The California Consumer Privacy Act (CCPA) gives consumers the right to request that a business (1) respond to the consumer with a list of the categories or specific pieces of personal information that the business has collected about that consumer (request to know); (2) delete any personal information that the business has collected from the consumer (request to delete); and (3) not sell the consumer’s personal information (request to opt out). The California attorney general’s proposed regulations implementing the CCPA set forth the requirements not only for how a business must receive such requests, but also for how it must respond to them. This article explains the rules and outlines the best practices for businesses providing responses to a consumer’s request to opt out made under the CCPA.
The CCPA provides that a consumer “shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.” The CCPA’s definition of “sale” extends beyond transfers and uses of data related to a transaction in which a buyer pays a seller for goods or services. “Sale” is broadly defined by the CCPA as the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
This means that “sale” under the CCPA includes transactions in which a buyer pays a seller for goods or services, but also encompasses a wide range of other business activities that are usually not considered “sales” under the common meaning of the term. The limiting phrase “valuable consideration” has not been defined in the statute or in the California attorney general’s general draft regulations issued on October 10, 2019. Businesses must thus first determine whether they sell personal information within the meaning of the CCPA and if so, how the request to opt out affects their business. It is important to note that disclosures of personal information to a service provider do not constitute a sale if the written agreement includes certain CCPA-mandated contractual provisions that restrict the third-party service provider’s right to use personal information to just the services provided under the contract for the business’s legitimate business purposes. A future article in this series will discuss service providers in more detail.
Methods for Opting Out. A business must provide two or more designated methods for submitting requests to opt out, including, at a minimum, an interactive web form accessible through “a clear and conspicuous” link on the business’s internet homepage or mobile application, titled “Do Not Sell My Personal Information,” or “Do Not Sell my Info.” An opt-out button is also acceptable as long as it is in addition to posting a notice of the right to opt out, but it cannot replace posting a notice. The proposed regulations state that a form of opt-out button or logo will be added in a modified version of the proposed regulations and made available for public comment.
Other acceptable methods for submitting these requests to opt out include providing a toll-free phone number, a designated email address, a form submitted in person, a form submitted through the mail, and user-enabled privacy controls, like a browser plugin or privacy setting.
If a business substantially interacts with consumers offline, then it must provide notice to those consumers by an offline method that informs the consumers of their right to opt out. Acceptable methods of achieving this include printing the notice on paper forms that collect personal information, providing the consumer with a paper version of the notice, posting signage directing consumers to a website, or other methods.
Who Can Opt Out? A request to opt out can be submitted by a consumer or by an authorized agent on the consumer’s behalf if the consumer provides the authorized agent written permission to do so. If a business believes a request to opt out is fraudulent, it may deny the request.
Responding to an Opt-Out Request. When responding to a request to opt out, a business may present the consumer with the choice to opt out of sales of certain categories of personal information as long as a global option to opt out of the sale of all personal information is more prominently presented than the other choices. A business cannot require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.
Fifteen-Day Limit. When a business receives an opt-out request, the business should act as quickly as possible to comply with it. However, a business is not permitted to take more than 15 days from the date it receives the request to comply.
Notifying Third Parties of Opt Out. If a consumer has submitted an opt-out request, but the consumer’s information has already been sold within the 90 days prior to the business’s receipt of the request, the business to which the request was made must notify third parties of the request to opt out and direct those third parties to no longer sell the consumer’s personal information.
Twelve-Month Limitation. For consumers who have exercised their right to opt out of the sale of their personal information, a business must refrain from requesting that the consumer authorize the sale of the consumer’s personal information for at least 12 months.
A consumer may also request to opt in to the sale of personal information, which may be accomplished through a two-step opt-in process in which the consumer clearly requests to opt in and then separately confirms their choice to opt in. In addition, a business can tell a consumer who has opted out when a transaction specifically requires the sale of their personal information as a condition of the transaction, along with instructions on how the consumer can opt in.
Businesses must keep records of consumer requests, including requests to opt out, for at least 24 months.
The CCPA also provides that “a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age.” This is true unless a consumer between 13 and 16 years old has affirmatively authorized the sale of the consumer’s personal information, or a guardian of a minor less than 13 years has authorized the sale of the minor’s personal information. It is important to know that a business that “willfully disregards” the consumer’s age will be deemed to have had actual knowledge of the consumer’s age. The CCPA’s rules relating to personal information of minors will be addressed in more detail in a future article.
Businesses should build or modify processes to respond to a consumer’s request to opt out and to implement a “Do Not Sell” button. This process should begin with an assessment of the extent to which the business is engaged in “sales” of personal information under the CCPA’s broad definition of that term. The scope of the opt-out obligation may be limited by ensuring that applicable service provider agreements have been reviewed and amended, as necessary, to include CCPA service provider provisions. It may be beneficial to run an internal test to determine where gaps may be in the business’s processes to help prepare personnel to address a consumer’s request within the CCPA-required timelines. Socializing these requirements and training personnel as to how to address these types of requests is required and may help ensure a controlled implementation of the opt-out requirements.
The proposed regulations also have detailed requirements regarding responses to requests to know and requests to delete, which have been discussed in previous articles.
The California attorney general issued proposed regulations for the CCPA on October 10, 2019. The proposed regulations are pending public comment through December 6, 2019. As part of the rulemaking process, the California attorney general will then decide whether any modifications should be made to the proposed regulations before they become final. In the meantime, the proposed regulations provide useful guidance as businesses prepare for and comply with the CCPA, which takes effect on January 1, 2020.
The Morgan Lewis privacy team is providing practical advice on privacy to more than 100 businesses on compliance with CCPA, the newly proposed regulations, and how to accept, verify, and respond to requests. If you have any questions or would like more information, please contact any of the following Morgan Lewis lawyers:
 California Consumer Privacy Act, Section 1798.120(a).
 California Consumer Privacy Act, Section 1798.140(t)(1).
 CCPA Proposed Regulations, Section 999.306(a)(2).
 CCPA Proposed Regulations, Section 999.306(c); Section 999.308(b)(3).
 CCPA Proposed Regulations, Section 999.315(a).
 CCPA Proposed Regulations, Section 999.306(e)(1).
 CCPA Proposed Regulations, Section 999.306(b)(2).
 CCPA Proposed Regulations, Section 999.315(h).
 CCPA Proposed Regulations, Section 999.315(d).
 Cal. Civil Code Section 1798.135(a)(1).
 CCPA Proposed Regulations, Section 999.315(e).
 CCPA Proposed Regulations, Section 999.315(f).
 Cal. Civil Code Section 1798.135(a)(5).
 CCPA Proposed Regulations, Section 999.316(a).
 Cal. Civil Code Section 1798.120(c).