On March 15, 2021, the California Attorney General finalized modified regulations under the California Consumer Privacy Act (the “CCPA”) that strengthen consumers’ ability to “opt out” of the sale of their personal information. The California legislature passed the CCPA, a landmark piece of legislation that went into effect last year, to help consumers regain control over their personal information. The modified regulations further that intent by addressing issues that have emerged over the past year.
Dark Patterns
Since the enactment of the CCPA, many businesses have deployed so-called “dark patterns”: user interfaces designed to subvert or impair consumers’ ability to opt out of the sale of their personal information. The modified regulations ban dark patterns and require opt-out mechanisms that are easy for consumers to execute and involve minimal steps. The modified regulations list the following as examples of prohibited practices:
- Using an opt-out request process that has more steps than the opt-in process.
- Using confusing language, such as double-negatives (e.g., “Don’t Not Sell My Personal Information”), when providing consumers the choice to opt out.
- Requiring consumers to click through or listen to unnecessary reasons as to why they should not submit a request to opt-out before confirming their request.
- Requiring the consumer to provide personal information in connection with an opt-out request that is not necessary to implement the request.
- Requiring a consumer to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting an opt-out request after the consumer has already clicked a “Do Not Sell My Personal Information” link.
In essence, the new regulations require that it be as easy to opt out of the sale of personal information as it is to opt in.
Opt-Out Icon
The modified regulations also adopt a final design for an optional opt-out icon that businesses may use on their websites to promote awareness of the opportunity to opt out of the sale of personal information.
The icon must be approximately the same size as any other icons used by the business on its webpage.
The icon is optional, however, and may be used only in addition to, not in lieu of, the notice of right to opt out or the “Do Not Sell My Personal Information” link required by Cal. Civ. Code § 1798.135.
Brick & Mortar vs Online
The modified regulations also require businesses to inform consumers of their right to opt out of the sale of their personal information in the course of offline interactions with the consumers.
Brick-and-mortar stores that sell personal information collected in their stores may inform consumers of their right to opt out on the paper forms that collect the personal information or by posting signage in the area where the personal information is collected directing consumers to where the opt-out information can be found online.
Similarly, businesses that sell personal information that they collect over the phone may inform consumers of their right to opt out orally during the call when the information is collected.
This closes a loophole: a company could collect personal data in a brick-and-mortar or telephone interaction but rely on the terms of a website or privacy policy, which may not be readily available to the consumer at the point of collection, to explain how it will use the data and to provide the means to opt out of specific uses.
Authorized Agents
The CCPA permits consumers to know what data has been collected about them and how it has been used and, under certain circumstances, to request that the data be deleted or destroyed. These rights are similar to those in the European privacy law, the GDPR. It is expected that consumer watchdogs (and class-action litigants) will send mass requests for data and data deletion, in much the same way that automated programs scan websites for violations of the Americans with Disabilities Act and automate lawsuits for those violations. The CCPA permits these requests for data and deletion to be submitted by “authorized agents” of the data subject. The modified regulations permit businesses to demand proof from the agent that the consumer gave the agent signed, written permission to submit a request to know or a request to delete personal information. This change protects not only the data collector but also the data subject against unscrupulous entities that may use the consumer’s right to know what has been collected as a means of collecting data about consumers.
The CCPA and the newly enacted California Privacy Rights Act (“CPRA”) provide the nation’s most comprehensive data privacy laws and may serve as a model for other states and the country. We expect data privacy to be at the forefront of regulatory practice and litigation in the coming years and, as a result, any entity that collects personal information should be prepared. While full compliance may be burdensome, there are steps that every entity should take to ensure that its privacy policies are clear, well defined, and compliant. A well-written privacy policy accompanied by a well-designed data collection, classification, and use program, which includes clear and unambiguous statements regarding data use and an effective ability to opt out, not only makes companies compliant with laws like the CCPA and CPRA, but can act as a shield against litigation for violation of the privacy or data security provisions of these statutes. Indeed, since the CCPA went into effect at the beginning of last year, there have reportedly been 62 proposed federal class action lawsuits and 14 California state lawsuits filed against companies for violations of the data security provisions, many of which do not allege an actual data breach. With the statute providing a limited private right of action and statutory damages of $100 to $750 per consumer per incident, there will be increased pressure on companies to implement comprehensive privacy and data security programs.
If you have any questions about the protection of your personal information or the subjects mentioned above, contact Mark Rasch (mdr@kjk.com / 301.547.6925) or Andrew Wilbur (ajw@kjk.com / 216.736.7298).
KJK publications are intended for general information purposes only and should not be construed as legal advice on any specific facts or circumstances. All articles published by KJK state the personal views of the authors. This publication may not be quoted or referred to without our prior written consent. To request reprint permission for any of our publications, please use the “Contact Us” form located on this website. The mailing of our publications is not intended to create, and receipt of them does not constitute, an attorney-client relationship. The views set forth therein are the personal views of the author and do not necessarily reflect those of KJK.