The CCPA/CPRA's Consent Requirements

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 06 March 2023.

You may have read that the California Consumer Privacy Act (CCPA) doesn't require consent for personal data. This is technically true for adults, but you do not have an absolute right to use the data.

Consumers have the right to stop you using data in several key ways. You do also need consent in some cases involving children.

Here's what you need to know about what the CCPA requires when it comes to consent, and how to comply with the requirements under the law.

(Please note that the CPRA added additional requirements to the CCPA by expanding and amending it, taking effect in Jan 2023.)


Does the CCPA (CPRA) Apply to Me?

If you are a business (or any other for-profit entity) and you serve customers in California, you will come under the CCPA (CPRA) if you meet any of three thresholds. (The Act applies regardless of where you are physically based.)

  • The first threshold is an annual gross revenue that exceeds $25 million.
  • The second threshold is that you buy, sell or share personal information (for business purposes) about 10,000 consumers or households in a year.
  • The third threshold is that sharing or selling consumers' personal information generates at least half of your annual revenue.

The CCPA/CPRA's rules over consent for data about adults can be confusing and lead to people talking at cross-purposes, particularly when comparing it to other privacy laws.

To put this into context, laws such as Europe's GDPR rely on active, advance consent. With these laws, you must get an intentional, informed confirmation from a person to show that they consent.

The CCPA (CPRA) requires active, advance consent in limited circumstances. Individuals also have the right to demand that you stop using the data in certain ways, and you must comply with this demand.

You could arguably describe the CCPA (CPRA) as having "default," "negative" or "implied" consent. In other words, you can treat customers as if they have consented to the data use unless and until they tell you otherwise. This is really a matter of semantics, however. What matters is that you follow the rules.

The CCPA/CPRA's Consumer Rights

Whenever you take an action or set a policy to follow the CCPA (CPRA), you should bear in mind the law explicitly says it is meant to protect privacy rights:

  • The consumer must know what personal information you collect
  • The consumer must be able to access the personal information you hold about them
  • The consumer must know if you sell or disclose their personal information and, if so, who gets it
  • The consumer must be able to stop you selling their personal information, or opt out of processing, sharing and selling of the data
  • The consumer must be able to opt out of automated decision-making
  • The consumer must be able to have their data in a portable format upon request
  • The consumer must be able to request that you and anyone you've shared their data with delete the data
  • The consumer must be able to get an equal service and pricing even if they exercise these rights (non-discrimination)
  • The consumer must be able to request limits to the use of their sensitive personal information

The rights only apply to citizens of California. This means only they can exercise the rights.

Giving Consumers Information Under the CCPA (CPRA)

One of the key trade-offs for not having to get explicit consent under the CCPA (CPRA) is that you must give consumers clear information about how you are using their personal data. The Act groups personal data into the following 12 categories:

  1. Identifiers such as names, postal addresses, email addresses, passport numbers, etc.
  2. Special categories of personal information
  3. Characteristics of legally protected classifications
  4. Commercial information such as records of purchases
  5. Biometric information
  6. Internet and electronic network activity such as browsing and search history
  7. Geolocation data
  8. Audio, visual, electronic, olfactory, thermal information or similar
  9. Information related to employment and profession
  10. Information related to education when not publicly available information
  11. Inferences drawn from any of these categories that work to create a consumer profile
  12. Sensitive personal information

You will need to give users information about the data you collect, both in their specific case and your overall use.

Advance Notification

When you collect data from a consumer, you must say which categories it falls into. For each category you must say how and why you will use the data. Note that although you don't need consent to collect and use the data, you must give this information before you collect the data.

You must also tell users before you sell or share data with a third party. You must tell them which categories apply and, for each category, who will receive the data.

VMware gives a clear overview of the types of data it shares, noting the section of the CCPA and giving examples for each category listed:

VMware California Privacy Rights: Categories of Personal Information Collected - CCPA chart excerpt

Data Access Requests

You will also need to give consumers information if they make a data access request, which they can do twice a year. You will need to tell them the following even if you've already notified them about it before.

  • What data you've collected about the individual
  • The reasons you used the data
  • A category-by-category breakdown of whether you've collected data and, if so, where it came from and who you've shared it with

This information must cover all data in the past 12 months.

Having seen this information, the customer may ask you to delete some of the data. You must do so unless it's needed for an ongoing contract or transaction, or for security reasons.

Handling Customer Opt-Outs Under the CCPA (CPRA)

The CCPA (CPRA) gives consumers the right to opt out of you selling their personal data. If they opt out, you must stop selling the data within 10 days and you cannot start again until they give permission. You cannot ask for this permission for at least 12 months.

Within 90 days of the consumer opting out you must get in touch with anyone to whom you've already sold the consumer's data. They must also stop selling the data and get in touch with anyone to whom they sold the data, and so on.

The CCPA (CPRA) says you must have a dedicated page for consumers to contact you to use this opt-out. Your home page must link to this page using the link text "Do Not Sell My Personal Information."

Tableau more than complies with this rule by including the text in its footer menu, shown on every page of its site:

Tableau website footer with Do Not Sell link highlighted

Colgate-Palmolive gives two ways to exercise the opt-out:

Screenshot of Colgate-Palmolive Do Not Sell page

Children and the CCPA (CPRA)

Under the CCPA (CPRA), selling the personal data of people aged under 16 requires active, advance consent.

This works on an opt-in basis. If you know the person is aged between 13 and 16, you must get their consent. If you know the person is aged under 13, you must get consent from their parent or guardian.

It's your responsibility to check the child's age. If you "wilfully disregard" this responsibility, you'll be treated as if you knew how old the child was. This will increase the potential penalty for not getting consent.

The CCPA (CPRA) doesn't specify how you should get consent other than to say the child, parent or guardian must have "affirmatively authorized" the sale of the data. Some good principles to follow include:

  • Give clear information so that the child, parent or guardian knows what they are consenting to, including who is buying the data
  • Use appropriate language if you are asking for consent from a child
  • Require an active consent such as clicking a button or ticking a box. Remember that the authorization must be affirmative, so you can't require somebody to tick an opt-out box or say that continuing to use a site counts as consent.
  • For children aged under 13, consider ways to verify the consent really is from a parent or guardian

HCA Healthcare uses a dedicated form which reminds parents and guardians that they can withdraw consent at any time:

HCA Healthcare CCPA Parental Consent form with Revoke Consent section highlighted

The CCPA (CPRA) doesn't require active, advance consent to collect or use a child's data for reasons other than selling it. However, remember that the CCPA (CPRA) is not the only privacy law that may affect you. In particular, the Children's Online Privacy Protection Rule (COPPA) applies if you aim your website or online service at children under 13, or if you know children under 13 are using it.

If COPPA applies, you must get parental or guardian consent before collecting or using any personal data about a child aged under 13. You must verify this consent is genuine and really does come from the parent or guardian.

Summary

Let's recap what you need to know about the CCPA (CPRA) and consent.

  • The CCPA (CPRA) doesn't require general explicit consent to collect, use or sell personal data about adults. However, people do have some rights to stop you using their data.
  • The CCPA (CPRA) applies if you serve California and you either have an annual gross revenue above $25 million, buy, sell or disclose personal data about 100,000 people or homes a year, or make more than half your annual revenue from selling or sharing personal data.
  • Consumers have specific rights regarding their data under CCPA (CPRA). They must be able to know what data you collect, know what data you hold and know what data you sell. They must also be able to stop you selling data. You can't refuse service or charge more to people who exercise these rights.
  • You must have a dedicated page for consumers to stop you selling their data. Your home page must use the words "Do Not Sell My Personal Information" to link to this page.
  • You must get active, advance consent before selling personal data about a child aged under 16. If the child is aged 13-16 the consent can come from the child. If the child is aged under 13 the consent must come from their parent or guardian.
  • If the child is under 13, the federal COPPA rule will also apply. This means you need parental or guardian consent to collect or use data about the child.