November 26, 2022

Volume XII, Number 330


Under the CPRA will companies be required to offer consumers the ability to opt-out of behavioral advertising if they have already received opt-in consent?

The California Privacy Rights Act, which is scheduled to go into effect in 2023, states that if a company “shares” personal information with a third party that is engaged in cross-context behavioral advertising, the company must provide the consumer with the ability to “opt-out” of the sharing.1 Furthermore, under the CPRA a business must either (1) provide a link on the business’s homepage titled “Do Not Sell or Share My Personal Information” or (2) recognize “opt-out preference signal[s]” that are sent with the consumer’s consent pursuant to a technical specification that is to be created by the California Privacy Protection Agency.There is, however, an exception built into the CPRA for instances in which a consumer consents (i.e., opts-in) in the first instance to the use of behavioral advertising. Specifically, the CPRA states that if a consumer “uses or directs” a business to “intentionally disclose personal information or intentionally interact with one or more third parties” then such disclosures do not constitute “sharing” for the purposes of the CPRA.3 If an activity does not constitute sharing, then the CPRA’s requirement to provide an opt-out mechanism does not apply.

The net result is that there is a strong argument that if a company obtains opt-in consent from a consumer for the use of third party behavioral advertising in the first instance (e.g., through an opt-in cookie banner) then the company is not required to post a Do Not Sell or Share My Personal Information link and is also not required to comply with opt-out preference signals.4


1 Cal. Civ. Code §1798.120(a) (West 2021).

Cal. Civ. Code § 1798.135(a), (b)(1) (West 2021).

3 Cal. Civ. Code § 1798.140(ah)(2)(A) (West 2021).

4 It is worth noting that the CPRA does not state that in order for an intentional use or direction from a consumer to be effective, a business must provide the consumer with a means to revoke, or withdraw, that direction. Put differently, there is nothing within the CPRA that suggests that for consent to be effective a consumer must be given the ability to withdraw the consent at a later time. It is possible, however, that the CPPA may attempt to follow jurisdictions outside of California that have held that effective consent requires the ability of a consumer to withdraw.

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 301

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...