Blog

California Enforcement Advisory Outlines Consent Dos and Don’ts

Julie Rubash, General Counsel and Chief Privacy Officer
September 9, 2024
CA Enforcement Advisory Outlines Consent Dos and Don'ts

USA

California Enforcement Advisory Outlines Consent Dos and Don’ts

The California Privacy Protection Agency (CPPA) issued an enforcement advisory titled “Avoiding Dark Patterns: Clear and Understandable Language, Symmetry in Choice.” The advisory highlights enforcement observations where consent user interfaces or “choice architectures” have the substantial effect of subverting or impairing a consumer’s autonomy. Some examples include when the business’s process for opting out of the sale/sharing of personal information takes more steps than the process to opt back in or when the path to exercise a more privacy-protective option is longer or more difficult than the path to exercise a less privacy-protective option (referred to as “symmetry in choice,’ such as when the opt-in process only gives the choice of “yes” or “ask me later” (rather than “yes” or “no”)). The advisory also reminds businesses that methods for submitting CCPA requests and obtaining consumer consent should use easy-to-understand language and should avoid technical or legal jargon.

TAKEAWAY

The requirements outlined in the enforcement advisory are not new (they are clearly set forth in Section 7004 of the CCPA regulations); however, the CPPA’s highlighting of these requirements may indicate an area of focus or an area that the CPPA has noticed companies are overlooking. Although the CCPA is primarily an opt-out law, the desire for companies to give consumers the option to opt back in after opting out may become increasingly relevant if opt-out rates increase. This may particularly be the case if the California governor signs AB 3048 this month, mandating that all browsers and mobile operating systems support opt-out preference signals.

Sourcepoint has a consent management platform that can help you with your CCPA compliance, especially its requirements for Do Not Sell and Data Subject Access/Deletion Requests. Read more here.

EUROPE

Irish DPC Withdraws Action Against X Based on AI Data Undertaking

The Irish Data Protection Commission announced its withdrawal of its action against X over use of certain personal data from user posts for training X’s AI ‘Grok.’ The withdrawal was made based on X’s agreement to apply its previous suspension of such processing on a permanent basis. 

TAKEAWAY

This decision may kickstart a broader exploration as to the application of the GDPR in the AI context. In conjunction with its withdrawal of its action against X, the DPC announced its request for an opinion from the European Data Protection Board (EDPB) for clarity in this area, including (1) the extent to which personal data is processed at various stages of the training and operation of an AI model, including both first party and third party data and (2) what particular considerations arise, in relation to the assessment of the legal basis being relied upon by the data controller to ground that processing.

GDPR requires that companies obtain freely given consent in order to collect or use consumer data. Sourcepoint’s CMP can help organizations with delivering highly customized consent messages and meet your GDPR compliance and advertising, marketing and monetization needs. Find out more.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

CPPA Settles With Unregistered Data Brokers

November 18, 2024

Following an investigative sweep of unregistered data brokers, the...

Paramount Hit With VPPA Class Action

November 5, 2024

A class action complaint was filed in NY alleging...

Noyb Complaint Alleges Pinterest Personalized Advertising Violates GDPR

October 28, 2024

Noyb Complaint Alleges Pinterest Personalized Advertising Violates GDPR

Latest White Papers

E-book: Enterprise Guide To Cookie management & Tracker List Curation

July 1, 2024

How to review the tracking tech on your websites...

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]