California Enforcement Advisory Outlines Consent Dos and Don’ts

Want to receive these privacy recaps that matter to consent management, adtech and martech in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

California Enforcement Advisory Outlines Consent Dos and Don’ts

The California Privacy Protection Agency (CPPA) issued an enforcement advisory titled “Avoiding Dark Patterns: Clear and Understandable Language, Symmetry in Choice.” The advisory highlights enforcement observations where consent user interfaces or “choice architectures” have the substantial effect of subverting or impairing a consumer’s autonomy. Some examples include when the business’s process for opting out of the sale/sharing of personal information takes more steps than the process to opt back in or when the path to exercise a more privacy-protective option is longer or more difficult than the path to exercise a less privacy-protective option (referred to as “symmetry in choice,’ such as when the opt-in process only gives the choice of “yes” or “ask me later” (rather than “yes” or “no”)). The advisory also reminds businesses that methods for submitting CCPA requests and obtaining consumer consent should use easy-to-understand language and should avoid technical or legal jargon.

TAKEAWAY

The requirements outlined in the enforcement advisory are not new (they are clearly set forth in Section 7004 of the CCPA regulations); however, the CPPA’s highlighting of these requirements may indicate an area of focus or an area that the CPPA has noticed companies are overlooking. Although the CCPA is primarily an opt-out law, the desire for companies to give consumers the option to opt back in after opting out may become increasingly relevant if opt-out rates increase. This may particularly be the case if the California governor signs AB 3048 this month, mandating that all browsers and mobile operating systems support opt-out preference signals.

Sourcepoint has a consent management platform that can help you with your CCPA compliance, especially its requirements for Do Not Sell and Data Subject Access/Deletion Requests. Read more here.

EUROPE

Irish DPC Withdraws Action Against X Based on AI Data Undertaking

The Irish Data Protection Commission announced its withdrawal of its action against X over use of certain personal data from user posts for training X’s AI ‘Grok.’ The withdrawal was made based on X’s agreement to apply its previous suspension of such processing on a permanent basis. 

TAKEAWAY

This decision may kickstart a broader exploration as to the application of the GDPR in the AI context. In conjunction with its withdrawal of its action against X, the DPC announced its request for an opinion from the European Data Protection Board (EDPB) for clarity in this area, including (1) the extent to which personal data is processed at various stages of the training and operation of an AI model, including both first party and third party data and (2) what particular considerations arise, in relation to the assessment of the legal basis being relied upon by the data controller to ground that processing.

GDPR requires that companies obtain freely given consent in order to collect or use consumer data. Sourcepoint’s CMP can help organizations with delivering highly customized consent messages and meet your GDPR compliance and advertising, marketing and monetization needs. Find out more.

Want more of the privacy highlights that matter for consent management, adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.