- 1798.100 – Consumers' right to receive information on privacy practices and access information
- 1798.105 – Consumers' right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers' right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
The Right to Opt-Out of Information Selling
The California Consumer Privacy Act of 2018 (“CCPA”) is arguably the most comprehensive – and complex – data privacy regulation in the United States. The CCPA was designed to emulate the European General Data Protection Regulation (“GDPR”) in many respects. As a result, United States companies that thought that they were not subject to the GDPR are now laser focused on the requirements of the CCPA and rushing to verify that their practices comply with the statute. While the CCPA was drafted with an eye toward the GDPR, it also differs from that regulation in many respects. As a result, companies that just finished their push to come into compliance with the GDPR now also must redirect their attention toward the CCPA.
To help address the confusion caused by the CCPA, Bryan Cave Leighton Paisner is publishing this multi-part Practical Guide to the California Consumer Privacy Act.
The right to opt-out refers to the ability of a person to direct a company that sells personal information to third parties not to sell the personal information that the company holds about them.
Comparison to Other Privacy Laws
The CCPA is not the first law to confer upon individuals a right to opt-out from an organization’s use or disclosure of their information. Other federal laws, including the Gramm-Leach-Bliley Act (“GLBA”) and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”), contain certain opt-out requirements. Similarly, the GDPR confers a limited right to object to processing of personal data in certain circumstances. Notably, however, none of these privacy laws specifically addresses selling personal information.
To Do List
To comply with the CCPA, companies should:
- Review existing privacy notices and verify that they meet the new requirements of the CCPA.
- Ensure websites include a “Do Not Sell My Personal Information” link.
- If no methods exist, establish appropriate methods for submitting opt-out requests to your organization that comply with the CCPA.
- Draft an appropriate policy for the authentication of individuals that make opt-out requests.
- Draft a “play book” that provides standard communications that can be sent to individuals that make opt-out requests.
- Train employees on how to handle opt-out requests.
- Verify that the policies in place facilitate the fulfillment of opt-out requests for the period of time required by the CCPA.
How We Can Help
Companies across the globe have retained BCLP to draft their internal protocols for handling consumer opt-out requests, or to review existing protocols to spot red flags that might be of concern to a court or a regulator.
Cal. Civil Code 1798.120
Under the CCPA, can a company send follow-up emails after hosting a trade show or conference?
In the United States, a company can send follow-up emails after hosting a trade show.
On the federal level, the CAN-SPAM Act governs commercial use of email. While the CAN-SPAM Act prohibits the transmission of deceptive communications, and requires that companies include an unsubscribe link in commercial messages, it does not prohibit a company from transmitting email follow-ups following a trade show or conference, nor does it require that a company obtain opt-in consent to communicate a marketing message.
In California, the CCPA does not specifically address the use of email to communicate with attendees following a trade show or conference. The CCPA does, however, generally require that a company that collects email addresses from California-resident conference attendees provide the attendees with a privacy notice that discloses that the email addresses may be used for follow-up communications. Assuming that the privacy notice is provided, and California residents are informed about other CCPA-based rights (such as the right to request that their email address be deleted from the conference host), nothing within the CCPA prohibits a conference host from using the emails to transmit follow-up or marketing communications. Note, however, that if the attendee list is given to a third party to handle the follow-up emails, the conference-host should ensure that the third party is a “service provider” as defined by the CCPA or risk that the information transfer could be classified as a “sale” of personal information, which would trigger an obligation to honor “do not sell” requests.
In Europe, whether a follow-up email can be sent depends in part upon the nature of the communication. If the communication includes information relating to the event itself, the use of the email address may be permitted under GDPR Article 6(1)(a) (if consent had been obtained from the data subject), Article 6(1)(b) (if the follow-up communication is necessary to complete a transaction with the attendee), or Article 6(1)(f) (if the follow-up communication relates to other conference-related information, and the organizer failed to obtain consent to communicate). If the communication includes marketing content, the transmission could theoretically be permitted under GDPR Article 6(1)(a) (if consent had been obtained), or Article 6(1)(f) (the legitimate interest of the conference host to send marketing communications). It should be noted, however, that in order for a conference-host’s interest in marketing to be considered “legitimate” under the GDPR, the conference host must comply with other European laws that regulate marketing. Some Member States may have legislation implementing the ePrivacy Directive that requires a conference-host to obtain the consent of an attendee prior to the transmission of a marketing communication. The net result is that in many situations, a conference-host must obtain some form of consent before sending marketing communications to conference attendees.
Co-authored by Jason Schultz and David Zetoony
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.