CCPA Opt-Out: The Total Compliance Guide

In California and all of the United States, you are allowed to process personal information without asking for permission from anyone.

All you need to do before collecting the data from Californians is present them with a privacy notice. This notice should inform them that their data is being collected and processed. If you sell or share their data, you have to provide them with such a notice at the same time.

California, often at the forefront of consumer privacy legislation in the U.S., has enacted laws that give consumers more control over their data. The California Consumer Privacy Act (CCPA), which came into effect in January 2020, and its successor, the California Privacy Rights Act (CPRA), have been fully operational since 2023.

Under the CCPA and CPRA, California residents are granted several key rights concerning their personal data, including the right to opt out of the sale of their personal information.

For businesses, this means adapting to a new set of obligations. They must provide clear mechanisms for consumers to exercise their rights, including a visible and accessible "Do Not Sell My Personal Information" link on their website. This link is crucial for compliance, as it allows consumers to opt out of the sale of their personal information easily.

But, for most businesses, that's not the only link needed to be on the website. In this article, we'll get into the details of what the CCPA opt-out requirements mean for your company and what you have to do to comply with them.

Do I need to comply with the California Consumer Privacy Act?

The CCPA does not apply to all businesses, but only to those that do business in California, process the data of California residents, and:

• Have annual gross revenues over $25 million,

AND

• Buys, receives, or sells the personal information of 50,000 or more California consumers, households, devices, or
• It derives 50% or more of its annual revenues from selling consumers’ personal information.

If you do not meet these thresholds, the CCPA opt-out requirements do not apply to your business.

But if they do, keep reading. This is an important article for you.

What is an CCPA opt-out?

The CCPA relies on the opt-out principle, which means that you can process personal data without permission until a user opts out of the processing.

The CCPA opt-out right is the right of every California consumer to opt out of the selling or sharing of their personal information. By default, you have the right to sell or share personal information without consent. All you need to do beforehand to make the sale or share compliant is to show consumers a privacy notice to opt out of the sale of personal information.

Read in-depth about CCPA privacy notices.

CCPA opt-out requirements

The CCPA opt-out requirements include a duty to provide consumers with a link and another mechanism for opting out.

The Three CCPA Opt-Out Mechanisms

Under California's consumer privacy laws, individuals are granted the right to opt out of the processing of their personal information. To facilitate this, businesses are required to provide specific opt-out mechanisms on their websites. These mechanisms must be easily accessible and understandable to ensure that consumers can exercise their rights effectively.

Depending on their data processing practices, CCPA-covered businesses must provide consumers with the following links:

• Do Not Sell or Share My Personal Information button or link. This is obligatory for businesses that sell personal information for monetary compensation or other valuable considerations, such as discounts. It is also obligatory for businesses that share personal information with third parties. This link should be prominently displayed on your website, typically in the footer of the homepage, where it is easily visible to users. Clicking on this link should enable users to opt out of the sale or sharing of their personal information with third parties.
• Limit the Use of My Sensitive Personal Information button or link. If you process sensitive personal information, this link is also obligatory. This link should direct consumers to a dedicated page where they can find detailed information about how their sensitive data is used. Here, they should also be able to make informed choices about the use of their sensitive personal information and, if they wish, limit its use.

These may be too many links and could confuse consumers when exercising their rights.

That's why the CCPA permits the consolidation of these options into a single, comprehensive link. This link, titled "My California Privacy Choices," can house both the "Do Not Sell My Personal Information" and the "Limit the Use of My Sensitive Personal Information" options. This approach streamlines the process for users, making it more straightforward for them to manage their privacy preferences.

Aside from the opt-out links, businesses must also respond positively to requests to opt-out. Consumers can submit an opt-out request over email or another communication channel, too, not only by clicking the links. Businesses must comply with the CCPA opt-out requests submitted over other channels by consumers and not share or sell their personal information once they opt out of sale or sharing.

Finally, businesses must comply with signals from universal opt-out mechanisms, such as the Global Privacy Controls.

Global Privacy Controls (GPC) and Other Universal Opt-Out Mechanisms

In addition to the traditional methods of opting out through clickable links or toggles on websites, businesses operating in California must also comply with the universal opt-out mechanisms, such as the Global Privacy Controls (GPC). The GPC allows users to communicate their privacy preferences universally across websites through their browser settings. They set up their browsers in a way that signals to every website that they opt out of the sale or sharing.

When a user's browser is configured to send an opt-out signal, such as the GPC signal, businesses are required to recognize and honor this as a valid opt-out request. This requirement allows individuals to set out their preferences once and have them automatically applied across different online platforms.

Aside from California, there are a few other US states requiring website operators to comply with the GPC, such as Colorado and Connecticut. As the landscape of US consumer data privacy laws is continually evolving, we may see an increasing number of states adopting similar requirements for universal opt-out mechanisms.

Indirect ways to opt-out: CCPA consumer rights requests

The concept of a request to delete personal data, while not strictly an opt-out in the traditional sense, effectively results in a cessation of data processing for that individual. This is because, once a consumer's personal data is deleted, it is no longer available for processing, effectively removing the individual from any future data-related activities.

In most scenarios, when a consumer exercises their right to request the deletion of their personal data, it leads to an immediate halt in the processing of that information. The logic behind this is straightforward: if a business no longer possesses someone's personal data, it cannot engage in any form of processing of that data. This includes activities such as analysis, sharing with third parties, or using it for targeted advertising. The act of deletion effectively removes the data subject from the data lifecycle within that organization.

The right to data portability has a similar effect. It allows consumers to transfer the data to another business and indirectly opt out of the processing of the business that initially had their data.

CCPA right-to-opt-out checklist for 2024

A simple 2024 CCPA checklist for opting out requirements would involve:

• Add links for opting out of the sale or sharing of personal information as well as for limiting the processing of sensitive personal data.
• Provide consumers with other means to submit requests for opting out.
• Respond to universal opt-out mechanisms, such as the GPC.
• Respond to consumer privacy requests.