The California Consumer Privacy Act of 2018 (“CCPA”) is arguably the most comprehensive - and complex - data privacy regulation in the United States.  The CCPA was designed to emulate the European General Data Protection Regulation (“GDPR”) in many respects.  As a result, United States companies that thought that they were not subject to the GDPR are now laser focused on the requirements of the CCPA and rushing to verify that their practices comply with the statute.  While the CCPA was drafted with an eye toward the GDPR, it also differs from that regulation in many respects.  As a result, companies that just finished their push to come into compliance with the GDPR now also must redirect their attention toward the CCPA.

Quick Overview

The right to opt-in refers to the requirement within the CCPA that a business cannot sell the personal information of a consumer that is less than 16 years old unless the business has received “opt-in” consent – i.e., affirmative authorization for the sale of the information.  If a child is between the ages of 13 and 16 they can provide the necessary opt-in consent directly to the business.  If a child is under the age of 13, a parent or guardian must provide the consent. 

Comparison to Other Privacy Laws

The CCPA is not the first law to require that an organization obtain opt-in consent before taking certain actions with respect to information.  In the United States the Children’s Online Privacy Protection Act (“COPPA”) requires that companies inform parents about whether the company discloses a child’s information to third parties (e.g., whether they sell the information) and then obtain the opt-in consent of a parent or guardian.  Unlike the CCPA, COPPA only applies to information collected from children who are under the age of 13.

In Europe, the GDPR requires that an “information society service” may not collect information from a child under the age of 16 unless it inform parents about whether the company discloses a child’s information to third parties and then obtains the opt-in consent of a parent or guardian.  Member States are permitted to enact their own legislation that lowers the age requiring parental consent to 13 –functionally emulating the age requirement of COPPA.

To Do List

To comply with the CCPA companies should:

• Identify whether they are knowingly collecting information from children under the age of 16.
• Identify whether they may be unknowingly collecting information from children under the age of 16.
• Institute a system for collecting parental consent prior to the collection of information from children.
• Verify that their consent mechanism complies with the CCPA, COPPA, and/or the GDPR.
• Train employees on how to handle inquiries relating to the information collecte about a child.

How We Can Help

Companies across the globe have retained BCLP to draft their internal protocols for handling consumer opt-out requests, or to review existing protocols to spot red flags that might be of concern to a court or a regulator. 

Cross References

[View source.]