opt In Consent for Children in CCPA
How to Obtain Consent Under GDPR
Best Practices for GDPR Consent
GDPR’s Special Categories of Personal Data
Verbal Consent Under GDPR
GDPR-K: Children’s Data and Parental Consent