
Decoding California’s Privacy Changes: 5 Must-Read Updates for Digital Marketers

Choozle, March 05, 2024. Categories: Education, How-to, Industry News, Regulatory Compliance

Meet Ben Isaacson, Choozle’s Fractional Privacy Officer

When navigating the amended CCPA and its expanded Regulations, it’s critical for businesses to be clear about all their data uses and vendor relationships, and take necessary steps to meet the Regulations’ prescriptions. Here at Choozle, we’re privileged to have Ben Isaacson as our Fractional Privacy Officer. In this blog, Ben explores the 5 essential privacy-compliance requirements that are now enforceable in California.

Updated Privacy-Compliance Requirements

1. Privacy policies must be transparent and instructive. The Regulations make clear that a privacy policy should be a place of actionable instruction, not merely a restatement of the text of the law. For example, to meet “notice at collection” requirements, businesses can link to a dedicated ‘collection’ section of their privacy policy, use just-in-time mobile disclosures, and deploy similar targeted prompts. Privacy policies must also tell consumers not just what their rights are, but how to exercise them.

Under the CCPA as amended by the CPRA, consumers have the right to opt out of data ‘sales’ and also of their data being ‘shared’ with targeted-advertising providers. Additionally, if a website or mobile app collects ‘sensitive personal information’ such as precise geolocation (GPS), ethnicity, or citizenship status, consumers must also be allowed to specifically opt out of those uses. The privacy policy must state these (and all other consumer privacy rights) and the mechanisms for exercising them.

2. Third-party advertising opt-outs are made through prescribed links and need to be ‘controlled’ by the Business. Businesses must post a “Do Not Sell or Share My Personal Information” link and, if such information is used, a “Limit the Use of My Sensitive Personal Information” link. As an alternative to the two separate links, businesses may post a single “Your Privacy Choices” link.

The link(s) must live in the website’s footer. They should direct users to specific, granular choices to opt out of targeted ads (‘cross-context behavioral advertising’) by the third parties that receive data from visits to that Business’s website or app. For opt-outs of the use of sensitive personal information, a Business may choose to make the choices granular and use-case specific.

To be clear: there is no requirement under California or any other state privacy law to push a ‘proactive’ cookie consent banner to website or mobile app visitors, but many websites have chosen to do so as a best practice and a simple way of offering user choices about targeted advertising.

However, we know from the CA AG’s enforcement examples that a Business must ‘control’ the opt-out, which means that websites or apps should offer a ‘one-stop shop’ mechanism where a consumer can opt out and/or toggle their third-party advertising choices (for example, through a consent management platform (CMP) ‘cookie banner’).

Simply pointing visitors from a privacy policy link to the third-party advertising services’ own privacy pages, or to industry opt-outs like the Digital Advertising Alliance’s (DAA) opt-out, may not be sufficient for compliance with these new regulations.

See below for more information on what to look for in selecting a consent management platform.   

3. Websites must recognize ‘Opt-Out Preference Signals’ in addition to offering other opt-out mechanisms. Consumers may now be using privacy-forward browsers (e.g., DuckDuckGo) or browser extensions (e.g., Privacy Badger) that automatically broadcast their opt-out request to every website that may ‘sell or share’ personal information (under the CA or other state privacy laws). The Regulations confirm that Opt-Out Preference Signals like Global Privacy Control (GPC) are additive to, not a replacement for, the other designated opt-out mechanisms a Business must provide.

Every CMP should offer simple options to honor these opt-out signals and to show the user a confirmation that their signal has been recognized. Note, however, that many CMPs do not recognize opt-out preference signals by default. Be sure to affirmatively enable your CMP to recognize and honor them, and to display a confirmation notice that the signal is in fact being honored.
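As an added example (not code from the original post, and not Choozle’s or any CMP vendor’s own code), the JavaScript below shows the mechanics behind item 3. Per the GPC specification, a browser or extension that broadcasts the signal sends the request header `Sec-GPC: 1` and exposes `navigator.globalPrivacyControl === true` to page scripts. The code detects the signal on either side, treats it as an opt-out that is additive to the site’s own Do Not Sell or Share choice, gates the tags that would constitute a sale or share, and produces the confirmation notice. The tag inventory, the sample request, and the function names (`gpcFromHeaders`, `gpcFromNavigator`, `resolveChoices`, `gpcWellKnown`) are assumptions made for this example.

```javascript
// Added example: recognize and honor a Global Privacy Control (GPC) opt-out
// preference signal. Not code from the original post or from any CMP.
// Per the GPC specification, a browser or extension that broadcasts the signal
// sends the request header `Sec-GPC: 1` and exposes `navigator.globalPrivacyControl`
// as `true` to page scripts. Any other value (absent, "0", undefined) is NOT a signal.

// Server side. `headers` is an object keyed by lower-cased header name, the shape
// Node's http.IncomingMessage.headers provides. Only the literal "1" counts.
function gpcFromHeaders(headers) {
  const value = headers && headers['sec-gpc'];
  return typeof value === 'string' && value.trim() === '1';
}

// Client side. `nav` is window.navigator, passed in so the check is testable
// outside a browser (call as gpcFromNavigator(navigator) in the page).
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Sample tag inventory (constructed for this example). `saleOrShare` marks tags
// that disclose personal information to a third party for cross-context
// behavioral advertising. Tags run by a contractually bound service provider
// are not sales or shares and stay enabled regardless of the opt-out.
const TAGS = [
  { name: 'site-analytics',    saleOrShare: false },
  { name: 'retargeting-pixel', saleOrShare: true },
  { name: 'ad-exchange-sync',  saleOrShare: true },
];

// Decide what to load for one visitor and what to tell them.
//   gpcSignal  - result of gpcFromHeaders() or gpcFromNavigator()
//   siteChoice - the consumer's choice made through the site's own
//                "Do Not Sell or Share" link / CMP: 'opt_out', 'opt_in', or
//                null when no choice was ever made
// The signal is additive: it opts the visitor out even when no site-level
// choice exists, and a site-level opt-out is honored even without a signal.
function resolveChoices(gpcSignal, siteChoice, tags = TAGS) {
  const optedOut = gpcSignal === true || siteChoice === 'opt_out';
  const allowed = tags.filter(t => !(t.saleOrShare && optedOut)).map(t => t.name);
  const blocked = tags.filter(t => t.saleOrShare && optedOut).map(t => t.name);

  // The confirmation the CMP should display; null when nothing needs confirming.
  let confirmation = null;
  if (gpcSignal === true) {
    confirmation = 'Your opt-out preference signal (Global Privacy Control) has been '
      + 'recognized. Your personal information will not be sold or shared.';
  } else if (optedOut) {
    confirmation = 'You have opted out of the sale or sharing of your personal information.';
  }
  return { optedOut, confirmation, allowed, blocked };
}

// The spec also defines a well-known resource, /.well-known/gpc.json, through
// which a site states that it honors GPC. `lastUpdate` is a YYYY-MM-DD string.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Demo with a constructed request: a GPC-enabled browser, no prior site-level choice.
const sampleRequestHeaders = { host: 'www.example.com', 'sec-gpc': '1' };
const decision = resolveChoices(gpcFromHeaders(sampleRequestHeaders), null);
console.log(decision.blocked);       // [ 'retargeting-pixel', 'ad-exchange-sync' ]
console.log(decision.confirmation);
```

Run both checks in practice: the header reaches the server but not page scripts, so the server-side check belongs in the handler that renders the page (so sale/share tags are never emitted), while the client-side check lets an asynchronously loaded CMP update its state. One caveat for cached sites: if HTML with the tags baked in is served from a CDN cache without varying on `Sec-GPC`, the server-side check is silently bypassed, so either vary the cache key on that header or rely on the client-side gate.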

4. Your advertising services contracts should be clear about whether the entity collecting or receiving personal information is a ‘service provider’ or a ‘third party’ business processing data in a ‘sale’ or ‘share’. It is imperative that companies designate in their commercial agreements whether a party is a ‘service provider’ (or ‘processor’), and include the corresponding prescriptive language on data disclosures that restricts any ‘selling or sharing’ without specific written instructions. The Regulations explicitly state that if the prescribed language is not included in the contract, the entity may be considered a ‘third party’.

Every other advertising or marketing service that is not classified as a ‘service provider’ may then be classified as a ‘third party’ (as long as it meets the ‘business’ threshold under CA law). Third-party businesses are responsible for complying with Do Not Sell or Share opt-outs and other privacy requests they receive from their clients (e.g., forwarded through a GPC-enabled CMP).

For example, the California Attorney General has entered into settlements with both Sephora and DoorDash for not providing these sale/share opt-outs related to their third-party advertising efforts (Sephora was specifically cited for not respecting GPC).

5. The consent bar is high and the uses of consent are limited. The original CCPA did not define the term ‘consent’ and used it haphazardly in describing when it must be obtained. The Regulations now clarify that valid consent must be informed and explicit, and detail scenarios in which it may or may not be used.

The key takeaways from this are:

  • Overt, freely given consent must be obtained when re-establishing a relationship following an opt-out, including for third-party advertising.
  • Intrusive or overly proactive consent banners that attempt to coerce or mislead consumers, or that interfere with their ability to use a website or app, may be deemed a ‘dark pattern’, which the CPPA or AG may also enforce against.
  • Consent may not be forced through bundled agreements to terms of service, privacy policies, or other unrelated purposes, or implied through tangential actions like closing a consent pop-up or continuing to browse a site.
  • The most critical use case for consent is the selling or sharing of personal information of consumers under 16 years of age (opt-in consent from a parent or guardian for children under 13, and from the teen themselves for those aged 13 to 15). This differs sharply from the federal Children’s Online Privacy Protection Act (COPPA), which requires parental consent only for children under 13. The CA requirement can be enforced against any website targeting teenagers that uses third-party advertising services where a sale or share may be taking place. As a result, websites or apps that are either ad-supported or actively retarget ads to teens are encouraged to use proactive, consent-based approaches before sharing visitor information with third-party advertising services.

The Bottom Line

To comply with the amended CCPA and its expanded Regulations, it’s critical for businesses to be clear about all their data uses and vendor relationships, and take necessary technical, presentational and contractual steps to meet the Regulations’ prescriptions. As California Attorney General, Rob Bonta, recently stated, “There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.” 

About the author:

Ben Isaacson

Ben Isaacson is a Principal at In-House Privacy. For more than 25 years, he has been a leading privacy professional and trusted counsel. During the ‘Internet 1.0’ era, he was instrumental in launching the first self-regulatory guidelines for email marketing, addressable TV, and mobile marketing, as well as lobbying extensively for the CAN-SPAM Act as Executive Director of the Association for Interactive Marketing (acquired by the DMA). He then served as Experian’s global head of digital privacy for a decade, and later built and sold the first push-notification filtering app/wearable platform. Ben was one of the first privacy professionals to be certified as a CIPP/US with the IAPP in 2005, and completed the CIPP/E after the GDPR came into effect in 2018. He is a member of the State Bar of California, holds a J.D. from the Thomas Jefferson School of Law, and a B.A. from the University of Kansas.
