As the calendar turned to 2023, it wasn’t just a new year but also a new era of privacy ushered in with the California Privacy Rights Act (CPRA) becoming effective on January 1. The CPRA was passed in November 2020 and includes a number of updates to the California Consumer Protection Act (CCPA). For marketing and advertising professionals, one of the consequences of these changes is the expansion of rights for Californians as it relates to opt-out.
What do users have the right to opt out of?
Beginning January 1, 2023, California users’ right to opt out expands to cover the “sharing” as well as the “selling” of their personal information. This is a change from the CCPA requirements previously in place, which only required an opt-out for the “sale” of personal information.
What does it mean to “share” someone’s personal information?
From the CPRA text, “sharing” is:
“sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
In layman’s terms: any sending of a consumer’s personal information to another entity for advertising based upon the user’s observed or inferred behavioral preferences would be “sharing” under the new requirements (basically all personalized advertising activities).
What is the difference between a “sale” and a “share”?
Again from the CPRA text, “selling” is:
“selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.”
Put simply, a “sale” is the transfer of a consumer’s personal information to a third party in which the business receives some sort of direct value in return, while a “share” is any transfer of a consumer’s personal information to a third party for advertising purposes.
Users have the right to opt out of the transfer of their personal information for either of these purposes via the same opt-out mechanism. It is important to note the distinction, however, for disclosure purposes.
What marketing and advertising activities are impacted when a user opts out?
When a user opts out of the “sale and/or sharing” of their personal information, they are precluding you from sending their information to a third party for a direct monetary benefit and for personalized advertising purposes. Activities like adding a user to an audience list or retargeting list, or sending a user identifier along with behavioral information for profile creation to further advertising, would be precluded.
Put simply: any kind of sharing of the user’s personal information meant to help target them with ads based upon their past observed behavior would be impacted for opted-out users.
What marketing and advertising activities are not impacted?
The opt-out for sharing is specific to cross-context behavioral advertising. This means targeting the user on another domain based upon their observed behavior. If you are doing personalization on your own site with product recommendations, content personalization based upon observed user behaviors, or collecting interaction information for analytics—these activities are still allowed even for users who have opted out of selling/sharing (so long as the platforms used to execute are operating as service providers).
How do I provide the ability to opt out?
Again from the CPRA text: “Provide a clear and conspicuous link on the business’s internet homepages, titled “Do Not Sell or Share My Personal Information,” to an internet web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale or sharing of the consumer’s personal information.”
If any personal information is being sold and/or shared, you must have a link with the wording “Do Not Sell or Share My Personal Information” on all pages of your website. This link can then go to a page which enables the user to execute their opt-out request. Many organizations will use a Consent Management Platform to manage this user experience and the request.
In addition to the “Do Not Sell or Share My Personal Information” link, the CPRA also introduced the requirement to respect global opt-out preference signals such as the Global Privacy Control. Users can enable these signals within their browser, which then indicates their opt-out wishes to each website they access. These global opt-out signals must also be respected.
Upon submission of the request to opt out (whether explicitly via the link or via a global opt-out signal), the technical architecture should be in place to cut off any selling and sharing behavior from platforms in use.
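As an added illustration (not code from this article or from any consent platform), the gate below treats either the explicit link opt-out or a Global Privacy Control signal as an opt-out and withholds only the platforms that sell or share, leaving service-provider tags in place. The tag names, the `dns_optout` cookie and all function names are assumptions made for the example.

```javascript
// Added example; tag names and the cookie name are assumptions.
// Constructed tag inventory, e.g. the result of a tag audit. sellsOrShares
// marks platforms that receive personal information for cross-context
// behavioral advertising or for valuable consideration.
const TAGS = [
  { name: "example-retargeting-pixel", sellsOrShares: true },
  { name: "example-audience-sync", sellsOrShares: true },
  { name: "example-analytics", sellsOrShares: false },   // service provider
  { name: "example-onsite-recs", sellsOrShares: false }, // service provider
];

// Hypothetical first-party cookie set by the page behind the
// "Do Not Sell or Share My Personal Information" link.
const OPT_OUT_COOKIE = "dns_optout";

function hasExplicitOptOut(cookieHeader) {
  return (cookieHeader || "")
    .split(";")
    .map((pair) => pair.trim().split("="))
    .some(([key, value]) => key === OPT_OUT_COOKIE && value === "1");
}

// Global Privacy Control: the browser sends the request header "Sec-GPC: 1"
// and exposes navigator.globalPrivacyControl === true to page scripts.
function hasGpcSignal({ headers = {}, navigatorLike = {} }) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
  return lower["sec-gpc"] === "1" || navigatorLike.globalPrivacyControl === true;
}

// Either signal is a valid opt-out; neither one overrides the other.
function isOptedOut(ctx) {
  return hasExplicitOptOut(ctx.cookie) || hasGpcSignal(ctx);
}

// Names of the tags that may still load for this request or page view.
function tagsAllowedToLoad(ctx, tags = TAGS) {
  const optedOut = isOptedOut(ctx);
  return tags
    .filter((tag) => !(optedOut && tag.sellsOrShares))
    .map((tag) => tag.name);
}

// Constructed request: no cookie, but the browser sends the GPC header.
console.log(tagsAllowedToLoad({ headers: { "Sec-GPC": "1" } }));
```

The same decision has to be enforced wherever tags fire, including server-side integrations, so the opt-out state should be available to both the tag manager and the backend.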
How can I understand if the platforms I am using are in scope for this?
To understand your website’s needs as they relate to CCPA opt-out requirements, we suggest starting with a tag audit using a platform like Tag Inspector. This process will help you surface information about all of the platforms loading on your site and the data each is collecting. From there, you need to ask a series of questions for each platform present:
- Is personal information being collected? If so, the platform will be in scope of the CCPA.
- Is personal information being sold and/or shared? If so, you’ll need an opt-out mechanism.
- Is there a compliant means of opting out? Make sure there is the “Do Not Sell or Share My Personal Information” link available to the user on all pages of the site.
- Is the user’s opt-out request respected? Upon submission of the request to opt out, does the behavior of platforms actually change in order to preclude the selling and/or sharing of the consumer’s personal information?
- Is the global opt-out mechanism respected? Ensure global opt-out signals such as the Global Privacy Control are also respected as a valid opt-out.
The expanded opt-out requirements now in place for California consumers will have an impact on your marketing and advertising activities. It is important to get a compliant architecture in place to respect the privacy preferences of your users to build trust and reduce the strategic impacts of these changes.