LevelUP Consulting Partners guides clients through the murky waters of data privacy compliance and risk management into the clear seas of information governance. In this journey, an area that is growing in importance is consumer consent management.
The combination of new privacy regulations emerging in the U.S. and abroad, with often conflicting obligations and record-keeping requirements, makes it seem like properly gathering consumer consent is functionally impossible. Nationally and globally, privacy regulations requiring compliance via consumer consent vary from vague to overly detailed. This adds tough administrative effort to your already heavy workload. But never fear. LevelUP has developed methodologies, tools, and techniques to steer our clients through these challenges into operational solutions that satisfy legal demands.
One of the key questions organizations ask when sifting through consent requirements is, do the relevant jurisdictions require opt-in or opt-out consent? It’s an important question. One technique assumes a default of consent, while the other explicitly requires active assent. The opt-out versus opt-in question is also the central differentiator between U.S. state privacy law requirements and international regulations like the GDPR.
Five states across the U.S. either have new data privacy laws in force or have passed laws that will come into effect in 2023. These states are California, Virginia, Colorado, Utah, and Connecticut. With the economic behemoth, California, first entering the privacy regulation ring, other states have quickly followed suit and largely followed its lead in writing their laws, with a few nuances of note.
In general, Americans tend to lean toward the opt-out framework when dealing with consent, assuming consent unless the consumer explicitly states otherwise.
For example, California’s CCPA Section 1798.120(a-b) reads: “A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out,” and, “A business that sells consumers’ personal information to third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the “right to opt-out” of the sale of their personal information.” Although California appears to remain the strictest of the five state policies currently passed into law, the other four also follow an opt-out framework for consent.
In stark contrast, the European Union, widely regarded as the world leader in data privacy management, applies an opt-in framework when it comes to consent.
The GDPR specifically states: “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
Following suit, many other countries and jurisdictions have adopted the opt-in framework for collecting consent. Argentina, Brazil, China, and India are good examples, all having implemented an opt-in strategy for gathering consent to collect user data.
To the untrained eye, opt-in jurisdictions may look like an overwhelming design and maintenance burden on already overtaxed business admin resources, with the ubiquitous pop-up banners and questionnaires as the only solution. But that is not always the case.
First, remember that opt-in jurisdictions do not require consent for strictly necessary data collection, which exempts mandatory business information from processing procedures. Additionally, most consent can be gathered in a straightforward way online through the right legal language crafted with counsel.
Record keeping and legal language are intertwined and must be consistent when gathering and documenting consent. With proper design of your organization’s policies and procedures to show due diligence, good record-keeping practices, thoughtful risk management, and an understanding of jurisdiction requirements, you will be on the right side of defensible information governance standards.
Over the years, LevelUP has leveraged our compliance expertise to provide clients steady navigation through uncertain waters and arrive at safe compliance shores. We help clients create and implement customized, comprehensive, yet straightforward consumer consent programs that demonstrate compliance and build consumer trust.
For more information on this topic or how LevelUP Consulting Partners can assist with your privacy and data security compliance needs, contact Dave Cohen, Senior Manager at: firstname.lastname@example.org
In our previous post, New State Privacy Laws – What’s Required?, we commented that although California led the way, Virginia and Colorado passed privacy laws on the heels of this landmark legislation, and twenty states had privacy legislation in the works. Since that post, Utah has become the newest state to pass privacy legislation. Utah’s Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA) into law on March 24, 2022. And, although the law does not take effect until December 31, 2023, there are compliance obligations to keep an eye on. Here’s a look at how to begin preparing for the country’s newest state privacy requirements.
The UCPA was signed into law on March 24, 2022 and will take effect on December 31, 2023. The law defines consumers as individuals who are residents of Utah and acting in an individual or household context. Notably, it does not include individuals acting in employment or commercial contexts. It defines controllers as persons doing business in the state who determine the purposes for which, and the means by which, personal data is processed. A processor is defined as a person who processes personal data on behalf of a controller, thus borrowing terms from the GDPR.
The UCPA applies to any controller or processor who:
The UCPA grants consumer rights to access and delete personal data. It also requires written agreements between controllers and processors. Finally, it treats consumer rights as largely opt-out.
Although the UCPA is largely based on Virginia’s privacy legislation, it is distinct and arguably narrower than its predecessors; it appears to be the least restrictive of the four state data privacy laws passed to date. First, the UCPA has a narrower scope of applicability than the other states’ laws. For a business to be in scope, it must meet the criteria above and satisfy one or more of the following thresholds:
1) during a calendar year, controls or processes personal data of 100,000 or more consumers, or
2) derives over 50% of gross revenue from selling personal data and controls or processes personal data of at least 25,000 consumers.
The UCPA exempts non-profits, higher education, government entities, and entities processing personal data subject to federal privacy laws. Additionally, the UCPA does not apply to personal data of employees or business contacts, de-identified data, aggregated data, or information generally available to the public.
Second, like other state privacy laws, the UCPA grants consumers rights to access and delete personal data. It does not, however, grant consumers a right to correct personal data. In addition, it only allows for deletion of information obtained from the consumer by the controller. It does not allow for deletion of information inferred from what a consumer has provided, or from third-party information. The UCPA allows for an opt-out of targeted advertising like the other laws; however, it sticks to opt-out for sensitive data, instead of creating an opt-in provision like the Virginia and Colorado laws.
Third, the UCPA is lighter on security and data processing agreements than its predecessors in other states. Unlike California, Virginia, and Colorado, the UCPA does not require controllers to conduct formal data processing risk assessments prior to processing personal and even sensitive data. It also does not include provisions on dark patterns. Like the other laws, the UCPA does require a controller to execute an agreement with a processor, but it does not require provisions in the agreement allowing controllers to audit the processor or giving controllers the right to object to a processor’s use of a subcontractor.
Finally, enforcement looks slightly different under the UCPA than its predecessors in other states. Under the UCPA, consumers are required to first submit complaints to the Utah Division of Consumer Protection, which then has the power to elevate a UCPA complaint to the Utah Attorney General’s office. In California, Colorado, and Virginia, the process starts in the Attorney General’s office.
As more and more states pass data privacy laws like these four, it is only natural for companies to be intimidated by the potential of a tsunami of fifty separate privacy laws. While Utah clearly added its own twist to American privacy laws and has some unique requirements, many of its requirements remain similar to those of established state laws.
Since the UCPA is narrower than its predecessors in California, Virginia, and Colorado, if a company is compliant or working towards compliance with any of these privacy laws, some work will have been accomplished toward compliance with the UCPA.
As always, reviews, updates, and implementation of robust privacy programs, data mapping, consent practices, and similar good data stewardship practices will serve companies well in complying with the UCPA, as they have for the other state privacy laws.
For more information on U.S. state privacy laws or how LevelUP Consulting Partners can assist with your privacy and data security compliance needs, contact Dave Cohen, Senior Manager at: email@example.com
The use of dark patterns is a common practice that e-commerce sites have implemented for years; however, it has recently caught the attention of lawmakers and regulators. This means it should now also be on the radar of compliance professionals.
Not only has the Federal Trade Commission (“FTC”) signaled its clear intention to regulate the use of dark patterns through enforcement actions, but states such as California and Colorado have also included mention of the use of dark patterns in their respective comprehensive privacy bills.
The term is derived from the concept of a ‘design pattern’, which is a user interface design element that can be used repeatedly in other interface designs with a measure of success. Design pattern elements fall within two categories: (1) user interface and (2) persuasive.
The first category contains more functional elements that make the interface familiar and easier to work with. For example, a reaction button to a blog post or the navigation tabs on a website are user interface design patterns. The second category includes those elements that are designed to change the user’s perception and/or encourage the user to act.
Issues arise when these patterns are more manipulative than persuasive. User interface expert Harry Brignull first coined the term ‘dark pattern’ in 2010 to describe a broad range of characteristics, practices, and attributes in a user interface that are designed to manipulate or deceive users.
Brignull identified a number of dark patterns, including:
These strategies probably sound familiar to you. Those of particular concern to both users and legislators are dark patterns designed to:
The CPRA requires that consent be “freely given, specific, informed” and constitute an “unambiguous indication” of the consumer’s intent. The law expressly states that: “agreement obtained through the use of dark patterns does not constitute consent.” A dark pattern is defined as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.”
Furthermore, CCPA regulation § 999.315 prohibits the use of dark patterns as a method to subvert the consumer’s choice to opt out. The regulation provides some guidance through the following examples:
Please note that the finalized CPRA regulations may provide more guidance.
Colorado: Colorado Privacy Act
Like its California counterpart, the Colorado Privacy Act (“CPA”) expressly prohibits the use of dark patterns as a method to obtain consent. The CPA adopts the same definition of dark pattern as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.”
The major difference between the two regulations is the penalties. Under California law, a business may be fined up to $7,500 per violation. However, the penalties under the CPA increase to a crushing $20,000 per violation, with a maximum penalty of $500,000.
Senator Mark Warner first introduced the Deceptive Experiences to Online Users Reduction Act (“DETOUR Act”) in Congress in 2019 and reintroduced the bill in December 2021. The DETOUR Act seeks to prohibit large online platforms from (1) using dark patterns for the purpose of manipulating consumers into handing over personal data and (2) using features that promote compulsive usage by children. The primary goal is to preserve the consumer’s autonomy and legitimate decision-making capabilities in relation to their personal information.
Not everyone agrees that these practices should be illegal. The Vice President of the Network Advertising Alliance, David LeDuc, argues against legislation around dark patterns. LeDuc believes the existing authorities and self-regulatory frameworks are sufficient and that the FTC should instead be provided with more resources to bring enforcement actions against unfair and deceptive trade practices.
Regardless of your stance on more or less regulation, businesses should proceed with caution when designing the user interfaces for online platforms, and when considering any of these “dark pattern” strategies.
For more information on this topic or how LevelUP Consulting Group can assist with your privacy and data security compliance needs, contact Dave Cohen, Senior Manager at: firstname.lastname@example.org
The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are only for the convenience of the reader, user or browser; LevelUP Consulting Partners does not recommend or endorse the contents of the third-party sites.
We provide specialized consulting services focused on managing risk in an efficient, scalable manner so you can grow your business confidently.
Eric Dieterich, Managing Director
LevelUP Consulting Partners
100 SE Third Avenue, Suite 1000
Fort Lauderdale, FL 33394