Legal and data protection research writer at TermsFeed.
On this page
- 1. The Evolution of Consent
- 2. Consent and the CCPA (CPRA)
- 2.1. The Sale of a Minor's Private Data
- 2.2. Re-soliciting the Ability to Sell
- 2.2.1. Exemption from the Definition of "Sale"
- 2.3. CCPA (CPRA) Opt-Out Requirements
- 3. Consent and the GDPR
- 3.1. GDPR Consent Requirements
- 3.2. Explicit Consent Under the GDPR
- 4. The Bottom Line
Like most privacy laws, the California's Consumer Privacy Act (CCPA) as amended by the CPRA has some specific consent requirements.
Below, we'll talk about consent under the CCPA (CPRA), what is and isn't required, and then compare and contrast that with Europe's General Data Protection Regulation (GDPR).
At Step 1, select the Website option or App option or both.
Answer some questions about your website or app.
Answer some questions about your business.
The Evolution of Consent
Europe put the issue of consent squarely in the public's eye when it fined Google €50 million when the tech giant failed to obtain legitimate consent for its ad personalizations. The fine delivered by the French regulator, Commission nationale de l'informatique et des libertés (CNIL), became the first in a long line of actions against bad corporate actors.
British Airways was hit with an even larger penalty than Google, and the U.K. said it intended to fine the company £183 million, but ultimately only fined the company £20 million. That's obviously a significant drop, but officials suggested the fine was smaller due to the "economic impact of Covid-19."
Since CNIL penalized Google in 2019, some U.S. states began working on passing privacy legislation that includes the need for businesses to gain consumer consent in one way or another before collecting, using, sharing, selling, and storing sensitive data.
The most comprehensive of these in the USA is California's CCPA (CPRA), which still doesn't go to the lengths of the GDPR. For example, the CCPA (CPRA) doesn't require companies to obtain a specific "opt-in" from consumers, but the GDPR does.
In fact, consent in the CCPA arises as a concept only if the sale of consumer information is part of a company's business practices. Moreover, the definition of "sale of information" under the CCPA is vague at best.
Consent and the CCPA (CPRA)
The bottom line is that consent isn't demanded by the CCPA (CPRA) except under three very specific circumstances.
The Sale of a Minor's Private Data
A business cannot knowingly sell the private information of anyone under the age of 16. The only exception to this rule is if the minor (between the ages of 13 and 16) or the minor's parent (if the minor is below the age of 13) has "affirmatively authorized the sale" of personal information.
From the CCPA (CPRA) itself:
(c) Notwithstanding subdivision (a), a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer's parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer's personal information. A business that willfully disregards the consumer's age shall be deemed to have had actual knowledge of the consumer's age. This right may be referred to as the "right to opt-in."
Re-soliciting the Ability to Sell
Suppose someone decides they don't want to allow a business to sell their private data, and they expressly "opt-out" (as opposed to "opting-in") through a button or link that gives them the option to do so. In that case, a company is prohibited from soliciting that individual's consent (through an opt-in, etc.) for "at least 12 months."
Exemption from the Definition of "Sale"
This might sound weird to some, but if a consumer opts-in, or gives their consent, then information transfers aren't considered "sales" under the CCPA (CPRA). Simply put, while the CCPA (CPRA) doesn't demand consent or an opt-in in most situations, it kind of provides an incentive for businesses to obtain it from consumers.
That's because when a consumer opts in, that individual has directed the business to "disclose personal information" to a third party:
(2) For purposes of this title, a business does not sell personal information when:
(A) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.
CCPA (CPRA) Opt-Out Requirements
While there isn't any specific demand under the CCPA (CPRA) for a business to gain a specific opt-in before collecting or sharing data, it does require that companies provide consumers with the ability to opt-out.
To ensure compliance with the CCPA (CPRA), you'll need to "provide two or more methods for submitting requests to opt-out, including, an interactive form accessible via a clear and conspicuous link titled "Do Not Sell My Personal Information," or 'Do Not Sell My Info,' on the business' website or mobile application."
Opt-out forms should:
- Let consumers know that they have a right to opt out of the sale of their private data.
- Use language everyone can understand. Technical or legal terms should be avoided.
- Let consumers know exactly how they can submit requests to opt out.
- Be accessible to all consumers, and as much as possible to those with disabilities.
Consent and the GDPR
In contrast to the CCPA (CPRA), the GDPR dictates a broad range of circumstances under which a business must gain a consumer's consent, which is defined as:
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
The first thing that must be stated clearly is that consent is only one of the six legal bases in the GDPR.
In other words, a company doesn't have to acquire consent from individuals before it can use their personal data for business uses as many believe. What businesses actually have to do if they're processing information, according to the GDPR, is to identify their legal basis for doing so.
With that said, if a business gains consent, then it can do pretty much as it pleases with that information. As long as the business in question explains what it's going to do with the consumer's private information and gains explicit permission, then that business is in compliance with the GDPR's consent requirements.
However, you can't cut corners. Google learned that the hard way. In the complaint filed by CNIL, they wrote that Google's methods for gaining consumer consent were neither "specific" nor "unambiguous" nor "informed."
GDPR Consent Requirements
- Consent must be freely given: Essentially, you cannot have manipulated or coerced the consumer into giving consent for you to use their private information.
- Consent must be specific: You need to be explicit in terms of stating what data processing activities you'll be conducting and give the consumer the opportunity to agree with each, specific activity.
- Consent must be informed: This means you've given the consumer information about who you are, what kind of information processing you'll be doing, why you're processing their information, and that they can take back their consent at any time.
- Consent must be unambiguous: In other words, there cannot be any question about whether the consumer gave consent. For example, the GDPR says, "Silence, pre-ticked boxes or inactivity should not therefore constitute consent." Consent has to be actively given. It cannot be implied.
- Consent must be revocable: As noted above, a consumer has the right to withdraw their consent from your data processing activities at any moment. Additionally, it's your responsibility to make that removal of permission easy. A rule of thumb is that the ability to withdraw consent must be as simple as giving consent.
Explicit Consent Under the GDPR
In order not to cut corners, if you plan to gain consent instead of basing the legality of your data processing on one of the other means outlined in the GDPR, then your efforts must be explicit.
You can't leave room for misinterpretation, and that means you need to provide an explicit consent statement, whether spoken or written. That statement will need to be super specific about the element of data processing that demands explicit consent.
For instance, the ICO's guidance says that, "the statement should specify the nature of data that's being collected, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of the transfer."
Some of the specific requirements for explicit consent requests according to the ICO are the following:
- Without an imbalance in the relationship: You'll need to ensure that there isn't an imbalance in the relationship between controller and the individual (e.g., an employer and employee, or a housing association and tenant).
- Easy to withdraw: You must inform consumers that they have the right to withdraw whenever they wish. You must also inform them as to how withdrawal can be accomplished. That means you'll need to have an effective means of withdrawal in place.
- Documented: You must keep records to show precisely what individuals consent to, when and how they consented, and what you told them to gain that consent.
- Named: You must provide the exact names of any organization that relies upon the consent of the consumer. You cannot simply make a list of the categories of third-party organizations that will receive data.
- Granular: Wherever appropriate, you must give a comprehensive explanation of consent options to various types of processing.
- Unbundled: You'll need to make sure that consent requests are not bundled up with other terms, conditions or agreements.
A great example of a company providing consumers with an explicit consent request as required by the GDPR, is this cookie's popup notice from the European Central Bank:
The Bottom Line
The CCPA (CPRA) doesn't specifically require businesses to obtain consent for data processing although there are a few exceptions. The GDPR requires consent in just about all circumstances if one isn't using one of five other legal bases for legitimately processing data.
At the end of the day, business owners may want to opt for obtaining consent whether they do business in Europe or not. Even though the CCPA doesn't demand that business owners obtain explicit consent right now, American laws are evolving and could rapidly change to follow Europe's lead.