The California Consumer Privacy Act (CCPA) is focused on giving consumers greater control over the personal information collected about them. An important part of this is being able to opt out or refuse permission to personal data being used in particular ways.
What rights to opt out should consumers be given under the CCPA, and what do you need to do to ensure you comply with the legislation?
Key Components of CCPA Opt-Out Requirements
CCPA states that consumers have ‘the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information.’
The rules apply to for-profit businesses handling the personal information of California residents (see here for more about which organizations CCPA applies to and the type of data it covers).
Businesses are required to feature a ‘do not sell my personal information’ link on their homepage and any other web page that collects data. The opt-out link must give full information of consumer rights and allow them to opt out of their information being sold. Being able to opt out of the sale of their personal information is a fundamental CCPA right.
In addition to this opt-out link, CCPA requires businesses to offer at least two other opt-out request methods. This might include a free phone line, a preference center with privacy controls, an online form or a dedicated email address.
The California Privacy Rights Act (CPRA) further developed opt-out rights, extending them to the sharing as well as the sale of personal information. CPRA came into effect on January 1, 2023.
CPRA also gives consumers rights to limit the use of sensitive personal information – for example, social security numbers, payment card details, precise geolocation, racial origin, religious affiliation, union membership, genetic data or biometric information.
Consumers must not be put at a detriment or treated differently because they exercise their right to opt out of the sale of their personal information.
CPRA requires:
– Customers must be told that a business sells personal information to third parties and they have the right to opt out
– A ‘do not sell or share my personal information’ link must be added to the homepage and any other page that collects personal information – there should also be a ‘limit the use of sensitive personal information’ link
– Consumers must be allowed to opt out of the sale or sharing of personal information or limit the use of sensitive personal information without needing to create an account
– An online privacy policy must set out the do not sell/share rights and the right to limit use of sensitive personal information
– When a consumer opts out of sale or sharing of information or use of sensitive personal information, this decision should apply for a minimum of 12 months before they are asked again
– There must be adequate training of workers who are handling consumer privacy rights enquiries and opt-out requests to ensure legal compliance
Implementing CCPA Opt-Out Requirements
What is the best way to implement CCPA cookie banner requirements? This is just one element of your business’ approach to privacy. Having a strong system for managing data is crucial; for example, having a data inventory that records consumer choices and the privacy policy that was in place at the time the choice was made.
There are different approaches to implementing cookie consent on your website – CookieHub can support you with whatever you choose. The decision between different approaches really rests on how much time and expertise you have to manage the system.
One option is to use Google Tag Manager to track data and manage consents. You can do this without having to write or change any code yourself. The downside is that setting up your tags, triggers and variables can be complex – CookieHub can help lead you through the process.
If you know a little about code, you might choose to manage your system manually. This saves the burden of having Google Tag Manager running in the background; you simply insert code into your site code. CookieHub can help provide the code you need.
CookieHub’s scanner can read your site and automatically analyze the cookies you are using, categorize them and generate a declaration that states what a cookie does. This helps to give customers information about which data is collected and for what purposes and gives you an overview of how your site operates.
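To make the manual approach concrete, here is an added example (not CookieHub's code and not code from the original page) of the small piece of logic a site needs once an opt-out link exists: record the consumer's "do not sell or share" choice together with the privacy policy version in force at the time, honour that choice for at least 12 months before asking again, and refuse to load any tag that sells or shares personal information while the opt-out stands. The storage key name, the tag list and the in-memory storage shim are assumptions made for the example; in a real page the shim would be replaced by window.localStorage or a server-side record tied to the consumer. Because CCPA is an opt-out model, the gate permits sharing tags until an opt-out has been recorded, and treats a malformed record as if none existed.

```javascript
// Added example, not CookieHub's own code. A minimal CCPA opt-out record
// and a consent gate for tags that sell or share personal information.

const OPT_OUT_KEY = "ccpa_opt_out";                 // assumed storage key name
const TWELVE_MONTHS_MS = 365 * 24 * 60 * 60 * 1000;  // minimum period before re-asking

// Tiny stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Store the consumer's choice with the policy version they were shown and a timestamp,
// so the data inventory can later prove which policy applied when the choice was made.
function recordOptOut(storage, { optedOut, policyVersion, now = Date.now() }) {
  const record = { optedOut: Boolean(optedOut), policyVersion, recordedAt: now };
  storage.setItem(OPT_OUT_KEY, JSON.stringify(record));
  return record;
}

// Read the stored record; a missing or malformed record is reported as null.
function readOptOut(storage) {
  const raw = storage.getItem(OPT_OUT_KEY);
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (typeof rec.optedOut !== "boolean" || !Number.isFinite(rec.recordedAt)) return null;
    return rec;
  } catch (err) {
    return null;
  }
}

// An opt-out stays in force for at least 12 months; only after that may the site ask again.
function shouldAskAgain(storage, now = Date.now()) {
  const rec = readOptOut(storage);
  if (!rec) return true;
  return now - rec.recordedAt >= TWELVE_MONTHS_MS;
}

// Sharing is permitted unless an opt-out is on record (CCPA is an opt-out model).
function mayShare(storage) {
  const rec = readOptOut(storage);
  return !(rec && rec.optedOut);
}

// Constructed sample tag inventory: each tag declares whether it sells/shares personal info.
const SAMPLE_TAGS = [
  { name: "first-party-analytics", sharesPersonalInfo: false },
  { name: "ad-network-pixel", sharesPersonalInfo: true },
  { name: "data-broker-sync", sharesPersonalInfo: true },
];

// Return the names of tags that may be loaded given the consumer's current choice.
function allowedTags(storage, tags = SAMPLE_TAGS) {
  const shareOk = mayShare(storage);
  return tags.filter((t) => shareOk || !t.sharesPersonalInfo).map((t) => t.name);
}

// Stand-alone demonstration.
const demo = memoryStorage();
recordOptOut(demo, { optedOut: true, policyVersion: "policy-v2", now: Date.now() });
console.log("tags allowed after opt-out:", allowedTags(demo).join(", "));
```

The functions are deliberately pure with respect to the storage object they receive, which makes the 12-month rule and the tag gate easy to unit test and easy to move server-side if the opt-out also has to apply to non-cookie sharing such as backend data feeds.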
Steps to Ensure Compliance with Opt-Out Requirements
The CCPA opt-out requirements primarily focus on providing consumers with the option to opt out of the sale of their personal information. Follow these steps to help your business comply with these requirements:
1. Verify if your business falls under CCPA.
2. Update your privacy policy to include opt-out information.
3. Implement a “Do Not Sell My Personal Information” link or mechanism on your website.
4. Establish a process to receive and respond to opt-out requests.
5. Provide multiple methods for consumers to submit opt-out requests.
6. Offer an opt-out for minors and obtain opt-in consent for selling their information.
7. Maintain records of opt-out requests for at least 24 months.
8. Ensure non-discrimination against consumers who opt out.
Check out our in-detail CCPA compliance checklist that can help you make sure you’ve got it covered. You can also read about every aspect of CCPA in our Ultimate Guide.
Potential Penalties for Non-Compliance
It’s important to remember why compliance with CCPA matters. Firstly, being careful with your customer data is an essential part of your relationship with them, and any breaches could see your reputation suffer – leading to a swift reduction in customer base.
A breach of CCPA opt-out requirements could result in a considerable penalty. You can be charged $2,500 for unintentional violations or $7,500 for intentional violations per breach – with no cap on the maximum amount you can be asked to pay. In some cases, consumers can also seek damages for violations.
Why not get in touch with CookieHub for support in ensuring your website follows best practice in CCPA compliance?