Like most privacy laws, the California Consumer Privacy Act (CCPA) as amended by the CPRA has some specific consent requirements.

Below, we'll talk about consent under the CCPA (CPRA), what is and isn't required, and then compare and contrast that with Europe's General Data Protection Regulation (GDPR).

What is the CCPA (CPRA)?

The California Consumer Privacy Act or CCPA (CPRA) is a privacy law enacted to strengthen privacy rights and data protection for California residents. Approved by California's Governor in June 2018, the CCPA took effect on January 1, 2020. It was amended by the CPRA, which took effect on January 1, 2023.

The CCPA (CPRA) grants consumers (i.e., California residents) a number of rights over their personal information, including the following:

  • The right to know what information has been collected/is held
  • The right to access the collected/stored information about them
  • The right to correct any errors in this information
  • The right to opt out of automated decision-making
  • The right to limit the use of sensitive personal information
  • The right to request deletion of data both from the main company as well as any third parties who may have bought the information or had it shared with them
  • The right to opt out of the processing, selling and sharing of the information
  • The right to opt in (for minors)
  • The right to data portability
  • The right to non-discrimination

For more information about CCPA (CPRA) rights, check out our article Consumer Rights Under the CCPA.

Who Does the CCPA/CPRA Apply to?

Despite being a state-level law, the CCPA (CPRA) is extraterritorial and, therefore, applicable beyond California and even the United States.

Essentially, any entity anywhere in the world that falls under the CCPA/CPRA's definition of a "business" must comply with its provisions.

The CCPA (CPRA) defines a "business" as any legal entity that:

  1. Pursues a profit
  2. Operates in California
  3. Decides why and how to process consumers' personal information, and
  4. Satisfies at least one of the following thresholds:

    • Its annual gross revenue exceeds $25 million
    • It annually buys, sells, receives, or shares the personal information of at least 100,000 consumers, households, or devices
    • It makes at least 50% of its annual revenue by selling or sharing consumers' personal information

What is Consent Under the CCPA (CPRA)?

Before the CPRA amendments, the CCPA used implied consent as its standard, with an opt-out approach.

Implied consent is when someone hasn't done anything to explicitly agree to anything (such as the processing of their personal information), yet consent is implied and assumed on the grounds of the user taking some relatively vague action such as simply browsing a website.

In short, people were assumed to have given consent based on very little, and were required to take steps to opt out to revoke consent.

However, the CPRA amended the CCPA by adding requirements for active and explicit consent when information is used for certain purposes.

Under the CPRA's amendment, consent is defined similarly as it is in the GDPR as follows:

“any freely given, specific, informed and unambiguous indication of the consumer’s wishes . . . such as by a statement or by a clear affirmative action, [that] signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose.”

The CPRA (and thus CCPA) notes what types of actions do not count as valid consent, such as closing or hovering over content on a website or using dark patterns to obtain it.

When is Consent Required Under the CCPA (CPRA)?

The CPRA expanded the consent requirements of the CCPA to include different levels of consent based on the use of personal information.

Consent is required under the following circumstances.

When Selling or Sharing Personal Information After Someone has Opted Out

Suppose someone decides they don't want to allow a business to sell their private data, and they expressly "opt-out" (as opposed to "opting-in") through a button or link that gives them the option to do so.

In that case, express or explicit consent must be obtained before the person's personal information can be sold or shared in the future.

What is the CCPA/CPRA's Definition of a Sale?

According to the CCPA (CPRA), a "sale" means:

"selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."

Simply put, you are conducting a sale if you disclose a consumer's personal information to a third party (in this case, through cookies) for money or any other benefit.

For more information, check out our article: CCPA: What Constitutes a "Sale" of Personal Information.

There are certain exceptions to the definition of sale. Let's take a look.

What are the CCPA/CPRA's Exceptions to the Definition of Sale?

The CCPA (CPRA) identifies a number of instances wherein your use of third-party cookies may not constitute "selling" personal information.

They are as follows:

  • Consumer Direction: A sale has not occurred if the consumer tells you to intentionally disclose their personal information to a third party. In the context of cookies, this refers to a form of opt-in consent (i.e., getting user consent before activating cookies).

    Opt-in consent is not mandatory under the CCPA (CPRA). However, if you obtain opt-in consent from a consumer before enabling cookies, you will not be deemed to be selling that consumer's personal information.

  • Third-party Notification: If you share the personal information of a consumer who has opted out of a sale to alert the third party of this opt-out, then you have not conducted a sale under the CCPA (CPRA).

  • Service Provider: Finally, if you disclose a consumer's personal information to a "service provider," you have not sold personal information.

    A service provider is a legal entity that processes personal information on behalf of a business. The service provider must be bound by a contract with the business. However, the service provider must obtain consent before collecting, using or sharing personal information.

    For more information, see our article: The Complete Guide to CCPA Service Providers.

When Selling a Minor's Private Data

A business cannot knowingly sell the private information of anyone under the age of 16.

The only exception to this rule is if the minor (between the ages of 13 and 16) or the minor's parent (if the minor is below the age of 13) has "affirmatively authorized the sale" of personal information.

From the CCPA (CPRA) itself:

(c) Notwithstanding subdivision (a), a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer's parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer's personal information. A business that willfully disregards the consumer's age shall be deemed to have had actual knowledge of the consumer's age. This right may be referred to as the "right to opt-in."

This also applies to cookies knowingly placed on minors' devices.

When Using Third Party Cookies

The CCPA (CPRA) brings cookies and similar identifiers under its definition of "personal information." This is because businesses can use cookies and similar identifiers to recognize a consumer or a device linked to that consumer.

Third-party cookies are stored on a user's internet device by external services incorporated into the website they visit. In other words, cookies from an analytics provider or payment platform integrated into the website a user visits are third-party cookies.

These cookies are considered a threat to privacy because they disclose users' data to external services and are typically used to track users' activities all over the internet. Consequently, top companies like Google have begun to phase them out.

The CCPA (CPRA) does not require businesses to get consent before using cookies unless they're third-party cookies used for tailored advertising or being used with minors.

When it comes to cookies, the CCPA (CPRA) generally has an opt-out consent system.

In other words, you can automatically set cookies on your users' devices without their consent once they visit your website.

However, you must notify users of this practice and give them a simple way to opt out of selling or sharing their data within the context of cookies.

Importantly, you must let consumers know what categories of cookies you use on your website. You can do this by conducting a comprehensive cookies audit.

Finally, you must provide a detailed explanation of your cookie practices in your website policies.

It's important to note that consent is necessary for some situations, such as before you sell or share the personal information of minors.

This means you must first obtain opt-in consent from children under 16 and parental consent for children under 13 before placing cookies on their devices.

When it comes to third-party cookie placement, applicable businesses are required to:

  • Describe their use of third-party cookies for targeted advertising as a "sale," and
  • Honor consumer opt-out requests, including requests sent through the Global Privacy Control (GPC) tool.

The GPC tool lets consumers opt out of data collection on the browser level rather than having to click individual businesses' opt-out buttons.

What are the CCPA (CPRA) Opt-Out Requirements?

To ensure compliance with the CCPA (CPRA), you'll need to "provide two or more methods for submitting requests to opt-out, including, an interactive form accessible via a clear and conspicuous link titled 'Do Not Sell My Personal Information,' or 'Do Not Sell My Info,' on the business' website or mobile application."

If you don't sell personal information at all, then you won't need to provide consumers with an opt-out form. However, you'll need to explain this in your Privacy Policy.

Opt-out forms should:

  • Let consumers know that they have a right to opt out of the sale of their private data.
  • Use language everyone can understand. Technical or legal terms should be avoided.
  • Let consumers know exactly how they can submit requests to opt out.
  • Be accessible to all consumers, and as much as possible to those with disabilities.

At one point, the CCPA (CPRA) had regulations stipulating that opt-out forms needed to include links to the company's Privacy Policy, but this has since been removed.

How to Comply with the CCPA (CPRA) Consent Requirements

Here's what you need to do to be compliant.

If you use personal information in any of the ways noted above, make sure you obtain the correct type of consent.

One of the easiest and most compliant ways of obtaining consent is by using an "I Agree" checkbox or clearly labeled button and asking users to click it to show they give consent to something.

Here's an example of this:

Generic Create Account form with I Agree checkbox highlighted - example

Disclose Your Privacy Practices in Your Privacy Policy

To comply with the CCPA (CPRA), including cookie requirements, you must prominently disclose key details about your use of personal data to consumers.

In any case, a CCPA/CPRA-compliant Privacy Policy must address the following:

  • The categories of information you collect
  • A detailed account of how you use this information
  • How users can decline or opt out of data collection, including cookies placement
  • The third-party cookies on your website and their purposes

For example, here's how Apple explains its use of cookies and similar technologies within its Privacy Policy:

Apple Privacy Policy: Cookies and Other Technologies clause excerpt

And here's a clause that discloses the categories of information collected:

PayPal Privacy Policy: Categories of Personal Information We Collect clause

Provide a "Do Not Sell My Personal Information" Page

A distinctive feature between the CCPA (CPRA) and equivalent privacy laws is the "Do Not Sell My Personal Information" page requirement. If you sell personal information, you must observe this requirement.

It entails setting up a page that addresses consumers' right to opt out of the sale of personal information and providing simple instructions to help exercise this right.

After doing this, you must set up a link to this page reading "Do Not Sell My Personal Information" and place this link in prominent areas of your website or app (e.g., your website footer and Privacy Policy).

Here's how Coca-Cola includes this link in its Privacy Policy:

Coca-Cola Privacy Policy: Your Choices and Access Rights clause with Do Not Sell My Personal Information link highlighted

Here's an example of how you can place this link in your website footer section:

Best Buy website footer with Do Not Sell My Personal Information link highlighted

When consumers click the link, you can have them be directed to a webpage that explains how they can opt out of the sale of personal information as well as what happens when they do:

Best Buy Do Not Sell My Personal Information page: How to Opt Out section

Here's how Victoria's Secret provides this link in its footer section:

Victoria's Secret website footer with Do Not Sell or Share My Personal Information link highlighted

Once users click the link, Victoria's Secret directs them to a page explaining how it collects data through cookies and how users can adjust their preferences or opt out of selling or sharing of personal information within the context of cookies:

Victoria's Secret Do Not Sell or Share My Personal Information page - Cookie Preferences clause

Keep in mind that if you use or disclose sensitive personal information (including through cookies), the CCPA (CPRA) requires you to provide a second link titled "Limit the Use of My Sensitive Personal Information."

Set Up a Way for Consumers to Submit Opt Out Requests

In addition to your "Do Not Sell My Personal Information" page, you'll need at least one designated means for consumers to submit opt-out requests. A commonly used opt-out mechanism is the cookie consent banner.

Since the CCPA (CPRA) accepts opt-out consent, you can load cookies automatically on consumers' devices when they visit your website.

Note that your cookie consent banner must disclose this practice and include an "I decline" button or a link to your settings/preference center for consumers to opt out. You must also provide a link to your Privacy/Cookies Policy.

Here's an example:

Upwork Cookie Consent Banner with Cookie Policy and Cookie Settings links highlighted

Deloitte loads cookies automatically for consumers in its cookie banner and includes links to its Cookie Policy and settings:

Deloitte Cookie Consent Banner with Cookie Policy and Cookie Settings highlighted

Recall that you must obtain opt-in consent before selling children's personal information. This means you cannot automatically load third-party cookies for minors. They must click an "I accept" button before you are allowed to place cookies on their devices.

That said, you may be better off implementing the opt-in consent model for all consumers to err on the side of caution.

This model also puts you under the "consumer direction" exemption, thereby ensuring you don't accidentally sell personal information through third-party cookies.

Here's an example of opt-in consent:

EY Cookie Consent Banner

Finally, in light of enforcement actions taken by the California AG, you must honor consumer opt-out signals sent through user-enabled Global Privacy Controls (GPC).
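As an added example (not code from the original article or from TermsFeed), here is one way a site could honor the opt-out requirements described above in JavaScript: it reads the Global Privacy Control signal on the client (navigator.globalPrivacyControl) and on the server (the Sec-GPC request header), combines it with a stored opt-out and the opt-in rule for minors, and returns a decision with a reason that can be logged. The first-party cookie name ccpa_opt_out and the account flags are my assumptions, not anything the article specifies.

```javascript
// Added example, not code from the original article or from TermsFeed.
// Decides whether a site may set third-party advertising cookies (treated as a
// "sale"/"share") under the opt-out model, while honoring Global Privacy Control.
// Assumptions (mine): navigator.globalPrivacyControl and the Sec-GPC header are
// the client- and server-side forms of the GPC signal; opt-out state lives in a
// first-party cookie named "ccpa_opt_out" (hypothetical name); minors and their
// opt-in status are flagged by the site's own account data.

// Client side: browsers that implement GPC expose a boolean on navigator.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Server side: the header value is the string "1" when the signal is on.
// Header names are matched case-insensitively.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Parse a Cookie request header into a name -> value map.
function parseCookieHeader(cookieHeader) {
  const out = {};
  for (const part of String(cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Core decision. Returns the outcome plus a reason so the call can be logged
// as a record of how the opt-out / opt-in signal was handled.
function adCookieDecision({ gpc = false, optedOut = false, knownMinor = false, optInGiven = false }) {
  if (knownMinor) {
    // Under-16s: opt-in consent is required before any sale or share.
    return { allow: optInGiven, reason: optInGiven ? "minor-opt-in" : "minor-requires-opt-in" };
  }
  if (gpc) return { allow: false, reason: "gpc-signal" };          // GPC counts as an opt-out request
  if (optedOut) return { allow: false, reason: "stored-opt-out" }; // explicit opt-out already on file
  return { allow: true, reason: "opt-out-model-default" };        // default under the opt-out model
}

// Evaluate one HTTP request: combine the GPC header, the stored opt-out cookie
// and any account flags. persistOptOut tells the caller to record a GPC-driven
// opt-out so it is remembered even if the user later switches browsers.
function evaluateRequest(headers, account = {}) {
  const cookies = parseCookieHeader(headers["cookie"] || headers["Cookie"]);
  const gpc = gpcFromHeaders(headers);
  const optedOut = cookies["ccpa_opt_out"] === "1";
  const decision = adCookieDecision({
    gpc,
    optedOut,
    knownMinor: account.knownMinor === true,
    optInGiven: account.optInGiven === true,
  });
  return { ...decision, persistOptOut: gpc && !optedOut };
}

// Constructed sample requests (not captured from any real site).
const sampleRequests = {
  gpcBrowser: { "Sec-GPC": "1", "Cookie": "session=abc" },
  optedOutEarlier: { "Cookie": "session=abc; ccpa_opt_out=1" },
  plainVisitor: { "Cookie": "session=abc" },
};
```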

Provide a Notice at Collection

A "Notice at Collection" is one of the CCPA/CPRA's notices that businesses must present before or when collecting consumers' personal information (including via cookies).

You may wish to insert this notice into a section of your Privacy Policy or host it on a separate webpage.

This notice must include the following:

  • The categories of personal information you collect from consumers
  • Your commercial purposes for collecting it
  • How long you plan to retain the information (only for as long as is "reasonably necessary" for the business purpose for which it was collected)
  • A link to your "Do Not Sell My Personal Information" page
  • A link to your Privacy Policy

Here's how AGCO presents this notice:

AGCO CCPA Notice at Collection

CCPA (CPRA) Consent vs Consent from GDPR

In contrast to the CCPA (CPRA), the GDPR dictates a broad range of circumstances under which a business must gain a consumer's consent, which is defined as:

"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

The first thing that must be stated clearly is that consent is only one of the legal bases in the GDPR.

In other words, a company doesn't have to acquire consent from individuals before it can use their personal data for business uses as many believe. What businesses actually have to do if they're processing information, according to the GDPR, is to identify their legal basis for doing so.

The CCPA (CPRA) is not as strict as the GDPR. This is mainly because the CCPA (CPRA) uses an opt-out consent model for most cases.

Under the GDPR, consent has the following attributes.

  • Consent must be freely given: Essentially, you cannot have manipulated or coerced the consumer into giving consent for you to use their private information.
  • Consent must be specific: You need to be explicit in terms of stating what data processing activities you'll be conducting and give the consumer the opportunity to agree with each, specific activity.
  • Consent must be informed: This means you've given the consumer information about who you are, what kind of information processing you'll be doing, why you're processing their information, and that they can take back their consent at any time.
  • Consent must be unambiguous: In other words, there cannot be any question about whether the consumer gave consent. For example, the GDPR says, "Silence, pre-ticked boxes or inactivity should not therefore constitute consent." Consent has to be actively given. It cannot be implied.
  • Consent must be revocable: As noted above, a consumer has the right to withdraw their consent from your data processing activities at any moment. Additionally, it's your responsibility to make that removal of permission easy. A rule of thumb is that the ability to withdraw consent must be as simple as giving consent.

Here's an example of GDPR-compliant consent:

Adoption UK newsletter sign up form checkboxes

Some of the specific requirements for explicit consent requests according to the ICO are the following:

  • Without an imbalance in the relationship: You'll need to ensure that there isn't an imbalance in the relationship between controller and the individual (e.g., an employer and employee, or a housing association and tenant).
  • Easy to withdraw: You must inform consumers that they have the right to withdraw whenever they wish. You must also inform them as to how withdrawal can be accomplished. That means you'll need to have an effective means of withdrawal in place.
  • Documented: You must keep records to show precisely what individuals consent to, when and how they consented, and what you told them to gain that consent.
  • Named: You must provide the exact names of any organization that relies upon the consent of the consumer. You cannot simply make a list of the categories of third-party organizations that will receive data.
  • Granular: Wherever appropriate, you must give a comprehensive explanation of consent options to various types of processing.
  • Unbundled: You'll need to make sure that consent requests are not bundled up with other terms, conditions or agreements.

A great example of a company providing consumers with an explicit consent request as required by the GDPR is this cookie popup notice from the European Central Bank:

European Central Bank cookie consent notice banner with highlighted options

Pay attention to how the cookie notice gives the user an explicit choice as to whether they'll consent or not to the way the bank uses cookies.

The Bottom Line

The CCPA (CPRA) doesn't specifically require businesses to obtain consent for data processing although there are a few exceptions. The GDPR requires consent in just about all circumstances if one isn't using one of the other legal bases for legitimately processing data.

At the end of the day, business owners may want to opt for obtaining consent whether they do business in Europe or not. Even though the CCPA doesn't demand that business owners obtain explicit consent right now, American laws are evolving and could rapidly change to follow Europe's lead.
