As readers of this blog know, businesses face significant liability if they fail to take their consumer privacy obligations seriously. These obligations can vary widely based on the kind of information a business collects and where a consumer is located. Privacy compliance is an essential consideration for many businesses, and properly obtaining consumer consent to collect, use and/or share consumer data is critical.

How Should Businesses Obtain Consumer Consent?

Existing Privacy Frameworks

The global trend toward increased consumer privacy protections continues, and jurisdictions across the world are developing new laws and updating existing frameworks to regulate the collection, use and sharing of consumer data. California and the European Union ("EU") are unquestionably leading the pack on this front. On May 25, 2018, the General Data Protection Regulation ("GDPR") went into effect in the EU. To date, the United States has not passed comprehensive federal privacy regulations, but privacy legislation has been proposed or enacted in several states. Most notably, on January 1, 2020, the California Consumer Privacy Act ("CCPA") went into effect. Both the GDPR and CCPA significantly changed businesses' obligations regarding consumer data.

When it comes to consumer consent, the GDPR can generally be described as an opt-in regime. The GDPR requires that consent be "freely given, specific, informed and unambiguous." For US-based businesses, the GDPR may be of limited application, as it generally only applies to businesses that collect, retain or use the personal data of EU residents. By contrast, virtually all US-based businesses must carefully analyze (and most likely, implement) the CCPA's various requirements. The CCPA imposes an opt-out regime on businesses that collect, use or share the data of California residents. Under the CCPA, businesses must allow California consumers to opt-out of the sale of their personal information. Businesses must post "clear and conspicuous" opt-out language on their websites, allowing consumers to exercise their rights under the CCPA.

Within the United States, the CCPA is seen as the standard of privacy legislation. In large part, this is due simply to California's size. The CCPA sets out specific requirements for how a company must honor consumers' right to know, deletion and opt-out elections; and a number of other states are following suit. For example, in 2019, the New York Privacy Act was introduced by the State Legislature. The bill, in many respects, mirrored the GDPR's opt-in consent requirements. However, the New York measure went further, requiring businesses to act as "data fiduciaries" for consumers. Under this proposal, businesses would have been required to place the best interests of consumers before any duties owed to its owners or shareholders. Although the bill did not gain sufficient traction during a recent legislative session and ultimately failed to become law, new data privacy compliance legislation is likely to pass in New York in the near future.

Consent and Privacy Compliance

Many of the most significant privacy laws are relatively new, and the exact requirements are still evolving. Moreover, new legislation is proposed all the time. It is impossible to predict exactly what the privacy landscape of the future will look like. However, there are steps that businesses can take today to ensure that they are flexible and able to adapt.

  • Only collect, use or share whatever consumer data is necessary to operate your business. Other than data obtained with the consumer's consent, the GDPR sets forth five acceptable bases to collect, use or share consumer data. All of these bases have one thing in common: collect only what is necessary. This limits potential liability and will help streamline data management.
  • Use clear language. All privacy legislation seeks to increase transparency and empower consumers. Businesses should, therefore, ensure that their privacy policies are clear and unambiguous. In addition, privacy-related information should not be hidden within websites, but should be prominently featured and built into the consent portion of the online registration/purchasing process.
  • Create and maintain systems for consumers to revoke and limit their consent. The concept of "Privacy by Design" has spread beyond the EU, and there is every reason to expect that legislation in other jurisdictions will require businesses to afford consumers far greater data privacy rights than exist today.

Businesses' privacy compliance obligations are always changing. To that end, it is important to work with counsel experienced in this space.

Similar Blog Posts:

Comparing the California Consumer Privacy Act (CCPA) and the EU's General Data Protection Regulation (GDPR)

Tips for GDPR Compliant Privacy Policies

CCPA Compliance Preparation – Must all Businesses Comply?

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.