As of October 2022, California has the fourth largest economy in the world, rivaling Germany, and is considered the United States of America’s leader in developing consumer privacy protections. (The Office of the Governor Gavin Newsom, ICYMI: California Poised to Become World’s 4th Biggest Economy, Oct. 24, 2022 (published). The California Consumer Privacy Act (“CCPA”) has set the U.S.A.’s standard for data privacy and it rivals the comprehensive EU General Data Protection Regulations (“GDPR”) as a more business friendly option to consumer personal data protection because of the use of opt-out consent. California’s advocacy to provide its citizens with comprehensive privacy protections, has resulted in the national government’s commitment to passing a national privacy act entitled the American Data Privacy Protection Act (“DPPA”) and several States passing their own privacy regulations.(Brookings TechTank, Will California be the death of national privacy legislation, Nov. 18, 2022.). The national government and the States seem to have chosen opt-out consent as the U.S. national standard but with the growing number of authoritative privacy regulations being implemented, U.S. global and multinational businesses, are finding it challenging to navigate the complex privacy compliance landscape using opt-out consent. Opt-out consent is beginning to show weaknesses in providing adequate privacy protections for the consumer’s personal data by not allowing for an informed choice and is misaligned with global consent standards. Companies primarily implement principle-based approaches to privacy compliance by attempting to meet all applicable regulatory standards or accept the monetary implications of non-compliance with certain regulations. Since the U.S. national standard for personal data processing based on consent is misaligned with the global standard, U.S. global and multinational businesses must consider whether opt-in consent, or a hybrid consent option, provides better protections for the consumers and should become the new U.S. standard. California, as the U.S.’s leader in implementing consumer privacy protections, is already headed in that direction by blurring the line between sell/share and prohibiting the selling/sharing of personal data for cross context behavioral advertising purposes based upon the opt-in consent mechanism of “Do Not Sell My Information”.
To sell or to share?: That is not the question.
When the CCPA was first passed it introduced the concept of sell/share to the privacy arena. The concept of sell/share was to allow for the free secure flow of consumer personal data between businesses based on the consumer’s opt-out consent choices. (Opt-out consent is described as soft opt in, default opt in, assumed, deduced, deemed, or implicit consent. Jane Clyne, CIPP, “Privacy Consent Glossary”. IAPP; California Privacy Rights Act of 2022 §14: Definitions; defining the terms sell/share based on valuable consideration where if no monetary or valuable consideration is exchanged than the business has “shared” consumer personal data). The CCPA went with an opt-out consent protocol because at the time experts opined that an opt-out consent procedure provides more privacy protection based on a consumer’s informed choice. Experts later found that it merely prevents the sale of a consumer’s personal data, rather than protect how the data is processed. Now, data processing experts agree, that the globally accepted standard of an opt-in and/or hybrid consent process provides clear transparent mechanisms to unequivocally obtain the consumer’s informed consent, whether active or implied, eliminating the need for the business to interpret the consumers choice based on their interaction with the business. (Sarah Rippy, “Opt-in Versus opt out approaches to personal information processing”. IAPP).
The premise that a strict opt-out consent process merely prevents the sale of a consumer’s personal data is bolstered by the recent Sephora settlement decision where it was found the lines between “sell/share” do not impact whether the personal data was compliantly processed but rather whether a consumer’s informed consent to process personal data indicates that the consumer unequivocally consented to this personal data processing. (California v. Sephora settlement decision). This decision should indicate to company’s doing business in California that it may be time to reconsider whether an opt-out approach adequately obtains informed consent or whether an opt-in or hybrid approach better meets privacy compliance obligations. Opt-out concepts for activities like direct sales for consideration and data sharing for cross context behavioral advertising (with a corresponding ‘do not sell my information’ button) are inadequate methods to allow an individual to control how its personal data is processed because opting-out of these rules merely allow for individual agency over an individual’s own personal information rather than providing objective boundaries to businesses for the proper collection and use of a consumer’s personal data.(The Editorial Board, America, Your Privacy Settings are All Wrong: Using an opt in approach will help curb the excess of Big Tech., March 6, 2021. https://www.nytimes.com/). The blurring of the sell/share concept by the Sephora settlement decision forces U.S. companies to reconsider whether they are engaged in the compliant collection and use of consumer personal data by evaluating whether the consumer has given informed consent through the consent protocol.
To opt-in or opt-out?: That is the question
The United States, as led by the CCPA, relies on an opt-out concept of data protection focusing on allowing the transfer and control of a consumer’s personal information through a consumer’s informed choices. However, the opt-out, soft opt in, default opt in, assumed, deduced, deemed, or implicit consent, concepts of data protection can cause businesses to run-afoul of global privacy regulations, including the CCPA, solely because consumer’s choices were uninformed; leading to a lack of consent given. U.S. businesses claim an opt-in privacy regime would lead to more inefficiencies in business, however an opt-in privacy or hybrid consent regime can result in informed consent without requiring the consumer to opt-out of certain activities, read privacy notices, and read security policies, because the opt-in or hybrid consent regime focuses on how the personal information is collected and used versus how consent was obtained, managed and monitored.
In contrast to the U.S., the European Union, United Kingdom, Brazil, Canada, India, Colombia, Chile, Morocco, Malaysia, South Africa, South Korea, Japan, and Taiwan all have opt-in regimes built into their regulations because opt-in privacy regimes do not rely on user consent selections, but rather make the businesses assess the collection and use of an individual’s personal information within all applicable regulatory boundaries. This creates the assessment and proof of informed consent without leaving it up to interpretation of the business.
U.S. companies should strongly consider whether opt-in or a hybrid consent regime is the better option to compliantly maintain a consumer’s privacy for their business, while still allowing for the free flow of information between businesses. Opt-in consent places more onus on the business that initially collects and uses your personal information forcing them to use it more responsibly. If a business chooses to use opt-out consent, like most U.S. companies, for activities like direct sales for consideration or sharing data for cross context behavioral advertising, they risk running afoul of the CCPA because the passive nature of an opt-out consent mechanism does not allow for an individual’s informed choice in making personal data processing selections. An opt-in or hybrid consent protocol allows an individual to make informed choices as can be seen by California’s requirement of having a “Do Not Sell My Information” option. The individual’s interaction with the website and/or choosing the cookie selection to receive targeted advertising, functional, and or personalized cookies is proof positive that the consumer made informed choices when selecting these options; the opt-in consent protocol essentially forces an individual to agree to certain personal data processing activities only after they have been informed about their selection whereas the passive opt-out consent protocol that pre-selects a individual’s choices for them, fails to show that an individual relied on informed consent to make their choices and therefore there is a question as to whether the personal data was compliantly processed under any global privacy regulation, including the CCPA.
