Benchmark Your Company’s Handling of Personal Data. Click here for your free Privacy Grade. Read more about PrivacyGrader in our recent TechCrunch coverage.

X

Are You Complying with CPRA/CCPA Opt-Out Rights?

Under the California Consumer Privacy Act (CCPA) that went into effect on January 1, 2020 and the recently approved California Privacy Rights Act (CPRA) that will supersede CCPA come 2023, California residents have the right to opt-out of a business selling or sharing any of their personal information.

That means that if you are a for-profit entity with an annual gross revenue in excess of $25 million and handling personal information of more than 100,000 California consumers or households, you are required by law to provide a clear and conspicuous way for your customers to opt-out. But what exactly does the right to opt out mean, how is it implemented, and how can you ensure your business complies?

What Does it Mean?

When you give customers the option to opt out, it limits the extent to which your company can sell or share a customers’ personal information. Under CCPA/CPRA, personal information is considered any information that identifies, relates to, or could be linked to an individual or household. This includes information like name, social security number, email or IP address, Internet browsing history, product purchases, geolocation data, and professional or employment-related information—essentially any information that is not publicly available via federal, state or local government records. According to Section 1798.140 of the CCPA, personal information also includes any information used to create a customer profile that reflects preferences, characteristics, behavior, or attitude.

The opt-out requirement doesn’t preclude you from collecting personal information in the normal course of doing business. After all, your business needs personal data to fulfill purchases and enable transactions. Opting out just means that you can’t sell or share this information with any other entity—unless it is a service provider that is necessary to perform a business function. 

It’s important to note that any disclosing of personal information deemed as providing monetary or other valuable consideration is considered a “sale” under CCPA. While often disputed, this broad definition includes the use of third-party advertising and analytics cookies that track a user’s browsing behavior. This does not apply to first-party cookies required to perform essential functions on your website, like remembering which products a customer has placed into an online shopping cart. 

How is it Implemented?

Under CCPA/CPRA, businesses needing to comply must provide two or more methods for submitting requests to opt-out, including an interactive form accessible via a clear and conspicuous “Do Not Sell or Share My Personal Information” link on the business’ homepage. Other acceptable methods include a toll-free phone number, designated email address, forms submitted in person or by mail, and user-enabled privacy controls such as a browser plugins or settings.

One way of providing an opt-out method is via an interactive cookie banner on a website that allows users to decline or accept any non-essential cookies that collect personal information. Some also get a bit more specific and allows users to select only necessary cookies that enable core functionality to help improve the customer experience while preventing the sale or sharing of data for marketing analytics or targeted advertising. 

CCPA/CPRA also has more restrictive “opt-in” requirements for children. This means that businesses cannot sell or share personal information for consumers less than 16 years of age without specific affirmative consent, with parental consent required for anyone under the age of 13. Unlike the opt-out option, opting in means that consumers are opted out by default and must take action to opt in. While this is contingent upon the business having knowledge of the age of the consumer, CCPA/CPRA does not allow a business to deliberately disregard a consumer’s age. Any business that targets children would therefore be wise to only use the “opt-in” option or implement a means to identify age to turn off any default selling or sharing of information for anyone under 16. 

A privacy policy is also mandatory under CCPA/CPRA Per CCPA/CPRA, and to collect any personal information, businesses must provide notice or disclosure about information being collected and for what purpose at or before the point of collection. If a business wants to collect different personal information than what was originally disclosed, they must provide a new notice. It therefore makes sense for privacy policies provided at the first point of collection to be broad enough to cover all information being collected. Businesses can meet the notice/disclosure requirement by providing a link to their privacy policy as part of an initial cookie banner. 

How Can You Ensure Compliance?

While providing customers with the option to opt out may seem straightforward, it isn’t enough to just include an opt-out option and privacy policy on your website—you also must immediately stop selling or sharing personal information as soon as a user chooses to opt out. You also need to wait a year before requesting authorization to once again sell or share their personal information. And if you are the third party purchasing information, it’s your responsibility to ensure that the data is from individuals who were given the opt-out option and clearly chose to opt in.

It is also recommended to conduct a thorough data mapping to identify all the ways your business and its systems handle personal information. This can help you determine if any third-party cookies are enabled on your website or if any of your data handling constitutes selling or sharing personal information. Because even if you think you aren’t selling or sharing personal information, it’s not always as obvious as disclosing data to third-party advertisers—think credit checking, identify verification services and other cloud-based services. And if you are unknowingly selling or sharing personal information, you’re still liable. 


To see just how compliant (or not) your business is with CCPA/CPRA opt-out rights, start with a free assessment of your website at www.privacygrader.com.

Introducing PrivacyGrader

Today the Ketch team is excited to introduce PrivacyGrader, a tool that helps solve the complex and critical problems of consumer data privacy and security.

It’s no secret that data protection is one of the biggest and hardest challenges we face today.  This year, data breaches continued to be constant headline news.  By one account, the average cost of a breach to a U.S. company is now more than $8.5 million

In addition to the direct costs of data breaches, the ripple effects of decreased consumer confidence in e-commerce and online media could have severe impacts on our economy – especially at a time when online experiences have never been more essential to our lives.  

This is a big, complicated problem that even the biggest companies struggle to manage.  Many small and medium-sized companies don’t even know where to begin.  

That’s where PrivacyGrader comes in.  It’s a starting point for companies to diagnose their data privacy performance, and then to begin the process of improving it.  With simple, practical steps. 

This is the kind of challenge our team loves:  Tackling big problems and coming up with elegant solutions that serve an important purpose.

PrivacyGrader works by analyzing your website’s collection and use of personal data.  It assesses multiple elements of your privacy procedures and doesn’t just help you find the problems – it identifies the steps you need to take to address them. We provide the analysis to any company at no cost.

Trust is vital for all of us as we deepen our commitment to an increasingly connected, digital lifestyle.  At Ketch, we don’t see a zero-sum world where consumer privacy is protected and online businesses lose. We believe that both consumers and businesses can prosper together, and we built PrivacyGrader to help bridge the divide.  We hope you’ll give it a try and let us know what you think.

Switchbit is now Ketch

The Switchbit team is driven by a belief in two key principles. First, privacy is an essential human right that all businesses should have the ability to respect and enforce. Second, data is property. Like land and other physical property, data must be protected and controlled according to the time, terms, and conditions of its owner’s choosing. 

We don’t see a zero-sum world where consumer privacy is protected and businesses lose. We believe that both consumers and businesses can prosper together. We’re determined to help businesses honor the data dignity of their customers, while also giving them the privacy and security tools that let them preserve and unlock the power of data for core operations and AI-enabled business processes.

Since our inception, we’ve been working hard to achieve the radical simplification of data privacy, which we believe is among the most critical imperatives facing our economy and our society. Undeniably, we are in the midst of the Data Rights Revolution.

As tends to be the case with revolutions, optimism and commitment are all mixed up with complexity and confusion. In our experience, most businesses want to embrace and implement a consumer-first privacy paradigm–the question is How to get there? 

We are committed to building powerful-but-simple infrastructure that guides our customers through the maze of laws and regulations, while at the same time recognizing and capitalizing on the opportunities along the way–opportunities hiding in plain sight.

Of course you need to achieve compliance and get the details right. But the companies that win this revolution will be those that go beyond, by creating privacy experiences that inspire customer satisfaction and trust. We help you imagine, design, and offer those experiences.

One of the many hurdles here is that the maze isn’t static. It changes as laws are born and evolve. All the energy you spent getting prepared for CCPA and GDPR? Congratulations! Your prize is…. CPRA and LGPD!. Data privacy is a dynamic challenge. That’s why we’re always focused on giving our customers a dynamic, deploy-once-comply-everywhere solution.

In this relentless pursuit of simplicity in the face of change, we’ll be with you every step of the way. And today, we’re practicing what we preach: We’ve decided our name adds more where less will do, and do better. Today, we’re saying goodbye to “Switchbit” and introducing you to “Ketch.” Strong and simple, just like our product and our mission. 

Ketch is blazing a path in the Data Rights Revolution. Join us in fighting for privacy as an essential human right, and data as property to be preserved and protected.

And if you don’t know, now you know.