CCPA Opt-Out Sometimes Tricky, Says Calif. Deputy AG
Consumers face common barriers to exercising their right to opt out of selling data under the California Consumer Protection Act (CCPA), said Deputy Attorney General Lisa Kim at a California Privacy Protection Agency (CPPA) virtual meeting Tuesday. It was the first day of informational sessions on the upcoming California Privacy Rights Act (CPRA) rulemaking. “Sometimes businesses are not clear with regard to their representations that they do not sell personal information, when in fact they do,” said Kim, who works for California DOJ, the department that enforces CCPA. CCPA doesn’t require verification to opt out of sale, but “oftentimes, businesses may require some type of verification,” said the deputy AG: Businesses may ask some questions to identify consumers, but “we often see abuses in this area.” Because CCPA requires businesses only to disclose the category of third parties with whom they shared or sold personal information, consumers seeking to opt out frequently don’t know who got their information, she said. “There’s no way to go down the stream and ensure that people that the first-party business sold information to also honors the consumer’s right under the CCPA.” A consumer can try by going through California DOJ’s data broker registry, but with more than 450 brokers registered, it can be difficult to opt out for every business that might have the individual’s personal data, said Kim. CPPA Chairperson Jennifer Urban said this week’s informational sessions are meant to provide background information potentially relevant to the agency’s CPRA rulemaking. CPPA will hold partially virtual pre-rulemaking stakeholder sessions in about a month, but exact dates aren’t set because CPPA hasn’t confirmed an in-person location, she said.