Opting-Out: A Business’s Summary of the CCPA Opt-Out Requirements

With the California AG’s proposed edition of the CCPA regulations, many commentators are puzzled about–what appears to be–a moving target for businesses’ compliance. For the games industry, these regulations pose some unique challenges, not the least being the opt-out mandate. 

The CCPA creates the right for a California-consumer to demand businesses to stop selling their personal information. This right is known as opting-out, and businesses are required to notify consumers that such a right is available. 

Who has to provide opt-out notice?

The purpose of providing notice is to inform a business’s customers of their right to direct the business to stop selling their personal information. 

Under the CCPA, a business “sells” personal information when it transfers (by a variety of different ways) consumers’ information to another business or third party for something of value. This definition is not limited to data for money swap but could also include other types of transfers, like the release of customers’ information for an advertising service or for product recommendations.  

If a business does not sell personal information, and that fact is stipulated in the business’s privacy policy, then the business does not have to provide notice on how to opt-out. Otherwise, businesses that fall under the CCPA’s clutches–and for the games industry it’s most–they must provide notice to their customers.  

Notice Accessibility 

  • Opt-out notices must be presented in a way that is easy to read.  (No legalese or other industry-specific jargon.)
  • Notices must be available in languages in which the business ordinarily provides contracts to California consumers. 
  • Notices must be reasonably accessible to consumers with disabilities. 

Notice on a Website or App

Businesses must have a link on their company webpage that says “Do Not Sell My Personal Information” or “Do Not Sell My Info.” When a customer clicks the link, it must direct them to a web page or landing page of a mobile app that contains the company’s opt-out notice. Gaming app developers can also provide this notice on the app’s initial download page. 

If a company substantially interacts with consumers offline, then the company must include an offline method of notification, including but not limited to paper notice to consumers.

Notice Requirements 

The regulations require three specific elements of an opt-out notice: 

  1. A description of the consumers’ right to opt-out of the sale of their personal information.
  2. An interactive form for customers to submit their opt-out request.
  3. Instructions for any other opt-out methods. 

These requirements can also be in the company’s privacy policy, in lieu of providing them in the actual notice, so long as the privacy policy is linked to the opt-out notice. 

Opt-Out Procedures 

Businesses must have two or more designated methods for submitting opt-out requests. Those methods should be consistent with the methods the business uses to communicate to its customers. For example, if a website sends periodic email updates about new features, then an email detailing the opt-out methods would be sufficient.  

Opt-out requests should require minimal steps. A simple toggle button in an app’s privacy settings would suffice. 

Businesses can deny an opt-out request if the business “has a good-faith, reasonable, and documented belief” the request was made in fraud.   

Global Privacy Controls

A browser plug-in that sets and monitors a user’s privacy settings over various webpages, like Privacy Badger, is considered a valid consumer request to opt-out of the sale of their information. 

If a global privacy control conflicts with a businesses’ other controls, then the global control wins out. In that case, the business may notify the customer of the conflict and ask for the customer’s preferred setting. This is similar to the ad blocker pop-up message on many paid advertisement sites. 

Opting-In

After a customer has opted-out, they may elect to opt back into the sale of their personal data.  Unlike opting out, the regulations require that opt-in requests be an affirmative, two-step process: (1) the consumer clearly requests to opt-in and (2) the consumer must separately confirm their choice to opt-in. This would be the equivalent to the “Are you sure?” pop-up messages.  

For consumers who are younger than thirteen, then a parent or guardian is required to give their consent to the sell of the minor’s information. 

If a customer who previously opted-out is attempting to participate in a company’s product or service that requires the sale of their personal information, then the business may provide instructions on how to opt-in. Businesses should proceed with caution in any incentive-based pricing structure or service, as discriminating against customers who exercise their rights under the CCPA is a violation of the law. 

For help crafting your company’s privacy policy or opt-out notice, reach out to us at Odin Law and Media.