The CCPA's Consent Requirements

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 14 May 2021.

The CCPA's Consent Requirements

You may have read that the California Consumer Privacy Act (CCPA) doesn't require consent for personal data. This is technically true for adults, but you do not have an absolute right to use the data.

Consumers have the right to stop you using data in several key ways. You do also need consent in some cases involving children.

Here's what you need to know about what the CCPA requires when it comes to consent, and how to comply with the requirements under the law.


Does the CCPA Apply to Me?

If you are a business (or any other for-profit entity) and you serve customers in California, you will come under the CCPA if you meet any of three thresholds. (The Act applies regardless of where you are physically based.)

  • The first threshold is an annual gross revenue that exceeds $25 million.
  • The second threshold is that you buy, sell or share personal information (for business purposes) about 50,000 consumers, devices or households in a year.
  • The third threshold is that selling consumers' personal information generates at least half of your annual revenue.

The CCPA's rules over consent for data about adults can be confusing and lead to people talking at cross-purposes, particularly when comparing it to other privacy laws.

To put this into context, laws such as Europe's GDPR rely on active, advance consent. With these laws, you must get an intentional, informed confirmation from a person to show that they consent.

The CCPA doesn't require active, advance consent. You can collect and use the data right away without any confirmation from the person. However, they do have the right to demand you to stop using the data in certain ways and you must follow this demand.

Use FreePrivacyPolicy.com to generate the necessary legal agreements for your website/app:

And check our Free Cookie Consent and make your business legally compliant with the Cookies Directive in the EU.

You could arguably describe the CCPA as having "default," "negative" or "implied" consent. In other words, you can treat customers as if they have consented to the data use unless and until they tell you otherwise. This is really a matter of semantics, however. What matters is that you follow the rules.

The CCPA's Consumer Rights

Whenever you take an action or set a policy to follow the CCPA, you should bear in mind the law explicitly says it is meant to protect five privacy rights:

  • The consumer must know what personal information you collect
  • The consumer must know if you sell or disclose their personal information and, if so, who gets it
  • The consumer must be able to stop you selling their personal information
  • The consumer must be able to see the personal information you have about them
  • The consumer must be able to get an equal service and pricing even if they exercise these rights

A court or regulatory body can take these rights into account when settling any ambiguity with the specific measures in the CCPA.

The rights only apply to citizens of California. This means only they can exercise the rights.

Giving Consumers Information Under the CCPA

Giving Consumers Information Under the CCPA

One of the key trade-offs for not having to get explicit consent under the CCPA is that you must give consumers clear information about how you are using their personal data. The Act groups personal data into the following 11 categories:

  1. Identifiers such as names, postal addresses, email addresses, passport numbers, etc.
  2. Special categories of personal information
  3. Characteristics of legally-/protected classifications
  4. Commercial information such as records of purchases
  5. Biometric information
  6. Internet and electronic network activity such as browsing and search history
  7. Geolocation data
  8. Audio, visual, electronic, olfactory, thermal information or similar
  9. Information related to employment and profession
  10. Information related to education when not publicly available information
  11. Inferences drawn from any of these categories that works to create a consumer profile

You will need to give users information about the data you collect, both in their specific case and your overall use.

Advance Notification

When you collect data from a consumer, you must say which categories it falls into. For each category you must say how and why you will use the data. Note that although you don't need consent to collect and use the data, you must give this information before you collect the data.

You must also tell users before you sell or share data with a third party. You must tell them which categories apply and, for each category, who will receive the data.

VMWare gives a clear overview of the types of data it shares, noting the section of the CCPA and giving examples for each category listed:

VMWare California Privacy Rights: Categories of Personal Information Collected - CCPA chart excerpt

Data Access Requests

You will also need to give consumers information if they make a data access request, which they can do twice a year. You will need to tell them the following even if you've already notified them about it before.

  • What data you've collected about the individual
  • The reasons you used the data
  • A category-by-category breakdown of whether you've collected data and, if so, where it came from and who you've shared it with

This information must cover all data in the past 12 months.

Having seen this information, the customer may ask you to delete some of the data. You must do so unless it's needed for an ongoing contract or transaction, or for security reasons.

Handling Customer Opt-Outs Under the CCPA

Handling Customer Opt-Outs Under the CCPA

The CCPA gives consumers the right to opt out of you selling their personal data. If they do so, you must stop doing so within 10 days and you cannot start again until they give permission. You cannot ask for this permission for at least 12 months.

Within 90 days of the consumer opting out you must get in touch with anyone to whom you've already sold the consumer's data. They must also stop selling the data and get in touch with anyone to whom they sold the data, and so on.

The CCPA says you must have a dedicated page for consumers to contact you to use this opt-out. Your home page must link to this page using the link text "Do Not Sell My Personal Information."

Tableau more than complies with this rule by including the text in its footer menu, shown on every page of its site:

Tableau website footer with Do Not Sell link highlighted

Colgate-Palmolive gives two ways to exercise the opt-out:

Screenshot of Colgate-Palmolive Do Not Sell page

Children and the CCPA

Selling the personal data of people aged under 16 is the one situation where the CCPA does directly require active, advance consent.

This works on an opt-in basis. If you know the person is aged between 13 and 16, you must get their consent. If you know the person is aged under 13, you must get consent from their parent or guardian.

It's your responsibility to check the child's age. If you "wilfully disregard" this responsibility, you'll be treated as if you knew how old the child was. This will increase the potential penalty for not getting consent.

The CCPA doesn't specify how you should get consent other than to say the child, parent or guardian must have "affirmatively authorized" the sale of the data. Some good principle to follow include:

  • Give clear information so that the child, parent or guardian knows what they are consenting to, including who is buying the data
  • Use appropriate language if you are asking for consent from a child
  • Require an active consent such as clicking a button or ticking a box. Remember that the authorization must be affirmative, so you can't require somebody to tick an opt-out box or say that continuing to use a site counts as consent.
  • For children aged under 13, consider ways to verify the consent really is from a parent or guardian

HCA Healthcare uses a dedicated form which reminds parents and guardians that they can withdraw consent at any time:

HCA Healthcare CCPA Parental Consent form with Revoke Consent section highlighted

The CCPA doesn't require active, advanced consent to collect or use a child's data for reasons other than selling it. However, remember that the CCPA is not the only privacy law that may affect you. In particular, the Children's Online Privacy Protection Rule (COPPA) applies if you aim your web site or online service at children under 13, or if you know children under 13 are using it.

If COPPA applies, you must get parental or guardian consent before collecting or using any personal data about a child aged under 13. You must verify this consent is genuine and really does come from the parent or guardian.

Penalties for Violating the CCPA

The CCPA is enforced by California's Attorney General, who can give 30 days' notice to fix any breach. If you don't fix the breach, you face a civil penalty of $2,500 for each unintentional violation and $7,500 for each intentional violation.

Future Changes to the CCPA

In November 2020, Californian voters backed a ballot initiative for a series of measures that build upon the CPPA. These measures are collectively known as the California Privacy Rights Act (CPRA). The state now has until the end of June 2022 to adopt relevant regulations, with the CPRA taking legal force on 1 January 2023.

The CPRA doesn't change the basic principle of not requiring active, advance consent before collecting and using data. It does add several requirements about how consumers can opt-out of data use, in effect overriding any implied or default consent. These include the following:

  • Consumers can stop you disclosing their data to third parties even if you aren't paid for it.
  • Consumers can stop you using automated decision making (profiling) using their data.
  • Some information, including government issued numbers, financial account details, health information and genetic data, will fall into a new category called "sensitive personal information." Consumers can stop you using this data for any reason other than to provide goods and services that they've asked for.

The CPRA strengthens the penalties for violations including the data of people you know to be aged under 16, including the consent requirements. The maximum penalty in such cases will triple to $7,500 for unintentional violations and $22,500 for intentional violations.

Summary

Let's recap what you need to know about the CCPA and consent.

  • The CCPA doesn't require explicit consent to collect, use or sell personal data about adults. However, people do have some rights to stop you using their data.
  • The CCPA applies if you serve California and either have an annual gross revenue above $25 million, if you buy, sell or disclose personal data about 50,000 people, homes or devices a year, or if you make more than half your annual revenue from selling personal data.
  • Consumers have specific rights regarding their data under CCPA. They must be able to know what data you collect, know what data you hold and know what data you sell. They must also be able to stop you selling data. You can't refuse service or charge more to people who exercise these rights.
  • You must have a dedicated page for consumers to stop you selling their data. Your home page must use the words "Do Not Sell My Personal Information" to link to this page.
  • You must get active, advance consent before selling personal data about a child aged under 16. If the child is aged 13-16 the consent can come from the child. If the child is aged under 13 the consent must come from their parent or guardian.
  • If the child is under 13, the federal COPPA rule will also apply. This means you need parental or guardian consent to collect or use data about the child.
  • A new law, the CPRA, takes effect in 2023. It gives consumers extra rights including stopping you disclosing data (rather than just selling it). They can also stop you using a new category of "sensitive personal information" in any way except to complete a contract.