CPRA Countdown: New rules for consent in California, but only in limited use cases

This is the fifth installment in our series on the California Privacy Rights Act, which takes effect January 1, 2023.

Consent is newly defined by the California Privacy Rights Act (CPRA). While this new definition of consent—which highlights specific, informed, and freely-given actions—closely aligns with the European Union’s General Data Protection Regulation (GDPR), businesses will only be required to obtain consent in limited situations. Still, where consent is required, the CPRA’s definition creates a heightened standard, and many businesses will need to implement new consent mechanisms on their websites and mobile applications.

New standard for consent

Historically, privacy laws in the United States have required opt-in consent for specific types of personal information, such as personal information collected from websites directed at children under age 13, health information, or student records. Now California has changed that paradigm, with the CPRA requiring a heightened standard of consent for the collection or use of any type of personal information, when used for certain purposes.

The CPRA defines consent as “any freely given, specific, informed and unambiguous indication of the consumer’s wishes . . . such as by a statement or by a clear affirmative action, [that] signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose.” The definition also makes it clear that certain actions do not qualify as consent, including:

  • General actions undertaken by the consumer, such as agreeing to broad terms of use that describe personal information processing alongside unrelated information;
  • “Hovering over, muting, pausing, or closing a given piece of content”; or
  • Using so-called “dark patterns” to manipulate or mislead consumers into providing consent (defined as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice”).

The core elements of the new CPRA consent standard largely mirror those of consent as defined in Article 4 of the GDPR. While forthcoming regulations may clarify how the California Attorney General (AG) will interpret each element, lessons learned about obtaining consent under the GDPR may be instructive as businesses prepare for the CPRA.

The phrase “freely given, specific, informed and unambiguous indication” is used in both the CPRA and GDPR consent definitions. Under the GDPR, “freely given” has been interpreted to mean there must be a true choice offered to the consumer. So-called “take it or leave it” consent, including cookie walls or other services that are conditioned on consent, is generally not considered valid. Additionally, it should be just as easy for a consumer to withdraw consent as it is to give it.

“Specific and informed” consent under the GDPR means consumers should have a clear understanding not only of the entity requesting consent, but also of what data will be collected from them and the specific purposes for which it will be used. To ensure this is the case, consent should not be bundled with other terms and conditions, separate consents should be obtained for distinct uses of data, and consumers should be able to understand how their data will be used from the description provided.

Finally, “unambiguous” consent under the GDPR has been interpreted to mean that an affirmative step must be taken by the consumer. Consent may not be inferred from silence or inactivity, or from using pre-ticked boxes in a form that assumes the consumer has opted in. The action taken must be a clear indication of consumer choice.  

Given the similarities between the language of the CPRA and the GDPR, businesses should not be surprised if the California AG or the California Privacy Protection Agency (CPPA) carries over similar interpretations of the consent standard. Other parts of the CPRA consent standard, such as the phrases “clear affirmative action” and “narrowly defined particular purpose”, further support a reading of the CPRA consent standard similar to that of the GDPR.

When is affirmative consent required?

The CCPA appears to require affirmative consent for certain use cases, but does so using a collection of undefined terms. The CPRA extends and clarifies the use cases for which consent is required, and in each case the requisite consent refers to the newly defined standard. Given this shift, when the CPRA goes into effect, businesses will need to update their current consent processes for each of these use cases to meet the new, heightened standard.

The use cases that require consent, with the term the CCPA used and the standard the CPRA applies:

  • Sale or sharing of personal information after consumers exercise the right to opt out (§ 1798.120(d)): CCPA required “express authorization”; CPRA applies the new consent standard.
  • Sale or sharing of personal information of minors (§ 1798.120(c)-(d)): CCPA required that the sale be “affirmatively authorized” or given “express authorization”; CPRA applies the new consent standard.
  • Participation in a financial incentive program (§ 1798.125(b)(3)): CCPA required “opt-in consent”; CPRA applies the new consent standard (despite carrying over the references to “opt-in consent”).
  • Additional use or disclosure of “sensitive personal information” after consumers exercise the right to limit use or disclosure (§ 1798.121(b)): no CCPA equivalent; CPRA applies the new consent standard.
  • Research exemption (§ 1798.105(d)(6)): CCPA required “informed consent”; CPRA applies the new consent standard.

Assess current manner of consent

Not only was “consent” not defined by the CCPA, but the CCPA used different terms across use cases to describe the requisite consent. The new consent standard set by the CPRA will bring some clarification to when consent is required and what actions do (and do not) satisfy the requirement.

In light of this new consent standard, businesses should assess existing consent mechanisms to determine whether those mechanisms should be revised to incorporate the type of “freely given, specific, informed and unambiguous indications” mandated by the CPRA. In particular, businesses should consider current methods for obtaining consent from users who have previously opted out of the sale of personal information. For example, the CPRA’s definition of consent expressly excludes general acceptance of broad terms of use, which has been a preferred method of obtaining consent for many businesses.

“Dark patterns” will also not be permitted under the CPRA. While the statute promises that this concept will be clarified in forthcoming regulations, businesses should prepare to part with common dark patterns, such as disguised ads, unannounced continuation of a subscription after a free trial, or pre-selected preferences embedded within other, unrelated content. The most recent amendments to the CCPA regulations, which effectively prohibited some dark pattern practices for opt-out requests, may further illustrate the kinds of practices that should be avoided: the use of double negatives, requiring consumers to review reasons not to opt out before completing the request, or burying the choice within longer text.

Businesses also likely will want to better understand how they currently tag consumers who have opted out, including those who opted out by sending a Global Privacy Control signal, and what mechanisms need to be put in place to ensure sufficient consent is obtained before the further collection and sale of those consumers’ data. In practice, this may require changes to a business’s website, mobile application, or privacy policy to support an affirmative consent process when a consumer has previously opted out. In situations where a pop-up or targeted email may be required to gain consent, it will also be important for businesses to think through how to make any changes without inviting the cookie consent fatigue that followed similar opt-in consent requirements under the GDPR.
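The following is an added example, not code from the original post or from the authors' firm, of how the consent-tagging logic described above can be modelled in a server-side consent ledger. It records opt-outs (including one inferred from a Global Privacy Control signal), blocks further sale or sharing until a fresh consent is on file, refuses consent evidence that the CPRA definition excludes (pre-selected defaults, bundling with unrelated terms, or gestures such as hovering or closing content), and makes withdrawal a single call. Assumptions that are mine rather than the page's: consumers are keyed by an opaque id, the GPC signal arrives as the `Sec-GPC: 1` request header, the purpose names and the `defaultAllowed` flags are illustrative, and storage is in memory.

```javascript
// Added example (not the original post's code). Models a per-consumer
// consent ledger for CPRA-style purposes. Assumptions (mine, not the
// page's): opaque consumer ids, GPC delivered as the `Sec-GPC: 1`
// header, illustrative purpose names, in-memory storage.

// Purposes and whether processing is allowed before the consumer acts.
// Opt-out rights default to allowed; opt-in rights default to denied.
const PURPOSES = {
  sale_or_sharing: { defaultAllowed: true },             // § 1798.120 opt-out
  sensitive_pi_additional_use: { defaultAllowed: true }, // § 1798.121 right to limit
  financial_incentive: { defaultAllowed: false },        // § 1798.125(b)(3) opt-in
};

// UI gestures the CPRA definition says do NOT signify agreement.
const NON_CONSENT_ACTIONS = new Set(["hover", "mute", "pause", "close", "scroll", "timeout"]);

function assertPurpose(purpose) {
  if (!Object.prototype.hasOwnProperty.call(PURPOSES, purpose)) {
    throw new Error(`unknown purpose: ${purpose}`);
  }
}

// Returns the list of reasons a piece of consent evidence fails the
// "freely given, specific, informed and unambiguous" standard; empty if valid.
function consentDefects(evidence = {}) {
  const defects = [];
  if (!evidence.action || NON_CONSENT_ACTIONS.has(evidence.action)) {
    defects.push("no clear affirmative action");
  }
  if (evidence.preSelected) defects.push("pre-selected default");
  if (evidence.bundledWithUnrelatedTerms) defects.push("bundled with unrelated terms");
  if (!evidence.disclosureText) defects.push("no purpose-specific disclosure shown");
  return defects;
}

class ConsentStore {
  // `clock` is injectable so tests can use deterministic timestamps.
  constructor(clock = () => Date.now()) {
    this.clock = clock;
    this.records = new Map(); // consumerId -> { optOuts: {}, consents: {} }
  }

  record(consumerId) {
    if (!this.records.has(consumerId)) {
      this.records.set(consumerId, { optOuts: {}, consents: {} });
    }
    return this.records.get(consumerId);
  }

  // Apply request-level signals. A GPC header is treated as an opt-out of
  // sale/sharing for this consumer, superseding any earlier consent.
  applyRequestSignals(consumerId, headers = {}) {
    const gpc = headers["sec-gpc"] ?? headers["Sec-GPC"];
    if (gpc === "1") this.optOut(consumerId, "sale_or_sharing", "gpc");
  }

  optOut(consumerId, purpose, source) {
    assertPurpose(purpose);
    const r = this.record(consumerId);
    r.optOuts[purpose] = { at: this.clock(), source };
    delete r.consents[purpose]; // an opt-out ends any earlier consent
  }

  // Store consent only when the evidence meets the definition; otherwise
  // throw so the caller cannot silently treat an invalid gesture as consent.
  recordConsent(consumerId, purpose, evidence) {
    assertPurpose(purpose);
    const defects = consentDefects(evidence);
    if (defects.length) throw new Error(`invalid consent: ${defects.join(", ")}`);
    const r = this.record(consumerId);
    r.consents[purpose] = { at: this.clock(), action: evidence.action, text: evidence.disclosureText };
  }

  // Withdrawal is as easy as giving consent: one call, no extra steps.
  withdrawConsent(consumerId, purpose) {
    assertPurpose(purpose);
    delete this.record(consumerId).consents[purpose];
  }

  // Allowed if a valid consent is on file (opt-outs clear consents, so any
  // stored consent post-dates the opt-out); denied if opted out; otherwise
  // the purpose's default applies.
  mayProcess(consumerId, purpose) {
    assertPurpose(purpose);
    const r = this.records.get(consumerId);
    if (r && r.consents[purpose]) return true;
    if (r && r.optOuts[purpose]) return false;
    return PURPOSES[purpose].defaultAllowed;
  }
}
```

A typical flow is `applyRequestSignals` on every request, then `mayProcess(id, "sale_or_sharing")` before any sale or share; an opted-out consumer stays blocked until `recordConsent` succeeds with evidence of a clear affirmative action, and `withdrawConsent` returns them to the blocked state in a single step.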

To read the previous installment in our CPRA series on new obligations and challenges around “sensitive personal information,” click here.

To read our previous installment on the changes to the definition of “personal information,” click here.

To read our previously-published summary of the CPRA’s key provisions, click here.

For additional context we provided in June 2020 at the time the CPRA was certified to appear on the November 2020 ballot, click here.

 

Authored by Melissa Bianchi, Morgan Perna, and Stevie DeGroff.

 

This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.