Welcome

ANALYSIS: Options Muddle California’s Updated Opt-Out Notice

March 8, 2021, 2:22 PM

Two links? One link? No link at all? So many options for an opt-out protocol!

The California Privacy Rights Act (CPRA) offers a variety of ways for businesses to notify consumers of their right to opt out of certain uses of their personal information. Thankfully, since the CPRA’s provisions won’t become operational until 2023, there’s plenty of time to assess which option—two, one, or none—works best for you. Still, be forewarned that the CPRA’s failure to standardize an opt-out regime may increase the likelihood of consumer confusion over the scope―and manner―of opting out.

The CPRA is the voter-approved sequel to the California Consumer Privacy Act (CCPA), which created, among other things, a right for consumers to opt out of the “sale” of their personal information.

It’s been said that the CCPA’s definition of “sale” is not your mother’s definition and extends beyond a common understanding of the word. But the definition is nevertheless significant because it determines whether and how a business must provide an opt-out notice.

Specifically, businesses that “sell” personal information—i.e., those who rent, release, disclose, disseminate, make available, transfer, or otherwise communicate a consumer’s personal information “for monetary or other valuable consideration"―must notify consumers of their right to opt out of such transactions and provide instructions on how they may exercise their right.

Moreover, businesses that operate a website must provide a clear and conspicuous link on the website’s homepage, labeled “Do Not Sell My Personal Information,” that provides access to an interactive form by which consumers can submit their requests to opt out. (See Bloomberg Law’s annotated checklist on creating a compliant notice to opt out.)

The CPRA, however, introduces significant changes to the opt-out notice, as outlined in the following image:

To enlarge the image, click here.

Notably, the CPRA expands the opt-out right beyond personal information that is merely “sold,” and it creates a new right for a special class of personal information.

Option A: Two Links

As I mentioned in an earlier article, the CPRA covers personal information “shared” as well as “sold.” It also creates a new subcategory of personal information, known as “sensitive personal information” (SPI).

As a consequence, the two-link notice option requires (1) an update to the “Do Not Sell” link—specifically, editing it to say “Do Not Sell or Share My Personal Information”—and (2) a separate link addressing SPI.

But what seems like a simple, albeit inefficient, solution raises the prospect of confounding consumers.

As I explained before, “sharing” refers to transfers of personal information to a third party for cross-context behavioral advertising; it does not require the exchange of consideration. “Selling,” by contrast, covers transfers “for monetary or other valuable consideration,” as noted above.

Whether a transfer is occasioned by “selling” or “sharing”—indeed, whether it requires an exchange of consideration or doesn’t—is immaterial to consumers. Opting out means opting out. In all likelihood, adding another term to an existing opt-out-of-sale link will only prompt observant consumers to question what their past opt-out requests did NOT cover.

And when those questions arise, I suspect that parroting the CPRA’s definition of “cross-context behavioral advertising” will fall a little short of the requirement to use “plain, straightforward language” and to avoid the use of “technical or legal jargon.”

Remember, your notice must be “easy to read and understandable to consumers.” And regardless of whether consumers directly ask what “sharing” means, your notice will still need to explain it.

The situation doesn’t get any easier with the second link, addressing SPI.

The CPRA’s right regarding SPI is not a right to opt out per se, but rather a right to limit a business’s use and disclosure of SPI. Specifically, it prohibits businesses from using SPI beyond that which is “necessary” or “reasonably expected,” or outside statutorily prescribed business purposes. To the extent a business uses SPI beyond those constraints, it must notify consumers and provide a second “clear and conspicuous link” labeled “Limit the Use of My Sensitive Personal Information.”

That link will need to direct consumers to a page that (1) explains what SPI is; (2) specifies the additional purposes for which SPI will be used; (3) informs consumers that they have a right to limit the business from using SPI for those additional purposes; and (4) describes how consumers may exercise that right.

Too much information? I’d say so.

Option B: One Link

If the two-link option seems like businesses will have a lot of explaining to do, the one-link option differs only in the number of links. All of the same information must be conveyed behind a “single, clearly-labeled” link, and that link must “easily allow” a consumer to opt out of the sale or sharing of personal Information and limit the use or disclosure of SPI.

The CPRA does not specify how to “clearly label” a link that conveys two distinct messages, nor does it indicate how to “easily” permit consumers to perform both tasks.

Presumably, the yet-to-be-formed California Privacy Protection Agency—the new enforcement authority created by the CPRA—will issue regulations clarifying such matters, but those regulations are not due for another 16 months. July 1, 2022, to be exact.

Can’t wait that long? See Option A.

Option C: No Link

As for the no-link option, again, you’ll need to wait until the summer of ’22.

In lieu of providing any opt-out links, the CPRA permits businesses to recognize an “opt-out preference signal” sent with the consumer’s consent by a “platform, technology, or mechanism.”

Unfortunately, the CPRA does not clearly define what an “opt-out preference signal” is, but it’s likely synonymous with a “user-enabled global privacy control,” which the CCPA regulations describe as “a browser plug-in or privacy setting, device setting, or other mechanism” that communicates the consumer’s choice to opt-out. See 11 CCR § 999.315.

In any event, for CPRA purposes, the signal should permit consumers to opt out of the sale and sharing of their personal information and limit the use of their SPI in one fell swoop.

Curiously, businesses employing the no-link option have a further option—drumroll, please—to provide a link (I’m not making this up) to a special webpage that enables consumers to consent to the business ignoring the opt-out preference signal.

In other words, businesses choosing to employ a technology that automatically recognizes a consumer’s opt-out preferences have the option to create a link that would facilitate authorization for the business to override the technology and disregard those preferences.

While you’re wrapping your head around that, be advised that the preference signal option must be based on technical specifications set forth in regulations not yet proposed, i.e., the aforementioned regulations not due to be adopted until July of 2022.

Can’t wait that long? See Option A.

Next Steps

Waiting for the draft proposed regulations would be a prudent first step before committing to an opt-out approach, but now’s the time to familiarize yourself with the options and identify business practices that may affect your ultimate choice. Do you “share” personal information? Do you use “sensitive personal information”? If so, for what purposes?

If you anticipate that a CPRA opt-out notice will be required, now’s also the time to start drafting “easy to read and understandable” language related to your consumer data practices. I’d be particularly interested in seeing a consumer-friendly description of “cross-context behavioral advertising.” Please share!

Bloomberg Law subscribers can find related content on our In Focus: CCPA page.

If you’re reading this on the Bloomberg Terminal, please run BLAW OUT <GO> in order to access the hyperlinked content.

To read more articles log in. To learn more about a subscription click here.