Obtaining Consent for Privacy Practices
Friday, January 27, 2023

By now, most businesses are aware of the growing requirements to provide notice to consumers regarding how a business uses and discloses personal information. In addition to existing regulations, five new privacy laws will go into effect in 2023, signaling an increasing level of scrutiny, by both consumers and regulators, around whether consent is “clearly” obtained. While each law has the same general theme of consumer transparency and control, each has different thresholds regarding applicability, and many differ in how consent must be obtained. This article will discuss the different consent thresholds and options that businesses may consider to ensure compliance with applicable laws.

Generally, consent may be obtained in an implicit or explicit manner, requiring businesses to consider numerous aspects of their notice and privacy practices, such as: acceptance methods (e.g., click-wrap vs. browse-wrap), locations where data is collected, pre-checked or unchecked consent checkboxes, acceptance language and proximity to consent checkboxes, policy locations on a webpage or application, and consent regarding policy modifications. To understand your business’s requirements, it is helpful to consider the language of applicable privacy laws. We consider a few of these laws below:

  • The Virginia Consumer Data Protection Act (VCDPA), effective Jan. 1, 2023, requires a “clear affirmative act” from consumers prior to businesses processing personal information. See definition of “consent.” Va. Code Ann. 59.1-575 (2022).

  • The California Privacy Rights Act (CPRA), effective Jan. 1, 2023, imposes a variety of consent standards for the processing of personal information, including "affirmatively authorized" consent for the sale of personal information of minors (Cal. Civ. Code 1798.120(c) (2022)) and "subsequent express authorization" if a consumer who has already opted out of the sale of personal information later decides to participate in the sale of the same (Cal. Civ. Code 1798.120(d) (2022)). The CPRA supplements the 2018 California Consumer Privacy Act (CCPA).

  • The Colorado Privacy Act (ColoPA), effective July 1, 2023, requires consent to be evidenced by a "clear, affirmative act." Co. Code 6-1-1303(5) (2022). Note the similarity of this standard to the VCDPA.

  • The Connecticut Data Privacy Act (CTDPA), effective July 1, 2023, requires a "clear affirmative act" for consent. (See definition of "consent" in Section 1(6) of the CTDPA, Pub. Act. 22-15, 2022 Ct. ALS 15 (2022).) While similar to the ColoPA and the VCDPA, the CTDPA's definition of "consent" expressly excludes consent obtained through the use of "dark patterns." (CTDPA Section 1(6).) Under the CTDPA, "dark patterns" refer to user interfaces that subvert or impair user autonomy. (CTDPA Section 1(11).)

  • Under the Utah Consumer Privacy Act (UCPA), effective Dec. 31, 2023, consent is not required for the processing of sensitive data. However, consumers may still opt out of the processing of their personal data. Utah Code Ann. 13-61-302 (2022).

  • The California Online Privacy Protection Act (CalOPPA) requires that your Privacy Policy be displayed "clearly and conspicuously" and that the link to it contains the word "Privacy."

  • The EU’s General Data Protection Regulation (GDPR) requires that consent be freely given, informed, specific, and unambiguous, and verified using a clear, affirmative action. See Article 4(11) of Council Regulation 2016/679, 2016 OJ. L. 119.

Based on new and existing laws and the changing expectations of consumers and regulators, obtaining express consent for your business’s data collection and processing practices may be necessary.

Implementing checkbox consent on your business’s properties may help ensure your business’s privacy policy is enforceable. Checkbox consent consists of a statement that the user is agreeing to the privacy policy, an unchecked box next to that statement, and a link to the full text of the privacy policy. For example, acceptance can be obtained with an unchecked box and the accompanying statement: "By selecting 'Continue' you are confirming that you have read, understand, and agree to the [linked privacy policy]." Ensuring that acceptance is required in your business’s operational workflow for consumers to create accounts or enroll for the services your business provides can head off disputes over whether consent was actually obtained.

In addition, keeping clear records indicating that each consumer saw the privacy policy and agreed to it of their own free will avoids privacy disputes in which a consumer claims that they did not see or did not know about the privacy policy, and can overturn claims from consumers alleging they did not understand how their personal information was being used by the business.

As your business evolves, how consumer data is processed may change, which may require additional or renewed consent from consumers. Generally, you only need to collect renewed or additional consent from your consumers if there is a material change in their privacy rights. For example, you don’t need to update consumers when the structure or formatting of your privacy policy changes, but you do need to obtain consent when you start collecting a new category of personal data or when introducing new third‑party subprocessors.

Renewed or additional acceptance can be obtained by email, pop-up notification, or push notification (if your business is also providing services through a mobile app). In each instance, the notification should include: the updated privacy policy effective date, a link to the full text of the updated privacy policy, and, just as when obtaining initial consent, a checkbox or button that creates an affirmative action evidencing consent. Although not required, it may also be helpful to include a link to the prior policy, a summary of how the updated privacy policy differs, and what to do if the consumer doesn't accept the changes. For example, renewed acceptance can be obtained via a pop-up notification on the website when the consumer next logs in with the accompanying statement and “Accept” button: "We’re updating our [linked privacy policy] to include changes to how we use your personal data to bring you more relevant content from our third‑party advertisers. These changes will take effect on [the effective date]. By clicking 'Accept,' you are confirming that you have read, understand, and agree to our privacy policy. If you don’t agree to these changes, it may affect our ability to personalize your experience."

Just as with recording and tracking initial consent, it is important that your business logs any renewed or additional consent. Providing proof that consent to your business’s updated data collection and processing policies was obtained may prevent consumer claims to the contrary.

Due to the ever-changing patchwork of privacy laws and businesses’ desire for transparent relationships with their consumers, obtaining explicit consent from consumers for collecting and processing their personal data is becoming more frequent. Regardless of the method your business elects to use, it is important to keep privacy policies up-to-date and to communicate any updates to customers in a clear and transparent manner.

Franklin Chou also contributed to this article.

 
