- 1798.100 – Consumers' right to receive information on privacy practices and access information
- 1798.105 – Consumers' right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers' right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Does an employee-facing privacy notice need to contain different types of information from a privacy notice provided to other types of consumers?
It depends.
The CCPA applies to the personal information of California employees of a business that is subject to the statute. The specific rights afforded to employees were set to phase-in throughout 2020.
Beginning in 2020, the CCPA required that a business subject to the Act disclose (1) the type of personal information that it collected about its California employees and (2) the purpose of the collection “at or before the point of collection.”1 While the same information was required to be disclosed when a business collected personal information about other types of California residents (e.g., California customers), for other types of California residents the CCPA required that a privacy notice contain twelve additional disclosures. These only apply to employee-privacy notices beginning on January 1, 2021. The following provides a summary of those disclosure requirements that apply to employees on January 1, 2020, and those that apply on January 1, 2021:
Privacy Notice Disclosures Required as of January 1, 2020
In All Privacy Notices (e.g., employee and non-employee):
1. Identify the enumerated categories of personal information collected.2
2. Identify the general purpose for which information will be used.3
Additional Privacy Notice Disclosures Required as of January 1, 2020 in Non-Employee Privacy Notices and as of January 1, 2021 in Employee Privacy Notices:
1. Explain the ability of a California resident to request access to their personal information.4
2. Identify the enumerated categories of personal information shared with services providers.5
3. Identify the enumerated categories of personal information sold to third parties (or affirmatively state that the business does not sell personal information).6
4. State that a California resident has the ability to opt-out of sale of information (if applicable).7
5. Provide contact information that can be used to request access, deletion, or opt-out (if applicable).8
6. Explain the ability of a California resident to request deletion of their personal information.9
7. Provide general information concerning the sources from which personal information was collected.10
8. Provide general information concerning the third party recipients of personal information.11
9. Explain in general terms the process used to verify or authenticate a California resident that requests access to, or the deletion of, their information.12
10. Explain that California residents will not be discriminated against if they choose to exercise one of their rights under the CCPA.13
11. Explain how an authorized agent can make a request under the CCPA on behalf of a California resident.14
12. Provide contact information for how questions or concerns regarding privacy practices can be raised with the business.15
The net result is that, between January 1, 2020 and January 1, 2021, an employee privacy notice does not have to contain all of the information contained in privacy notices given to other types of California residents. In essence, it can be thought of as a “short form” privacy notice. After January 1, 2021, the same provisions must be included in an employee and non-employee privacy notice that is subject to the CCPA.
Are businesses required to offer the same methods for submitting DSR requests under the CCPA as they are under the GDPR?
No.
Much like the GDPR, the CCPA gives consumers certain rights over their data. In particular, California residents have the right to request access to their personal information, the right to request the deletion of their personal information, and the right to opt out of the sale of their personal information.1
Businesses that are already GDPR-compliant will have pre-existing methods for fielding data subject requests, such as web portals, email addresses, or dedicated phone numbers. While these methods may be adequate, businesses should double check that all of the CCPA’s requirements are met. Whereas the GDPR has very few requirements governing submission methods, the requirements under the CCPA and Proposed Regulations are numerous.2
The end result is that if a business is GDPR compliant with respect to how data subjects are able to submit rights requests, it may not be CCPA compliant. In contrast, if a business is CCPA compliant with respect to how consumers are able to submit rights requests, it will almost certainly be GDPR compliant.
Below is a comparison of the requirements for methods to submit requests under the GDPR and under the CCPA.
GDPR | CCPA
Access:
Opt-out:
Delete:
Is a business required to delete only 12 months of consumer information in response to a request to be forgotten?
No.
Unlike a request for access,1 a business’s deletion obligation extends to all data held by the business regarding a consumer, unless an exception applies, irrespective of when that data was collected, generated or processed. Neither the statutory text nor the regulations establish a “lookback period” for requests for deletion. That said, a business is not obligated to delete consumer information that it is required to retain to comply with a legal obligation.2 As a consequence, a business may be required to retain data for a period of time under applicable law.
Does a business need to post a “do not sell” link if it does not sell personal information?
No.
The CCPA requires businesses that sell personal information to, among other things, explain that consumers have a “right to opt-out” of the sale,1 and provide a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information,” which takes the consumer to a mechanism that permits the exercise of the opt-out right.2 If a business does not sell personal information, and if the business affirmatively states that it does not sell personal information in its privacy notice, it is not required to provide a “notice of [the] right to opt-out” or post the “Do Not Sell” link.3
What steps must a business take if it sells personal information?
Are companies required under the CCPA to get employees’ consent before collecting their personal information?
No.
The CCPA does not require that a company obtain the consent (or the “opt-in”) of a person before collecting or using their personal information. The concept of consent only arises within the CCPA if a company intends to sell information. In that context, consent applies in two situations when dealing with employees:
- Exemption from the definition of “sale.” The CCPA’s broad definition of “sale” could encompass a number of ordinary information transfers that consumers would hardly consider to be a “sale” as the term is generally understood. The CCPA exempts from the definition of “sale” any transfer that takes place because the “consumer uses or directs the business” to “intentionally disclose personal information” to a third party.1 In other words, if an employee consents, or opts-in, to an information transfer it is not considered a “sale” under the CCPA.2
- Sale of information about minors. The CCPA prohibits a business from knowingly selling the personal information of a consumer that is “less than 16 years of age” unless the consumer has “affirmatively authorized the sale” of personal information.3 In other words, opt-in consent is needed to sell the information of a minor-employee. Interestingly, if a business obtained the affirmative consent to transfer personal information, as discussed in the previous paragraph, the information transfer might not be a “sale” at all.
- Re-soliciting the ability to sell. The CCPA states that if a person opts out of the sale of information (e.g., by clicking a “Do Not Sell My Personal Information” link) a business is not permitted to solicit their consent (or opt-in) to a future sale for “at least 12 months.”4 As a result, if a company sells the information of its employees, and provides employees a do not sell option, it is not permitted to ask those employees that opt out for permission to sell for 12 months.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. Cal. Civil Code § 1798.140(t)(2)(A).
2. Cal. Civil Code § 1798.140(t)(2)(A).
3. Cal. Civil Code § 1798.120(c).
4. Cal. Civil Code § 1798.135(a)(5).
Are companies required to get opt-in consent under the CCPA before using personal data?
No.
The CCPA does not require that a company obtain the consent (or the “opt-in”) of a person before collecting or using their personal information. The concept of consent only arises within the CCPA if a company intends to sell information. In that context, consent applies in three situations:
- Exemption from the definition of “sale.” The CCPA’s broad definition of “sale” could encompass a number of ordinary information transfers that consumers would hardly consider to be a “sale” as the term is generally understood. The CCPA exempts from the definition of “sale” any transfer that takes place because the “consumer uses or directs the business” to “intentionally disclose personal information” to a third party.1 In other words, if a consumer consents, or opts-in, to an information transfer it is not considered a “sale” under the CCPA.2
- Sale of information about minors. The CCPA prohibits a business from knowingly selling the personal information of a consumer that is “less than 16 years of age” unless the consumer (in the case of individuals between 13 and 16) or the guardian (in the case of individuals under the age of 13) has “affirmatively authorized the sale” of personal information.3 In other words, opt-in consent is needed to sell the information of a minor. Interestingly, if a business obtained the affirmative consent to transfer personal information, as discussed in the previous paragraph, technically the information transfer might not be a “sale” at all.
- Re-soliciting the ability to sell. The CCPA states that if a person opts out of the sale of information (e.g., by clicking a “Do Not Sell My Personal Information” link) a business is not permitted to solicit their consent (or opt-in) to a future sale for “at least 12 months.”4
What concerns do website owners have with the IAB’s final CCPA Do Not Sell Framework?
The Interactive Advertising Bureau (“IAB”) is a trade association comprised of companies that participate in digital marketing. Its members include both media companies and advertising technology (“adTech”) companies.
In October of 2019, the IAB published a draft IAB CCPA Compliance Framework for Publishers & Technology Companies (the “Draft IAB Do Not Sell Framework”).1 The draft proposed that website owners would provide consumers with a “do not sell” link, transmit a do not sell signal to IAB framework participants if a consumer opted-out, and the framework participants would agree to abide by a “Limited Service Provider Agreement” in their treatment of such data. The proposal was presented as a means of complying with the CCPA’s requirement that companies disclose if they sell personal information, and, if a sale is occurring, include a “Do Not Sell My Personal Information” link on their website.2
Numerous questions and concerns were raised by privacy advocates and the business community with the draft. In December, the IAB released a final version of the framework (the “IAB Do Not Sell Framework”) which addressed some (but not all) of those concerns. The following are some of website owners’ concerns with the viability of the framework as it was finalized:
- Website owners would be contractually limited to dealing with adTech companies that participate in the framework. The IAB Do Not Sell Framework effectuates a do not sell request by attempting to convert adTech companies that have joined the framework, and that have executed a “Limited Service Provider Agreement” provided by the IAB, into “service providers” when such companies receive a do not sell signal from a website owner. From a website owner’s perspective, however, if they participate in the IAB Do Not Sell Framework they are effectively self-restricting the adTech companies with whom they can partner to those that have joined the framework. Specifically the Limited Service Provider Agreement that website owners are required to accept requires that they represent and warrant that if a consumer clicks their do not sell link the website owner will “only” transmit “bid requests . . . to Downstream Participants that are Signatories” of the IAB Do Not Sell Framework.3 Given uncertainty concerning how many companies in the behavioral advertising ecosystem will join the framework, many website owners are concerned about the cost, and the potential disruption, that could be involved in (1) identifying which of their behavioral advertising partners have joined the framework, (2) terminating relationships with behavioral advertising companies that choose not to participate in the framework, and (3) conducting ongoing monitoring of behavioral advertising partners to ensure that they continue their framework participation.
- Website owners that continue to transmit data to non-IAB participants could be alleged to have engaged in deceptive practices. The IAB Do Not Sell Framework requires that website owners post a “do not sell my personal information” link on their website, and disclose in their privacy notice that by clicking the link a consumer’s information will no longer be sold. To the extent that the website owner continues to transmit data to non-IAB participants (i.e., companies that have neither entered the IAB Do Not Sell Framework nor agreed via a separate contract to refrain from using, sharing, or disclosing information that they receive from the website owner for their own purpose if the website owner broadcasts the IAB do not sell signal), it is possible that a regulator or a privacy advocate may allege that the website owner has misrepresented the effect of clicking on the Do Not Sell link.
- The effectiveness of the Limited Service Provider Agreement is unknown. In order for a company to be considered a “service provider” under the CCPA the Act states that there must be a “written contract” and implies that the contract must be “with the business.”4 Although the “Limited Service Provider Agreement” published by the IAB purports to be a contract between and among “all other Signatories to this Agreement” there is ambiguity about whether a court will interpret such an arrangement as a sufficient “contract” between a website owner and downstream adTech companies.5 Furthermore, although the Limited Service Provider Agreement purports to take precedence over pre-existing contracts entered into between a website owner and its adTech partners, the order of precedence identified in the Limited Service Provider Agreement may itself conflict with priority designations within those existing contracts.6 Existing contracts may also prohibit, or nullify, contractual arrangements, like the Limited Service Provider Agreement, that are created without bilateral signatures from both parties.
- IAB, and the adTech participants, refuse to accept any liability for the effectiveness of the framework. The “Limited Service Provider Agreement” disclaims any representation that the IAB Do Not Sell Framework complies with the CCPA. To the contrary, it states that “changes in the interpretation of the CCPA by an enforcement authority or court of competent jurisdiction . . . may hold that this Agreement, in whole or in part, is not permissible.”7 The IAB reiterates its reluctance to warrant that its framework complies with the CCPA in the IAB CCPA Compliance Framework for Publishers & Technology Companies document itself where it states that the “IAB make[s] no representations or warranties, express or implied, as to the completeness, correctness, or utility of the information contained in this Framework and the accompanying Agreement and assume no liability of any kind whatsoever resulting from the use or reliance upon its contents.”8 The reluctance to assume any monetary liability if a CCPA penalty is assessed as a result of the use of the framework is reiterated in the Limited Service Provider Agreement where it states in all CAPS that “IN NO EVENT WILL A SIGNATORY BE LIABLE TO ANY OTHER SIGNATORY . . . FOR ANY DAMAGES OF ANY KIND . . . ARISING FROM OR RELATING TO THIS AGREEMENT, REGARDLESS OF WHETHER SUCH SIGNATORY WAS ADVISED, HAD OTHER REASON TO KNOW, OR IN FACT KNEW OF THE POSSIBILITY THEREOF.”9 It is unclear to what extent website owners who may be directly liable for a violation of the CCPA will be comfortable relying upon a compliance framework that ascribes no liability to their adTech partners.
- The Limited Service Provider Agreement may erode existing liability protections. To the extent that a website owner has entered into a separate contract with an adTech partner that provides contractual remedies (e.g., damages) if the adTech partner fails to comply with data privacy laws, the Limited Service Provider Agreement may erode those protections. Specifically, the Limited Service Provider Agreement states that in the face of a conflict with pre-existing contract terms, the Limited Service Provider Agreement will take precedence in connection with the “Sale and/or use of Personal Information.”10 As the Limited Service Provider Agreement states that “IN NO EVENT WILL A SIGNATORY BE LIABLE TO ANY OTHER SIGNATORY . . . FOR ANY DAMAGES OF ANY KIND” an adTech company may attempt to argue that any monetary recovery permitted by an underlying agreement is eroded by the Limited Service Provider Agreement.11
- Device/Browser level opt-out may not comply with the CCPA. The IAB Do Not Sell Framework appears to contemplate that when a user clicks on a website owner’s Do Not Sell My Personal Information link it would typically trigger a “Device/Browser Level Opt Out.”12 A “Device/Browser Level Opt Out” means that the consumer’s instruction for their information not to be sold would only apply “to the particular device (e.g., mobile or desktop hardware unit) or browser on which the applicable Consumer has Opted Out.”13 It is unclear whether a device-level opt-out fully complies with the CCPA’s requirement that businesses “refrain from selling personal information collected by the business about the consumer” after receiving an initial opt-out request and the requirement that businesses wait “at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.”14 Put differently, while the CCPA prohibits a business from selling a consumer’s personal information after they click a Do Not Sell link, under the IAB Do Not Sell Framework it would appear that a consumer’s personal information would continue to be sold each time they visit a website owner’s site from a different device or a different browser.
- Failure to adequately disclose device/browser level opt-out could result in allegations of deception. The draft IAB Do Not Sell Framework suggested that websites notify consumers who opted out under the framework that if they visited the website from a different device (e.g., a work computer instead of a smartphone, or a smartphone instead of a personal computer) their information would again be sold until, or unless, the consumer submitted a new opt-out request on the new device.15 Specifically, it required website owners to state in their privacy notices that “opt out is at a device level and how to opt out across different devices.”16 Interestingly, the final IAB Do Not Sell Framework does not contain such an explicit requirement and instead requires the website owner to generally explain “the effective scope of the opt out.”17 If a website owner does not accurately describe to consumers that the IAB Do Not Sell Framework’s opt-out mechanism appears to be limited to the device/platform used by the consumer to submit an opt-out request, privacy advocates may attempt to allege that the website owner has misrepresented the consumers’ ability to opt-out.18
- Non-persistent opt-outs may not comply with the CCPA. When a user clicks on a website’s Do Not Sell My Personal Information link, it appears that the framework contemplates that the user’s preference would be recorded in a cookie placed on the user’s machine.19 If a user clears their browser’s cache, that preference selection would, presumably, be erased and, as a result, the user’s personal information would again start to be sold by a business. Put differently, by suggesting that website owners utilize cookies to store user Do Not Sell requests, the framework appears to be endorsing a non-persistent system for recording consumer preferences. It is unclear whether a non-persistent opt-out mechanism fully complies with the CCPA’s requirement that a business “refrain from selling personal information collected . . . about the consumer” after receiving an initial opt-out request and wait “at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.”20
- Offline to online sales. The CCPA arguably requires a company that receives a do not sell request to cease the selling of information that is collected by the business both online and offline. The IAB framework’s focus on the online collection, and transmission, of do not sell requests does not appear to anticipate that many organizations may not collect sufficient information about a consumer to effectuate the request in the offline environment.
- Admission that most website visitors are “consumers.” The CCPA applies to “consumers” a term defined under the Act as including only residents of the state of California. Many website owners have struggled with how to identify whether a website visitor is, in fact, a California resident. While data points that are sometimes collected by website owners (e.g., IP address, shipping information, or billing information) might bear some correlation to residency, such data points are far from conclusive. For example, a resident of Colorado who works for a company that is headquartered in Los Angeles might ship information to a California office address, present with a California billing address, and even have a California IP address (e.g., via a corporate VPN), but would not be a California resident. The Limited Service Provider Agreement requires that website owners represent and warrant that they have “undertaken commercially reasonable efforts to determine that the User [that clicks on a Do Not Sell My Personal Information Link] is a Consumer” for the purposes of the CCPA, or that the website owner “has assumed that all Users on the Digital Property are Consumers.”21 Both representations may be problematic. The former may state or imply that some effort has been undertaken to verify the residency of website visitors when most websites do not collect residency, or take efforts to verify residency. The latter would require that the website confer upon all visitors the rights of Californians. It also raises the specter that the California attorney general might use the contractual representation in an enforcement action to prevent a company from arguing that a particular visitor was not a Californian.
As the CCPA nears, how many companies have included a “Do Not Sell My Personal Information” link on their homepage (Updated Week of 12/23/2019)?
As the CCPA’s effective date approaches, businesses are actively monitoring how companies will update their websites and privacy notices to comply with the new disclosure requirements of the Act. While many companies are prepared to update their websites at the end of the year, websites that are preemptively changed before year-end are reviewed and scrutinized for signs of emerging industry standard practice.
To date, the placement of a “do not sell” link on a website has not risen to the level of an industry practice.
In order to help companies understand and benchmark standards and practices, BCLP analyzed a random sample of the privacy notices of Fortune 500 companies.1 Based upon that sample, and as of December 20, 2019, only 4% of the total sample population had placed a “Do Not Sell My Personal Information” link either within their privacy notice or on their homepage.2 The percentage is slightly higher when viewed as a function of only those websites that have already updated their privacy notices for the CCPA. Within that sub-sample, 18% of companies have included a “Do Not Sell My Personal Information” link.
Interestingly, none of the companies that have included such a link appear to have a working mechanism for effectuating a “do not sell” request. One company’s link takes users to a data subject request portal that does not contain a “do not sell” option; the other company’s link takes users to an online chat bot that does not respond to requests for information not to be sold. It remains to be seen whether regulators and the plaintiff’s bar will view the inclusion of a link that is not functional as raising legal concerns under the Federal Trade Commission Act (“FTCA”) and state Unfair and Deceptive Trade Practice Acts (“UDTPA”).
Co-authored by Zach DeFelice.
What concerns have been raised with the IAB’s Do Not Sell Framework?
The Interactive Advertising Bureau (“IAB”) is a trade association comprised of companies that participate in digital marketing; its members include both media companies and advertising technology companies.
In October of 2019, the IAB published a draft IAB CCPA Compliance Framework for Publishers & Technology Companies (the “IAB Do Not Sell Framework”).1 The IAB Do Not Sell Framework proposed a system for companies that participate in third party behavioral advertising to provide consumers with an option for expressing their preference that their information not be sold. The proposal was presented ostensibly as a means of complying with the CCPA’s requirement that companies that sell personal information include a “Do Not Sell My Personal Information” link on their website, and honor the preference of consumers that opt out of such sales.2
Numerous questions and concerns have been raised by privacy advocates and businesses with the IAB Do Not Sell Framework. These include, but are not limited to, the following issues:
- Websites would be limited to dealing with adTech companies that participate in the framework. The IAB Do Not Sell Framework attempts to effectuate a do not sell request by converting any adTech company that has joined the framework, and that has executed a “Limited Service Provider Agreement” provided by the IAB, into a “service provider” when they receive a do not sell signal from a participating website. From a website’s perspective, however, if they participate in the IAB Do Not Sell Framework they may be effectively restricting the adTech companies (including the behavioral advertising network providers) with whom they can partner to those that have joined the framework. Websites may incur significant disruption if they are forced to terminate current adTech partners that decide not to join.
- The terms of the Limited Service Provider Agreement are unknown. Advertising technology companies that participate in the framework (e.g., third party behavioral advertising networks) would contractually agree to be bound by a “Limited Service Provider Agreement.” Although the IAB provides a high level description of the provisions that might be included in the Limited Service Provider Agreement, as of November 20, 2019, the agreement itself had not been published.3 As a result, it is not possible to determine whether the agreement comports with the service provider requirements of the CCPA.
- The effectiveness of the Limited Service Provider Agreement is unknown. In order for a company to be considered a “service provider” under the CCPA the Act states that there must be a “written contract” and implies that the contract must be “with the business.”4 Although the “Limited Service Provider Agreement” contemplated in the IAB Do Not Sell Framework has not been published, the IAB states that the agreement will not be entered into between a website and a technology company directly as “Digital Properties lack privity with many Downstream Framework Participants.”5 It may be that the IAB anticipates that adTech companies will agree to a set of industry rules or terms to which a website will be a third party beneficiary. Assuming that is the case it is unclear whether a court will interpret such a contractual arrangement as a “contract” between the parties sufficient to create a service provider relationship.
- The Limited Service Provider Agreement will contain no indemnification of websites. Although the “Limited Service Provider Agreement” contemplated in the IAB Do Not Sell Framework has not been published, the IAB states that it will include “no indemnification provisions.”6 It is unclear to what extent websites that may be directly liable under the CCPA will be comfortable with the risk that arises from service providers that are unwilling to provide any indemnification for privacy-related violations.
- The Limited Service Provider Agreement will impose no liability on adTech companies. Although the “Limited Service Provider Agreement” contemplated in the IAB Do Not Sell Framework has not been published, the IAB states that it will include “a complete limitation of liability.”7 It is unclear to what extent websites that may be directly liable under the CCPA will be comfortable with the risk that arises from service providers that are unwilling to assume any liability for privacy related violations.
- Device level opt-out may not comply with the CCPA. Under the framework when a user clicks on a website’s Do Not Sell My Personal Information link it would trigger a device-level opt-out.8 Among other things, the IAB Do Not Sell Framework suggests that websites notify consumers that if they visit the website from a different device (e.g., a work computer instead of a smartphone, or a smartphone instead of a personal computer) their information will again be sold until, or unless, the consumer submits a new opt-out request on the new device. It is unclear whether a device-level opt-out fully complies with the CCPA’s requirement that businesses “refrain from selling personal information collected by the business about the consumer” after receiving an initial opt-out request and the requirement that businesses wait “at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.”9
- Browser level opt-out may not comply with the CCPA. Under the framework when a user clicks on a website’s Do Not Sell My Personal Information link it would trigger a browser-level opt-out.10 Among other things, the IAB Do Not Sell Framework suggests that websites notify consumers that if they visit the website from a different browser (e.g., Chrome instead of Safari) their information will again be sold until, or unless, the consumer submits another opt-out request on the new device. It is unclear whether a browser-level opt-out fully complies with the CCPA’s requirement that businesses “refrain from selling personal information collected by the business about the consumer” after receiving an initial opt-out request and that businesses wait “at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.”11
- Non-persistent opt-outs may not comply with the CCPA. Under the framework when a user clicks on a website’s Do Not Sell My Personal Information link it would record their preference in a cookie placed on the user’s machine.12 If a user clears their browser’s cache that preference selection would, presumably, be erased and, as a result, the user’s personal information would again start to be sold by a business. It is unclear whether a non-persistent opt-out mechanism fully complies with the CCPA’s requirement that a business “refrain from selling personal information collected . . . about the consumer” after receiving an initial opt-out request and wait “at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.”13
- Offline to online sales. The CCPA arguably requires a company that receives a do not sell request to cease the selling of information both online and offline. The IAB framework’s focus on the online collection, and transmission, of do not sell requests does not appear to anticipate that many organizations may not collect sufficient information about a consumer to effectuate the request in the offline environment.
- Misrepresentation and deception litigation risk. Some privacy advocates have asserted that the IAB framework would, if adopted, “result in significant misrepresentations of the law.”14 It is not precisely clear what misrepresentations they believe would be made through the framework. However, their statements may be a signal that they intend to work with plaintiff attorneys to test whether use of the framework might be the foundation of a deception claim in litigation.