CCPA Requesting the Consumer to Authorize the Sale of Information After Opt-Out (135.a.5)

Overview:
A business that is required to comply with Section 1798.120 shall, in a form that is reasonably accessible to consumers: For a consumer who has opted-out of the sale of the consumer's personal information, respect the consumer's decision to opt-out for at least 12 months before requesting that the consumer authorize the sale of the consumer's personal information.

Action Items:
1) Review existing privacy notices and verify that they meet the new requirements of the CCPA.
2) Ensure websites include a "Do Not Sell My Personal Information" link.
3) If no methods exist, establish appropriate methods for submitting opt-out requests to your organization that comply with the CCPA.
4) Draft an appropriate policy for the authentication of individuals that make opt-out requests.
5) Draft a "play book" that provides standard communications that can be sent to individuals that make opt-out requests.
6) Train employees on how to handle opt-out requests.
7) Verify that the policies in place facilitate the fulfillment of opt-out requests for the period of time required by the CCPA.
8) Create and make available to Consumers the Submission Options noted below: The Business must make available to Consumers two or more designated methods for submitting requests, including, at a minimum, a toll-free telephone number, and if the Business maintains a website, a website address.
9) Establish a means to establish a request is a proper Verifiable Consumer Request (VCR). A "Verifiable Consumer Request" means a request where a Business can verify that the Consumer making the request is the Consumer about whom the business has collected.
10) Create a process to readily access the specific Personal Information the Business has about each Consumer to satisfy this disclosure requirement.
11) Create a tracking system to ensure compliance with the Response Time and that the request complies with the Applicable Time Period. Business must respond to a VCR by mail or electronically within 45 days (which can be extended for an additional 45 days upon notice to the consumer). The Business needs to inform the Consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay. Note: In a different section, the CCPA states the response to any VCR can be extended for an additional 90 days. It is unclear whether this is in addition to the two 45 day periods noted here. There is no obligation to provide this information to a Consumer more than twice in a 12-month period, and the information provided need only cover the 12-month period prior to the VCR.
12) Create and post a list of the categories of Personal Information collected about Consumers in the preceding 12 months either within the Business' privacy policy or, if the Business does not have a privacy policy, on its website. Establish a process to update this information once every 12 months.
13) Create a tracking system of each disclosure request and how it was handled to be able to demonstrate compliance.
14) Create and post in the Business' privacy policy or on the Business' website if it does not have a privacy policy: (i) the categories of Consumers' Personal Information it has sold, or indicate it has not done so, and (ii) the categories of Consumers' Personal Information it has disclosed for a business purpose, or indicate it has not done so. This must be updated at least once every 12 months.
15) Develop a means of tagging, tracking and separately treating the Personal Information of Consumers who have exercised their opt-out rights.
16) Prominently display the opt-out button on the business website once requirements are released by the attorney general. The Business must provide, on its homepage, a clear link titled "Do Not Sell My Personal Information," which links to an opt-out page. A Business is permitted to create a separate homepage for California Consumers with this link (and omit it from the general homepage) if it takes reasonable steps to ensure California Consumers are directed to the California homepage. The foregoing link and a description of this right must also be disclosed in the Business' privacy policy and any California-specific description of Consumers' privacy rights.
17) Determine what Consumer information is necessary to effectuate an opt-out.
18) Where a Business has purchased Personal Information, develop a verification mechanism to confirm Consumer notification consent prior to further sale of such data.
19) Since a Business that willfully disregards the Consumers' age is deemed to have actual knowledge, Businesses may wish to develop a means of classifying a Consumer based on the Personal Information they have on them.
20) Develop a process allowing for a parent or guardian to opt in on behalf of a Consumer who falls within the age restrictions.
21) Identify whether your business is knowingly collecting information from children under the age of 16.
22) Identify whether your business may be unknowingly collecting information from children under the age of 16.
23) Institute a system for collecting parental consent prior to the collection of information from children.
24) Verify that the consent mechanism complies with the CCPA, COPPA, and/or the GDPR.
25) Train employees on how to handle inquiries relating to the information collected about a child.

Related Documents:
1) Privacy Notice
2) Documented process to manage and track users who have opted out of the sale of their personal information

Additional Guidance:
Notice to Consumers of Opt-Out Rights
The Business must provide, on its homepage, a clear link titled "Do Not Sell My Personal Information," which links to an opt-out page. A Business is permitted to create a separate homepage for California Consumers with this link (and omit it from the general homepage) if it takes reasonable steps to ensure California Consumers are directed to the California homepage. The foregoing link and a description of this right must also be disclosed in the Business' privacy policy and any California-specific description of Consumers' privacy rights.

Requesting New Consent
If a consumer has opted out, the Business cannot request authorization to sell the Consumer's Personal Information for 12 months.

Use of Opt-Out Request Information
Personal Information collected from the Consumer's opt-out request can only be used to comply with that request.

Opt-Out Applicability to Third Parties
A third party that has received Personal Information from a Business may not sell that Information unless the Consumer has received explicit notice and an opportunity to opt out.