Answers to some questions on CCPA opt out compliance
14 August 2020
(update 28 Aug 2020: when a company can contact a consumer directly)
I have been getting some interesting questions about how GDPR compliance doesn't necessarily get you CCPA compliance.
Q: CCPA opt-outs do not have to be verified? Does that also apply to Right to Know and Right to Delete?
A: No. The standards for opt out and for other CCPA requests are different.
Right to Know and Right to Delete requests have to be verified (or, in the case of an agent request, made with a power of attorney).
| Request type | Direct consumer request | Authorized agent request |
|---|---|---|
| opt out (Do Not Sell) | no verification | no verification |
| Right to Know | verification | verification with the consumer or power of attorney |
| Right to Delete | verification | verification with the consumer or power of attorney |
Q: Don't companies have to verify requests in order to avoid risks?
A: Yes, this is why there is a verification (or power of attorney) requirement for Right to Know and Right to Delete. The customer doesn't want to risk having their record sent to the wrong person, and they don't want to risk having their loyalty program deleted right when they were on their 9th paid sandwich and they have a free sandwich coming.
But an opt out is different. The regulations require no verification here because the risk is lower. The only consequence to the consumer of accepting an opt out erroneously is that a "do not sell" bit in their customer record gets set. Nobody's info will get compromised or deleted.
Q: If a company does come up with a good-faith reason to deny an opt out, can they use the same verification process as for GDPR?
A: No. A slightly different workflow is needed. Let's review the regulations again...
A request to opt-out need not be a verifiable consumer request. If a business, however, has a good-faith, reasonable, and documented belief that a request to opt-out is fraudulent, the business may deny the request. The business shall inform the requestor that it will not comply with the request and shall provide an explanation why it believes the request is fraudulent.
So you can't just treat a CCPA opt out that you suspect is fraudulent as if it were an incoming GDPR Article 21 objection that you can verify. This is one of two ways that a CCPA opt out is different from a GDPR Article 21 objection.
For Article 21, a company can verify just based on "reasonable doubts". For CCPA opt-out, the company can only deny if they can meet the higher standard of "good-faith, reasonable, and documented belief."
Even if the company does have a belief that meets the CCPA standard, they can't just redirect to the verification form that they use for Article 21. An explanation of why they believe the opt out is bogus has to come with the denial. And the explanation goes to the requestor, which is the authorized agent in the case of an agent request.
A lot of vendors still get this wrong, likely because they are still repurposing GDPR code for CCPA. This is something you have to check.
Q: When a company receives an authorized agent opt out, when can they contact the consumer directly?
A: For opt outs that come in from an authorized agent, there are two situations where the company can go to the consumer for verification.
First, when the opt out is missing some of the required paperwork. The agent is required to provide written permission from the consumer. If this is missing, the company can deny the opt out.
Second, as for other opt outs, when the company has a "good-faith, reasonable, and documented belief" that the request is fraudulent. The company can't go to the consumer to re-check a legit agent opt out, but an agent that claimed permission in a consumer's name would be committing fraud.
Either way, the response is different from what the company would do to verify a GDPR Article 21 objection.
If an agent opt out is missing the required written permission, you can just drop it on the floor. There's no requirement to let either the agent or the consumer correct it.
Otherwise, if a company chooses not to act on an agent opt out, they have to provide the full "explanation of why it believes the request is fraudulent."
Yes, this means that if a company did all the work of making user stories and code for GDPR Article 21, they won't be able to re-use them unmodified for CCPA.
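To make the difference concrete, here is an added example of what a request router that respects the table above and the agent opt-out rules could look like. It is illustration written for this page, not code from the post or from any CCPA vendor; the request fields, the `records` store, and the "GDPR-style" handler shown as the anti-pattern are all constructed for the example. The compliance check at the end encodes the three rules the post spells out: an opt out is never bounced to a verification form, a denial always carries the explanation, and the response goes to the requestor (the agent, for an agent request).

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional

# Constructed illustration: keeps the CCPA opt-out path separate from the
# verified Right to Know / Right to Delete paths.


class RequestType(Enum):
    OPT_OUT = "opt_out"   # Do Not Sell: no verification
    KNOW = "know"         # verification or power of attorney
    DELETE = "delete"     # verification or power of attorney


@dataclass
class Request:
    kind: RequestType
    consumer_id: str
    agent_id: Optional[str] = None          # set when an authorized agent submits the request
    agent_written_permission: bool = False  # agent attached the consumer's written permission
    power_of_attorney: bool = False         # agent holds power of attorney (Know/Delete only)
    consumer_verified: bool = False         # business verified the consumer directly (Know/Delete only)
    fraud_finding: Optional[str] = None     # the business's documented good-faith reason, if any


@dataclass
class Outcome:
    action: str                 # "accepted", "denied" or "verification_required"
    recipient: str              # who gets the response: the requestor (the agent for agent requests)
    explanation: Optional[str] = None


def handle_request(req: Request, records: Dict[str, dict]) -> Outcome:
    """Route one CCPA request. `records` maps consumer_id -> customer record (constructed store)."""
    requestor = req.agent_id or req.consumer_id

    if req.kind is RequestType.OPT_OUT:
        if req.agent_id and not req.agent_written_permission:
            # Agent opt out without written permission: the business may simply not act on it.
            return Outcome("denied", requestor, "no written permission from the consumer was provided")
        if req.fraud_finding:
            # Denial must carry the documented explanation and go to the requestor.
            # There is no redirect to a verification form on this path.
            return Outcome("denied", requestor, req.fraud_finding)
        # The only effect of accepting is setting the Do Not Sell bit on the record.
        records.setdefault(req.consumer_id, {})["do_not_sell"] = True
        return Outcome("accepted", requestor)

    # Right to Know / Right to Delete: the higher-risk paths require verification.
    if req.agent_id:
        if not req.power_of_attorney:
            return Outcome("verification_required", requestor, "agent must provide a power of attorney")
    elif not req.consumer_verified:
        return Outcome("verification_required", requestor, "verify the consumer's identity before fulfilling")

    if req.kind is RequestType.DELETE:
        records.pop(req.consumer_id, None)
    return Outcome("accepted", requestor)


def gdpr_style_handler(req: Request, records: Dict[str, dict]) -> Outcome:
    """The anti-pattern the post describes: Article 21 code reused as-is, so every doubtful
    request, opt outs included, is bounced to the consumer's verification form."""
    if req.fraud_finding or (req.agent_id and not req.power_of_attorney):
        return Outcome("verification_required", req.consumer_id, "please verify your identity")
    records.setdefault(req.consumer_id, {})["do_not_sell"] = True
    return Outcome("accepted", req.agent_id or req.consumer_id)


def opt_out_response_is_compliant(req: Request, out: Outcome) -> bool:
    """Check an opt-out response: never sent to verification, denials explained, sent to the requestor."""
    if req.kind is not RequestType.OPT_OUT:
        return True  # this check only covers the opt-out path
    if out.action == "verification_required":
        return False
    if out.action == "denied" and not out.explanation:
        return False
    return out.recipient == (req.agent_id or req.consumer_id)


if __name__ == "__main__":
    store = {"c-100": {"do_not_sell": False}}
    suspicious = Request(RequestType.OPT_OUT, "c-100", agent_id="agent-7",
                         agent_written_permission=True,
                         fraud_finding="documented finding: permission letter does not match consumer on file")
    for handler in (handle_request, gdpr_style_handler):
        out = handler(suspicious, dict(store))
        print(handler.__name__, out, "compliant:", opt_out_response_is_compliant(suspicious, out))
```

Running the block compares the two handlers on the same suspected-fraud agent opt out: the CCPA-aware router denies it with the documented explanation addressed to the agent, while the GDPR-style router bounces it to the consumer's verification form and fails the check.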
Q: Why did they make CCPA so different, and not just copy GDPR or a subset of it?
A: That goes back to why CCPA is opt-out-based, and not consent-based like GDPR. The authors of CCPA anticipated that an opt out system would be more likely to hold up in court in the USA than a consent-based system.
So in order to make opt-out workable at all, they had to make the process reasonably lightweight for the consumer. Under GDPR the consumer can just choose not to consent, but under CCPA the consumer has to choose to do something to get the equivalent result. That action that the consumer takes by choice has to be feasible.
Q: Which service providers are getting it right?
A: Implementing the opt out code path correctly is likely to be a differentiating advantage for service providers in 2020. A lot of the first wave of CCPA services just copied GDPR and made best guesses on the regulations, but now there is an opportunity for services to get the difference between opt out and other request types correct.
Watch this space.
Q: If verification is not required, why do authorized agents still put their users through a verification process?
A: Verification for opt out is manageable if you do it once per agent relationship and not once per logo on the Lumascape.
But still, if an opt out does not have to be a verified consumer request, why do authorized agents go ahead and verify emails and phone numbers? Because if we don't verify, then pranksters will sign up with fake names, the agent will look silly sending opt-outs from Mickey Mouse, and all those bogus opt-outs will eventually help companies form a good-faith reason to believe that opt-outs from this agent are fraudulent, and start denying them.
Doing verification on the agent side means that by the time the company sees the opt-out it will be verified to a standard strong enough that there is no reasonable way that the company could have a good-faith belief that it's fraudulent. So they have to handle it in one step without looping in the consumer.