To Opt In, or Not to Opt In: What Is the Direct Marketing Rule Under the CCPA?
Friday, January 22, 2021

The CCPA generally does not require that a company obtain the consent (or the “opt-in”) of a person before collecting or using their personal information. Consent is, required, however, in the following situations:

  1. Exemption from the definition of “sale.” The CCPA’s broad definition of “sale” could encompass a number of ordinary information transfers in addition to the transfer of data in exchange for money. The CCPA exempts from the definition of “sale” any transfer that takes place because the “consumer uses or directs the business” to “intentionally disclose personal information” to a third party.1 In other words, if a consumer consents, or opts in, to an information transfer it is not considered a “sale” under the CCPA.

  1. Sale of information about minors. The CCPA prohibits a business from knowingly selling the personal information of a consumer that is “less than 16 years of age” unless the consumer (in the case of individuals between 13 and 16) or the guardian (in the case of individuals under the age of 13) has “affirmatively authorized the sale” of personal information.In other words, opt-in consent is needed to sell the information of a minor. Paradoxically, if a business obtained the affirmative consent to transfer personal information, as discussed in the previous paragraph, technically the information transfer might not be a “sale” at all.

  1. Financial incentive programs. The CCPA provides that a business may only enter into a financial incentive program with a consumer if the consumer gives “prior opt-in consent.”3

  1. Re-soliciting the ability to sell. The CCPA states that if a person opts out of the sale of information (e.g., clicks a “Do Not Sell My Personal Information” link) a business is not permitted to solicit their consent (or opt in) to a future sale for “at least 12 months.”4

  1. Re-soliciting the ability to share sensitive personal information. The CPRA modified the CCPA to provide that, by Jan. 1, 2023, if a person opts out of the sharing of their sensitive personal information (e.g., clicks a “Do Not Share My Sensitive Personal Information” link) a business is not permitted to solicit their consent (or opt in) to additional sharing of such information for “at least 12 months.”5


Cal. Civ. Code 1798.140(ad)(2)(A), (B). The CCPA originally indicated that the third-party recipient could not “also sell the personal information, unless that disclosure would be consistent with the provisions of [the CCPA].” Cal. Civ. Code 1798.140(t)(2)(A) (Oct. 2020). It is unclear whether that restriction applied to situations in which a consumer intentionally interacted with a third party, situations in which a consumer directed the business to disclose personal information to a third party, or both. In either case, the restriction was removed by the CPRA, although technically the amendment does not become effective until Jan. 1, 2023.

2 Cal. Civ. Code 1798.120(c).

3 Cal. Civ. Code 1798.125(b)(3).

4 Cal. Civ. Code 1798.135(c)(4).

Cal. Civ. Code 1798.121(b), 135(c)(4).

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins