On March 15, 2021, the California Attorney General finalized modified regulations to the California Consumer Protection Act (the “CCPA”) that strengthen consumers’ ability to “opt out” of having their personal data collected, sold, or otherwise used. The California legislature passed the CCPA, a landmark piece of legislation that went into effect last year, in hopes of helping consumers regain control over their personal information. These modified regulations further the CCPA’s intent by addressing certain issues that have emerged over the past year.
Since the enactment of the CCPA, many businesses have designed so-called “dark patterns,” which are user interfaces that subvert or impair consumers’ ability to opt out of the sale of their personal information. The modified regulations ban dark patterns and require businesses to implement opt-out mechanisms that are easy for consumers to execute and require minimal steps for consumers to opt out of the sale of their personal information. The modified regulations list the following as examples of prohibited dark patterns:
- Using an opt-out request process that has more steps than the opt-in request process.
- Using confusing language, such as double-negatives (e.g., “Don’t Not Sell My Personal Information”), when providing consumers the choice to opt out.
- Requiring consumers to click through or listen to unnecessary reasons as to why they should not submit a request to opt out before confirming their request.
- Requiring the consumer to provide personal information in connection with an opt-out request that is not necessary to implement the request.
In essence, the new regulations require that it be as easy to opt out of data collection, sale and sharing as it is to opt in.
The modified regulations provide the following final design for an optional opt-out icon that businesses may use on their websites to promote awareness of the opportunity to opt out of the sale of personal information.
The icon must be approximately the same size as any other icons used by the business on its webpage.
Use of the opt-out icon is optional, however, and the icon may only be used in addition to, and not in lieu of, any requirement to post the notice of right to opt out or a “Do Not Sell My Personal Information” link as required by Cal. Civ. Code § 1798.135.
Brick & Mortar vs Online
The modified regulations also require businesses to inform consumers of their right to opt out of the sale of their personal information in the course of offline interactions with the consumers.
Brick-and-mortar stores that sell personal information collected in their stores may inform consumers of their right to opt out on the paper forms that collect the personal information or by posting signage in the area where the personal information is collected directing consumers to where the opt-out information can be found online.
Similarly, businesses that sell personal information that they collect over the phone may inform consumers of their right to opt out orally during the call when the information is collected.
The CCPA permits consumers to know what data has been collected about them, how it has been used and, under certain circumstances, to request that the data be deleted or destroyed. These rights are similar to those in the European privacy law, the GDPR. It is expected that consumer watchdogs (and class-action litigants) will send mass requests for data and data deletion in much the same way that automated programs scan websites for violations of the Americans with Disabilities Act and automate lawsuits for violations. The CCPA permits these demands for data and deletion to be made by “agents” of the data subject. The modified regulations permit businesses to demand proof from the agent that it has the written authorization of the consumer to submit a request to know or a request to delete personal information. This change protects not only the data collector but also the data subject against unscrupulous entities that may use the consumers’ right to know what has been collected as a means of collecting data about consumers.
If you have any questions about the protection of your personal information or the subjects mentioned above, contact Mark Rasch (firstname.lastname@example.org / 301.547.6925) or Andrew Wilbur (email@example.com / 216.736.7298).