California’s New Privacy Act Requires Homepage Opt-Out Link
The California Consumer Privacy Act of 2018 requires – amongst myriad other things – that digital marketers that sell personal information of California consumers implement a clear and conspicuous “Do Not Sell My Personal Information” link on Homepages on privacy policies. The link must take consumers to another page where consumers can opt-out of the sale of their “personal information.”
“Personal information” is defined quite broadly by the CCPA.
The California Attorney General has been given the power to develop a recognizable and uniform opt-out logo or button in order to promote consumer awareness of the opt-out. It will be interesting to see what the California AG releases as part of the final regulations. State attorneys general are not the only regulators paying close attention to data privacy matters. FTC attorneys have been stepping-up privacy investigations and enforcement actions, as well.
It is anticipated that some businesses will maintain a separate Homepage dedicated to California consumers, and place the link on it. Of course, such businesses must ensure that California consumers are directed to that page and not a general Homepage without the link.
Importantly, the CCPA defines “Homepage” to include “any Internet Web page where personal information is collected.” Thus, the legislation suggests that the link be included on additional parts of the website where users provide data, or user data is tracked or collected.
This requirement applies to businesses that “sell” personal information about California consumers to third parties. “Sell” has a specific meaning pursuant to the CCPA, and essentially means sharing for any benefit. One of the CCPA’s purposes is to provide consumers with the ability to demand that companies stop transferring their personal data for value to others.
The new data privacy law is effective January 1, 2020.
It also requires, without limitation, the training of individuals for handling consumer inquiries and directing consumers to exercise the right to opt-out, and designing and implementing a system to ensure that companies do not solicit the sale data of an opting-out consumer for 12 months from the date of opting-out.
First-Party v. Third-Party Cookies
The CCPA’s expansive definition of “personal information” includes “unique personal identifiers” and “cookies” that are used to “recognize a device that is linked to a consumer or family, over time and across different services.”
Generally speaking, there are cookies that permit websites to function better, and cookies that provide information regarding browsing activity for any number of purposes, including, tracking users’ behavior to disseminate targeted advertisements.
The operative questions when considering the distinction between and a first- and third-party cookie is the entity that stores the cookie on the computer system. If it is the website being visited by a consumer, it is a first-party cookie. Third-party cookies are typically placed by code that is controlled by a third-party, and not the website operator itself. Third-party cookies are frequently used by ad agencies for targeted advertising purposes and is a practice attracting more attention by state attorneys general and FTC attorneys.
Richard B. Newman is a digital advertising attorney at Hinch Newman LLP. Follow FTC defense attorney on Twitter.
Attorney Advertising. Informational purposes only. Not legal advice.