Obtaining Consent for Privacy Practices
By now, most businesses are aware of the growing requirements to provide notice to consumers regarding how a business uses and discloses personal information. In addition to existing regulations, five new privacy laws will go into effect in 2023, signaling an increasing level of scrutiny, by both consumers and regulators, around whether consent is “clearly” obtained. While each law has the same general theme of consumer transparency and control, each has different thresholds regarding applicability, and many differ in how consent must be obtained. This article will discuss the different consent thresholds and options that businesses may consider to ensure compliance with applicable laws.
Generally, consent may be obtained in an implicit or explicit manner, requiring businesses to consider numerous aspects of their notice and privacy practices, such as: acceptance methods (e.g., click-wrap vs. browse-wrap), locations where data is collected, pre-checked or unchecked consent checkboxes, acceptance language and proximity to consent checkboxes, policy locations on a webpage or application, and consent regarding policy modifications. To understand your business’s requirements, it is helpful to consider the language of applicable privacy laws. We consider a few of these laws below:
The Virginia Consumer Data Protection Act (VCDPA), effective Jan. 1, 2023, requires a “clear affirmative act” from consumers prior to businesses processing personal information. See definition of “consent.” Va. Code Ann. 59.1-575 (2022).
The California Privacy Rights Act (CPRA), effective Jan. 1, 2023, imposes a variety of consent standards for the processing of personal information, including "affirmatively authorized" consent for the sale of personal information of minors (Cal. Civ. Code 1798.120(c) (2022)) and "subsequent express authorization" if a consumer who has already opted out of the sale of personal information later decides to participate in the sale of the same (Cal. Civ. Code 1798.120(d) (2022)). The CPRA supplements the 2018 California Consumer Privacy Act (CCPA).
The Colorado Privacy Act (ColoPA), effective July 1, 2023, requires consent to be evidenced by a "clear, affirmative act." Co. Code 6-1-1303(5) (2022). Note the similarity of this standard to the VCDPA.
The Connecticut Data Privacy Act (CTDPA), effective July 1, 2023, requires a "clear affirmative act" for consent. (See definition of "consent" in Section 1(6) of the CTDPA, Pub. Act. 22-15, 2022 Ct. ALS 15 (2022).) While similar to the ColoPA and the VCDPA, the CTDPA's definition of "consent" expressly excludes consent obtained through the use of "dark patterns." (CTDPA Section 1(6).) Under the CTDPA, "dark patterns" refer to user interfaces that subvert or impair user autonomy. (CTDPA Section 1(11).)
Under the Utah Consumer Privacy Act (UCPA), effective Dec. 31, 2023, consent is not required for the processing of sensitive data. However, consumers may still opt out of the processing of their personal data. Utah Code Ann. 13-61-302 (2022).
The EU’s General Data Protection Regulation (GDPR) requires that consent be freely given, informed, specific, and unambiguous, and verified using a clear, affirmative action. See Article 4(11) of Council Regulation 2016/679, 2016 OJ. L. 119.
Based on new and existing laws and the changing expectations of consumers and regulators, obtaining express consent for your business’s data collection and processing practices may be necessary.
Just as with recording and tracking initial consent, it is important that your business logs any renewed or additional consent. Providing proof that consent to your business’s updated data collection and processing policies was obtained may prevent consumer claims to the contrary.
Due to the ever-changing patchwork of privacy laws and businesses’ desire for transparent relationships with their consumers, obtaining explicit consent from consumers for collecting and processing their personal data is becoming more frequent. Regardless of the method your business elects to use, it is important to keep privacy policies up to date and to communicate any updates to customers in a clear and transparent manner.
Franklin Chou also contributed to this article.