USA: Practical considerations for meeting opt-out requirements under US state privacy laws - Part one
In this Insight article, Bart Huffman, Wendell Bartnick, and Haylie Treas, from Holland & Knight, address opt-out rights and related requirements under certain US state privacy laws that are currently in effect and/or will take effect in 2023.
Part one explores opt-out rights, disclosures related to these opt-out rights, and opt-out mechanisms, whereas part two analyses the processing of opt-out requests, consent and opt-in requests, other compliance considerations, and the interplay with other major federal privacy laws.
These state privacy laws include the California Consumer Privacy Act of 2018 ('CCPA'), as amended by the California Privacy Rights Act of 2020 ('CPRA')1, the draft CCPA Regulations2, the Colorado Privacy Act ('CPA')3 and the draft Colorado Rules4, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA')5, the Utah Consumer Privacy Act ('UCPA')6, the Virginia Consumer Data Protection Act ('CDPA')7 (all five of these state laws jointly defined as the 'Five US State Privacy Laws'), and a Nevada privacy law8.
Please note that this article relies in part on regulatory guidance (much of it still in draft form) as of the beginning of December 2022.
In considering the various state law requirements discussed below, an organisation should first assess which state's laws apply to it (and whether it is possible to segregate data concerning one state's residents from data concerning residents of other states and countries). An organisation may not be subject to a state's law if the organisation is not 'doing business' in the state, or if the organisation does not meet a revenue or volume of processing threshold, or for some other reason. Once applicability has been determined, an organisation can make an intentional, informed decision to voluntarily comply with some, all, or none of the requirements with respect to data concerning residents of particular states (or all states).
For scoping purposes, it is important to remember that only the California law applies to employee and business contact data. Thus, for states other than California, the opt-out rights and other requirements below only apply to consumers acting in their individual capacity residing in a given state (assuming that other thresholds for applicability are met).
Rights to opt-out of certain personal information processing activities
Under state privacy laws, opt-out rights apply to certain types of processing activities - the 'sale' of personal information, the use or disclosure of personal information for behaviour-based, targeted advertising (called 'sharing' under the CCPA), profiling, and processing sensitive personal information. When individuals exercise their right to opt-out, organisations are required to comply with valid opt-out requests and are prohibited from discriminating or retaliating against the individuals because of the exercise of such rights9. Examples of unlawful discrimination or retaliation could include denying goods or services, charging different prices, or providing a different quality of goods or services to individuals who have opted out10.
Opt-out of the 'sale' of personal information
The Five US State Privacy Laws and the Nevada privacy law grant state residents the right to opt-out of the 'sale' of personal information11. The state laws employ two slightly different concepts of 'sale'. The Nevada, Utah, and Virginia laws define 'sale' as disclosing or making available personal information 'for monetary consideration'12, which aligns with the commonly understood meaning of the term.
However, the California, Colorado, and Connecticut privacy laws more broadly define 'sale' to mean disclosing or making available personal information 'for monetary or other valuable consideration'13. The laws do not define 'other valuable consideration', but the California Attorney General ('AG') has concluded that a 'sale' occurs when an organisation provides 'third parties including "advertising networks, business partners, [and] data analytics providers" with access to its customers' data in exchange for services from those entities'14. An organisation that 'sells' the personal information of residents of any of these states may be required to provide those residents with one or more mechanisms to opt-out of the 'sales'.
Opt-out of targeted advertising/sharing of personal information
The Five US State Privacy Laws grant state residents the right to opt-out of sharing personal information for targeted advertising (or 'sharing' under the CCPA15; that is, disclosing or making available personal information for this purpose)16. 'Targeted advertising' means displaying online ads to individuals based on personal information obtained or inferred over time from their activities across non-affiliated websites, applications, or online services17.
An organisation that directly or with the assistance of third parties collects, uses, discloses, or otherwise processes personal information for the purposes of targeted advertising may be required to offer an opt-out mechanism to state residents under the Five US State Privacy Laws. Note that contextual advertising, or even behaviour-based advertising, by the organisation itself using data from its own website would not be covered by these requirements or the associated opt-outs.
Opt-out of 'profiling' of consumers that could produce a significant effect
The Colorado, Connecticut, and Virginia privacy laws require organisations to offer state residents an opportunity to opt-out of certain 'profiling' activities18. Profiling under these laws means automated processing of personal information to evaluate, analyse, or make predictions based on an individual's economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements19.
Notably, these state laws do not provide an opt-out right for all profiling. Rather, the opt-out right under these laws applies only to profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer20. Unlike the opt-out right for third-party targeted advertising (discussed above), the profiling opt-out applies to an organisation itself (i.e. the opt-out is not limited to sharing activities).
Limit or opt-out of the use or disclosure of sensitive personal information
Sensitive personal information under the Five US State Privacy Laws includes both US and European concepts of personal information that warrants heightened protection. As such, the definition of the term extends to social security numbers, drivers' license numbers, financial account numbers with access credentials, precise geo-location, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of communications, genetic data, biometric data, physical or mental health diagnosis, sexual orientation, citizenship, or immigration status21.
In other respects, the regulation of organisations' use of sensitive personal information is not handled consistently under the Five US State Privacy Laws. The Colorado, Connecticut, and Virginia privacy laws require consent to collect and process sensitive personal information22. The Utah privacy law requires clear notice and an opportunity to opt-out of the processing of sensitive personal information23. California law expressly permits organisations to use and disclose sensitive personal information for most purposes without offering an opt-out mechanism. The uses of sensitive personal information for which an opt-out does not have to be offered under California law include the following:
- to perform the services or provide the goods reasonably expected by an average consumer who requests them;
- for the business purposes of ensuring the security and integrity of personal information, and for short-term, transient use under certain conditions;
- to perform its services, or maintain the quality or safety of products or services;
- to prevent, detect, and investigate security incidents;
- to resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions;
- to ensure the physical safety of natural persons; or
- where such collection or processing is not for the purpose of inferring characteristics about a consumer24.
Note, however, that a California resident does have the right to opt-out of an organisation's use or disclosure of sensitive personal information for purposes other than those listed above if it collects or processes sensitive personal information for 'the purpose of inferring characteristics' about that California resident25.
Disclosures related to opt-out rights
The Five US State Privacy Laws and the Nevada privacy law require organisations to describe in their privacy notices how they collect, use, disclose, and otherwise process personal information, including the processing described above26. Organisations are also required to describe how individuals can exercise their privacy rights, including their opt-out rights27. The Five US State Privacy Laws further require organisations to present such privacy notices in the same manner as they collect personal information, which means that organisations may need to provide information about their processing and opt-outs online, at physical locations, and by telephone, for example. Notably, the Five US State Privacy Laws and the Nevada privacy law do not expressly require a cookie banner, but a cookie banner is a potential method for compliance with notice obligations.
In addition to a general privacy notice, the CCPA requires a 'notice at collection', a 'notice of right to opt-out of sale/sharing', and a 'notice of right to limit', and that an organisation respond to 'right to know' requests with information about an organisation's 'selling' and 'sharing' practices28. There are specific requirements for presenting these notices, but as a general matter they can be part of, or separate from, a general privacy notice.
CCPA - 'notice at collection'
An organisation is required to notify California residents 'at or before the point of collection' about the categories of personal information collected from them, and associated purposes29. If an organisation 'sells' or 'shares' personal information, the organisation is also required to include in the 'notice at collection' a list of each category of personal information sold or shared and a link to the notice of right to opt-out of sale/sharing (discussed next)30.
CCPA - 'notice of right to opt-out of sale/sharing'
If an organisation 'sells' or 'shares' personal information, the CCPA requires that the organisation post a 'notice of right to opt-out of sale/sharing' to inform California residents about their opt-out right and instructions on how to exercise that right31. This notice can include information about an individual's previously made opt-out choice and permit the individual to change the choice (e.g. to opt into the 'sale' and/or 'sharing' of personal information)32. Where this notice is required, it must be available by a link from an organisation's privacy notice (or within the privacy notice) and possibly from a link on the organisation's websites (see below for a discussion on the use of links).
CCPA - 'notice of right to limit'
If an organisation collects or processes sensitive personal information for 'the purpose of inferring characteristics' about California residents, the CCPA requires that the organisation post a 'notice of right to limit' to inform California residents about their opt-out right and instructions on how to exercise that right33. This notice can include information about an individual's previously made opt-out choice and permit the individual to change the choice (e.g. to opt into the additional uses and disclosures of sensitive personal information). Where this notice is required, it must be available by a link from an organisation's privacy notice (or within the privacy notice) and possibly from a link on the organisation's websites (see below for a discussion on the use of links).
CCPA - response to 'right to know' requests
As part of the CCPA's 'right to know', the CCPA grants California residents the right to request that an organisation that 'sells' and/or 'shares' personal information provide additional information about such selling and/or sharing34. Upon such request, an organisation is required to include the following information in its response to a verifiable request35:
- the categories of personal information collected about the individual; and
- the categories of personal information 'sold' or 'shared' correlated with the categories of recipients of the sale/sharing.
This right is akin to the right to obtain information about third parties with whom personal information was shared for their own direct marketing activities, as provided by the California Shine the Light Law that was enacted over 15 years ago36.
Opt-out mechanisms
The Five US State Privacy Laws and the Nevada privacy law require organisations to provide a mechanism for state residents to opt-out of the processing described above37. California and Colorado require at least two opt-out methods and are the most prescriptive for how the opt-out mechanisms should operate38. Opt-out methods that organisations have used include online forms, email, telephone, and website cookie controls. The CCPA requires that one method be a toll-free telephone number39.
Before responding to certain opt-out requests, organisations may be permitted to use the same verification process they use when responding to requests to exercise other types of privacy rights, but an organisation is not permitted to require individuals to create accounts to exercise their opt-out rights and generally cannot charge a fee (unless the requests are excessive or repetitive, for example)40. Organisations can require existing account holders to log into that account to exercise their opt-out rights41.
Further, under the California, Colorado, and Connecticut privacy laws, residents can permit an authorised agent to make an opt-out request on their behalf42. Additional, specific requirements associated with opt-out mechanisms are described below.
Global privacy controls
Organisations that sell personal information or that use targeted advertising or 'share' personal information for targeted advertising purposes are, or will be, required to respond to user choices made through online universal opt-out mechanisms or global privacy controls ('GPC') pursuant to the California, Colorado, and Connecticut privacy laws43. This GPC requirement does not apply to the opt-outs for other processing.
As defined in the draft CCPA Regulations, a GPC is an online mechanism that emits a signal 'in a format commonly used and recognized by businesses' to indicate an individual's intent to opt-out (e.g. a browser setting broadcast to visited websites)44. The draft Colorado Rules indicate that the GPC must be 'recognized by the Colorado Attorney General' and can be either a signal delivered by a platform, developer, or provider (e.g. a browser setting) or a repository of opt-out choices that can be queried by organisations (e.g. a do-not-sell registry)45. To comply with the GPC requirements, organisations may need to update their websites to receive and respond to these signals and to query the opt-out databases approved by the Colorado AG.
CCPA - Links to opt-out mechanisms
The CCPA uniquely requires that organisations post certain opt-out links clearly and conspicuously on their websites46. When an organisation 'sells' or 'shares' personal information, an organisation is normally required to post a 'Do Not Sell or Share My Personal Information' link on its homepage that either immediately effectuates the opt-out or directs the user to the notice of right to opt-out of sale/sharing.
Likewise, if an organisation collects or processes sensitive personal information for 'the purpose of inferring characteristics' about California residents, it is required to post a 'Limit the Use of My Sensitive Personal Information' link on its homepages that either immediately effectuates the opt-out or directs the user to the notice of right to limit.
As an alternative to the links described in the preceding paragraph, an organisation can post a 'Your Privacy Choices' or 'Your California Privacy Choices' link next to an opt-out icon created by the California AG48 on its website homepages (instead of the two separate links) to allow visitors to exercise both their right to opt-out of sale/sharing and their right to limit the use and disclosure of sensitive personal information47. The link should direct the user to a webpage that combines the content from the notice of right to opt-out of sale/sharing and the notice of right to limit, if they are required49.
Another alternative may also be available. An organisation that automatically processes the GPC signal without the individual seeing any notice or taking any other action (i.e. in a 'frictionless manner') does not need to post the 'Do Not Sell or Share My Personal Information' link on its website homepage (but the opt-out mechanism or link to it must be included in the privacy notice)50.
Note that taking this approach would not address an opt-out right to limit the use of sensitive personal information (if applicable) and would not permit 'granular' opt-out rights as to cookies or other categories.
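One way a website could act on the GPC signal described in the 'Global privacy controls' section, while respecting the caveat above that frictionless GPC handling does not cover the right to limit sensitive personal information or granular choices. This is an added example, not code from the article or from any regulator; it assumes the signal arrives as the `Sec-GPC: 1` request header used by the Global Privacy Control specification, and the third-party tag inventory is constructed for illustration.

```python
"""Honouring a Global Privacy Control (GPC) signal on the server side.

Added example; not code from the article or from any regulator.
Assumption: the browser delivers the GPC signal as the HTTP request
header `Sec-GPC: 1` (the format used by the GPC specification). The
scope of what the signal opts a visitor out of follows the article:
'sale' and targeted advertising/'sharing' only.
"""

SALE = "sale"                        # 'sale' of personal information
SHARING = "sharing"                  # targeted advertising / CCPA 'sharing'
PROFILING = "profiling"              # significant-effect profiling (CO, CT, VA)
LIMIT_SENSITIVE = "limit_sensitive"  # CCPA right to limit sensitive PI

# A GPC signal covers only these two activities; the others still need
# their own opt-out mechanism (online form, email, telephone, cookie controls).
GPC_COVERED = frozenset({SALE, SHARING})
ALL_ACTIVITIES = frozenset({SALE, SHARING, PROFILING, LIMIT_SENSITIVE})

# Constructed tag inventory: which opt-out each third-party tag depends on.
# An analytics provider given customer data in exchange for services is a
# 'sale' under the California AG's reading described in the article.
TAG_INVENTORY = {
    "ad-network.js": SHARING,
    "retargeting-pixel.js": SHARING,
    "analytics-partner.js": SALE,
    "fraud-check.js": None,   # security/fraud prevention: no opt-out applies
}


def gpc_signal_present(headers):
    """True when the request carries a valid GPC signal.

    Header names are matched case-insensitively; only the literal value
    "1" is an opt-out. Anything else (missing, "0", garbage) is ignored.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def resolve_opt_outs(headers, stored_choices=()):
    """Merge stored opt-out choices with the GPC signal on this request.

    stored_choices: activities the visitor already opted out of through
    another mechanism (web form, email, telephone, authorised agent).
    Returns {activity: source} for every activity the visitor is opted
    out of. GPC only adds opt-outs; it never undoes a stored choice.
    """
    unknown = set(stored_choices) - ALL_ACTIVITIES
    if unknown:
        raise ValueError(f"unknown opt-out activities: {sorted(unknown)}")
    result = {activity: "stored" for activity in stored_choices}
    if gpc_signal_present(headers):
        for activity in GPC_COVERED:
            result.setdefault(activity, "gpc")
    return result


def permitted_tags(opt_outs, inventory=TAG_INVENTORY):
    """Third-party tags that may still be loaded given the opt-outs."""
    return sorted(tag for tag, needs in inventory.items()
                  if needs is None or needs not in opt_outs)


def still_needs_separate_mechanism(opt_outs):
    """Activities a GPC signal cannot cover that are not yet opted out.

    Mirrors the article's caveat that frictionless GPC handling does not
    address the right to limit sensitive PI or granular choices.
    """
    return sorted(ALL_ACTIVITIES - GPC_COVERED - set(opt_outs))
```

Persisting the resolved choices (and their source) per visitor is what lets an organisation show the 'previously made opt-out choice' in its notices and respond to 'right to know' requests.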
Self-regulatory opt-out mechanisms
Many organisations are already complying with the self-regulatory targeted advertising opt-out requirements and mechanisms currently provided by the Digital Advertising Alliance ('DAA') and Network Advertising Initiative ('NAI'). Organisations can continue to use these opt-out methods, as long as organisations comply with the additional requirements imposed by the Five US State Privacy Laws and the Nevada privacy law. It remains to be seen how these self-regulatory mechanisms will be impacted by state regulation.
1. Cal. Civ. Code § 1798.100 et seq. Available at: https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
2. Cal. Code Regs. tit. 11, § 7000 et seq. Available at: https://cppa.ca.gov/regulations/pdf/20221102_mod_text.pdf
3. Colo. Rev. Stat. § 6-1-1301 et seq. Available at: https://leg.colorado.gov/sites/default/files/2021a_190_signed.pdf
4. 4 CCR 904-3. Available at: https://coag.gov/app/uploads/2022/10/CPA_Final-Draft-Rules-9.29.22.pdf
5. PA 22-15. Available at: https://www.cga.ct.gov/2022/ACT/PA/PDF/2022PA-00015-R00SB-00006-PA.PDF
6. Utah Code § 13-61-101 et seq. Available at: https://le.utah.gov/xcode/Title13/Chapter61/13-61.html?v=C13-61_2022050420231231
7. Va. Code Ann. § 59.1-575 et seq. Available at: https://law.lis.virginia.gov/vacodefull/title59.1/chapter53/
8. Nev. Rev. Stat. § 603A.300 et seq. Available at: https://www.leg.state.nv.us/nrs/nrs-603a.html
9. See CCPA, § 1798.125(a)(1); CPA, § 6-1-1308(6); CTDPA, § 6(a); UCPA, § 13-61-302(4); VCDPA, § 59.1-574 (A)(4).
10. See CCPA, § 1798.125(a)(1).
11. See CCPA, § 1798.120(a); CPA, § 6-1-1306(1)(a)(I); CTDPA, § 4(a)(5); NRS, § 603A.345; UCPA, § 13-61-201(4); VCDPA, § 59.1-577(A)(5).
12. NRS, § 603A.333(1); UCPA, § 13-61-101(31); VCDPA, § 59.1-575.
13. CCPA, § 1798.140(ad)(1); CPA, § 6-1-1303(23); CTDPA, § 1(26).
14. People of the State of California v. Sephora USA, Inc., Complaint, Section 12. Available at: https://oag.ca.gov/system/files/attachments/press-docs/Complaint%20%288-23-22%20FINAL%29.pdf
15. See CCPA, § 1798.140(ah)(1).
16. See CCPA, § 1798.120(a); CPA, § 6-1-1306(1)(a)(I); CTDPA, § 4(a)(5); UCPA, § 13-61-201(4); VCDPA, § 59.1-577(A)(5).
17. See CPA, § 6-1-1303(25); CTDPA, § 1(28); UCPA, § 13-61-101(34)(a); VCDPA, § 59.1-575.
18. See CPA, § 6-1-1306(1)(a)(I); CTDPA, § 4(a)(5); VCDPA, § 59.1-577(A)(5). California residents may also soon have this right. The CCPA requires regulations governing opt-out rights with respect to a businesses' use of automated decision-making technology, including profiling. However, such regulations have not yet been published.
19. See CPA, § 6-1-1303(20); CTDPA, § 1(22); VCDPA, § 59.1-575.
20. See CPA, § 6-1-1306(1)(a)(I); CTDPA, § 4(a)(5); VCDPA, § 59.1-577(A)(5).
21. See CCPA, § 1798.140(ae)(1); CPA, § 6-1-1301(24); CTDPA, § 1(27); UCPA, § 13-61-101(32)(a); VCDPA, § 59.1-575.
22. See CPA, § 6-1-1308(7); CTDPA, § 6(a)(4); VCDPA, § 59.1-578(A)(5).
23. See UCPA, § 13-61-302(3). However, under the Utah privacy law processing personal information of a known child requires compliance with the Children's Online Privacy Protection Act of 1998 ('COPPA'), 15 U.S.C. 482 Sec. 6501 et seq., including its consent requirements.
24. See CCPA, § 1798.121; see also CCPA, § 1798.140(e)(2), (4), (5), (8); CCPA Regulations, § 7027(m).
25. See CCPA, § 1798.121(a), (d).
26. See CCPA, § 1798.130(5); CPA, § 6-1-1308(1)(a)-(b); CTDPA, § 6(c); NRS, § 603A.340(1); UCPA, § 13-61-302(1)(a); VCDPA, § 59.1-578(C).
27. See CCPA, § 1798.130(5); CPA, § 6-1-1306(1)(a)(III); CTDPA, § 6(d); NRS, § 603A.340(1); UCPA, § 13-61-302(1)(b); VCDPA, § 59.1-578(D).
28. See CCPA, §§ 1798.100(a), 1798.110, 1798.115; CCPA Regulations, §§ 7012(e), 7013(f), 7014(f).
29. See CCPA, § 1798.100(a).
30. See CCPA, § 1798.100(a); CCPA Regulations, § 7012(e).
31. See CCPA, § 1798.135(a)(1); CCPA Regulations, § 7013.
32. See CCPA Regulations, § 7028.
33. See CCPA, § 1798.135(a)(2); CCPA Regulations, § 7014.
34. See CCPA, § 1798.115(c).
35. See CCPA, § 1798.115(a)-(b).
36. See Cal. Civ. Code § 1798.83. Available at: https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.83.&lawCode=CIV
37. See CCPA, § 1798.130(a)(1)(A); CPA, § 6-1-1308(1)(b); CTDPA, § 6(d); NRS, § 603A.340(1); UCPA, § 13-61-302(1)(b); VCDPA, § 59.1-578(D).
39. See CCPA, § 1798.130(a)(1)(A).
40. See CCPA, §§ 1798.130(a)(2)(A), 1798.135(c)(1); CPA, §§ 6-1-1306(1), 6-1-1306(2)(c); CTDPA, §§ 6(e)(1), 4(c)(3); UCPA, § 13-61-203(4)(a); VCDPA, §§ 59.1-578(E), 59.1-577(B)(3).
41. See CCPA, §§ 1798.130(a)(2)(A), 1798.135(c)(1); CPA, § 6-1-1306(1); CTDPA, §§ 6(e)(1); VCDPA, § 59.1-578(E).
42. See CCPA, § 1798.135(e); CPA, § 6-1-1306(II); CTDPA, § 5.
43. The California AG has taken the position that this requirement currently is in effect, and the draft CCPA Regulations are consistent with this position. CCPA Regulations, § 7025(e). The Colorado requirement to honour GPC signals takes effect on 1 July 2024 (CPA, § 6-1-1306(B)), and the Connecticut requirement takes effect on 1 January 2025 (CTDPA, § 6(e)(1)(A)(ii)).
44. See CCPA Regulations, § 7025(b).
45. See CPA Rule 5.06(A).
46. See CCPA, § 1798.135(a)(1-2).
47. See CCPA Regulations, § 7015(b).
48. The icon is available for download at: https://oag.ca.gov/privacy/ccpa/icons-download
49. See CCPA Regulations, § 7015(c).
50. See CCPA, § 1798.135(b); CCPA Regulations, §§ 7013(d), 7025(e).