In 2022, companies prepared for three new privacy rights to take effect January 1, 2023, under the amended CCPA.
The Right to Opt Out of Sharing
The amended CCPA includes a new defined term — “sharing” — and provides consumers the right to opt out of sharing. The term “sharing” was added to address arguments that behavioral advertising is not a sale. Sharing means “disclosing… a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration….” “Cross-context behavioral advertising” means targeting of advertising to a consumer based on the consumer’s personal information obtained from their activity across businesses, different websites, applications, or services, other than the business, with which the consumer intentionally interacts. There are two key components to the definition of sharing: (1) The explicit language that sharing, unlike selling, does not require any consideration, and (2) the purpose for the transfer must be cross-context behavioral advertising.
Businesses that engage in sharing are required to provide a link on their websites titled, “Do Not Sell or Share my Personal Information,” which must immediately effectuate the consumer’s right to opt out of sales/sharing or direct them to where they can learn more about the right and make that choice. Businesses must provide two or more designated ways for consumers to submit a request to opt out of the sales/sharing of their personal information to third parties for cross-context behavioral advertising. Usually, this is effectuated through a cookie preference center and/or a request form that consumers can access by clicking on the “Do Not Sell or Share my Personal Information” link but must also be recognized via an opt-out preference signal. Lastly, access and transparency obligations apply to shared personal information as if it was sold personal information.
The Right to Correction
The amended CCPA provides a new right for consumers to request that a business correct personal information that it maintains about the consumer. The right is similar to what exists under the GDPR and also exists under the new 2023 privacy laws in Virginia, Colorado, Connecticut, and Utah. When a business receives a request to correct, they need to consider the nature of the personal information and the purposes for processing it. Businesses must disclose to consumers that this right exists and must use commercially reasonable efforts to fulfill verifiable requests.
The Right to Limit Use and Disclosure of Sensitive Personal Information
The amended CCPA provides a new defined term of “sensitive personal information” and imposes new obligations on businesses processing sensitive personal information, which now includes:
- Social Security, driver’s license, state identification card, or passport numbers;
- Account log-in, financial account, debit card, or credit card numbers in combination with any required security or access code, password, or credentials allowing access to an account;
- Precise geolocation (radius ≤ 1,850 ft.);
- Racial or ethnic origin, religious or philosophical beliefs, or union membership;
- The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication;
- Genetic data;
- Biometric information processed for the purpose of uniquely identifying a consumer;
- Personal information collected and analyzed concerning a consumer’s health; and
- Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
The amended CCPA provides consumers the right to request that a business limit the use and disclosure of their sensitive personal information. Specifically, a consumer can direct a business to use sensitive personal information only for purposes necessary to perform the service or provide the goods requested or as set forth in 1798.140(e)(2)(4)(5), and (8). Businesses that process sensitive personal information for purposes that are not necessary to perform the service or provide the goods requested or as set forth in 1798.140(e)(2)(4)(5), and (8) will be required to provide a link on their homepage(s) titled, “Limit the Use of My Sensitive Personal Information.”
Four More State Privacy Laws Take Effect in 2023
In 2022, companies began preparing for four new comprehensive privacy laws in Virginia (effective January 1, 2023), Colorado (effective July 1, 2023), Connecticut (effective July 1, 2023), and Utah (effective December 31, 2023). Inspired primarily by the CCPA and the GDPR, these laws extend data privacy rights to consumers in their respective states, including the right to access, right to delete, right to correct, and right to opt out of targeted advertising. Although all four laws – and the CCPA – appear to share common goals of consumer protection, greater transparency, increased control over personal data and limiting targeted advertising, there are significant differences among each of these laws related to the right to opt out of profiling, recognition of automated browser signals, and Data Protection Impact Assessments (DPIAs).