For businesses across the globe, collecting consumer data plays an integral role in various strategies for increasing a business’ value. For example, businesses that collect consumer data may use it to engage in targeted advertising, which involves using the collected data to understand what devices consumers are using and where a business should direct its advertising efforts. Businesses may also sell the consumer data they collect to third parties, like ad-tech partners, that want to engage in cross-contextual advertising, a profitable form of targeted advertising focused on understanding how consumers are engaging with platforms across the web. These are just a few examples that illustrate the significant role that consumer data plays in modern advertising strategies, particularly with regard to understanding consumer behavior and consumer devices.
When businesses sell and share a consumer’s personal information, this may create a heightened and undesirable sense of surveillance for consumers. The California Consumer Privacy Act (“CCPA”) addresses this issue by offering consumers who desire to protect their personal information an opportunity to protect such information across multiple devices via opt-out methods.
Many businesses believe they currently offer a CCPA-compliant opt-out method for consumers and have an appropriate protocol for handling consumer opt-out requests. However, considering the rise of CCPA fines lodged against large and small companies for failing to offer CCPA-compliant opt-out methods, many businesses would benefit from re-evaluating whether they actually offer CCPA-compliant opt-out methods and have compliant protocols in place for their consumers’ protection. Offering sufficient protections to consumers may seem like an arduous task, but the rise of highly publicized fines issued against companies for failing to comply with the CCPA’s provisions may offer some additional incentive and guidance to businesses that engage in consumer data collection and targeted advertising.
What is the CCPA?
Drafted with the privacy rights of California residents in mind, the CCPA imposes requirements on businesses that collect or share a consumer’s personal information, including through websites. This statute, which was enacted in 2018, prioritizes a consumer’s right to control their personal information by offering a wide range of protections to consumers, such as the right to delete, the right to know what personal information is collected, the right to correct inaccuracies, the right to data portability, and the right to opt out of the sale or sharing of personal information. Under the CCPA, the right to opt out of the sale or sharing of personal information authorizes consumers to prevent businesses – and the businesses with which those businesses share personal information – from continuing to collect or sell their personal information.
Compliance with the CCPA’s opt-out provisions requires businesses that collect a consumer’s personal information to offer a straightforward, user-friendly opt-out method that allows a consumer to opt out of data collection. Additionally, a CCPA-compliant protocol must include mechanisms for accepting and incorporating the opt-out preference signals that users send, like the Global Privacy Control signals.
Examples of Conduct that Violates the CCPA
Many modern businesses offer consumers a way to watch their favorite content through streaming. Unsurprisingly, these streaming platforms may own multiple streaming websites and platforms that rely on targeted advertising techniques to advertise their platforms or to advertise other businesses on their own platforms.
In 2024, California Attorney General Rob Bonta announced an investigative sweep intended to effectuate CCPA compliance, targeting businesses that offer streaming services or sell or share consumer personal information. During this investigation, California’s Attorney General assessed whether the businesses implemented effective opt-out methods and measures for effectuating a consumer’s choice. Considering the 2024 investigative sweep and recent fines related to inadequate CCPA opt-out methods, here are four pitfalls that your business should avoid when seeking to create compliant CCPA opt-out methods:
Deceptive opt-out methods:
Businesses that offer opt-out methods that fail to achieve the intended outcome may violate the CCPA. During the investigative sweep, the California Attorney General found that some businesses offered opt-out methods that led consumers to believe they had opted out of a business’ data collection process. In reality, these consumers were only opted out of data collection processes on a specific device or on a specific website, rather than on all of the business’ websites. In other cases, consumers were only opted out of data collection on the business’ website but were still subjected to having their data shared with ad-tech partners.
Dysfunctional opt-out methods:
Businesses should be aware that a website feature that does not work properly will not excuse a business from CCPA compliance. If an opt-out method fails to work properly because the website does not work properly, or a third-party vendor failed to properly create a website feature, a business will still be held responsible for violating the CCPA.
Offering inadequate opt-out methods:
When a consumer indicates their desire to opt out of a business’ data collection process, a business has a responsibility to honor the consumer’s request across all of its platforms. This means that a business that receives a consumer request to opt out should opt that consumer out of data collection on each of its websites and apps. This is aligned with the CCPA’s goal of completely opting out a consumer who desires to opt out of data collection. In recent decisions, the California Attorney General found that some businesses had the ability to opt consumers out across all of their websites but failed to do so after receiving an opt-out request on one of those websites. This conduct was deemed a CCPA violation.
Fragmented or additional opt-out processes:
Businesses should not require consumers to complete multiple forms or steps to exercise their choice to opt out. To comply with the CCPA, a business’ website should offer one method that completely opts the consumer out of data collection processes on the website. During the 2024 investigative sweep, it was determined that some violating websites required consumers who wanted to opt out to complete multiple forms or to navigate to multiple websites. It was counterintuitive and unrealistic to expect the average consumer to complete multiple forms and steps to exercise their right to opt out.
How Can Businesses Comply with the CCPA?
To comply with the CCPA, businesses should take the appropriate measures to offer easily identifiable and usable opt-out options that allow consumers to understand and invoke their right to opt out. Once a business has knowledge of the consumer’s decision, it should refrain from collecting or sharing that consumer’s personal information. For companies offering multiple services, this means taking the appropriate measures to ensure a consumer’s request is honored across all of those services and platforms. Likewise, a business that can identify the other devices a consumer is using should implement measures that honor the consumer’s request across each of those devices.
If your business needs assistance maintaining compliance with the CCPA, check out our other article Businesses Should Consider How They are Impacted by the California Consumer Privacy Acts.