The Statute

Consent of a data subject to the proposed processing of his/her personal data is one of six possible legal bases for processing under Article 6 of the EU GDPR. Under the CCPA, however, consent plays a comparatively lessor role. There are three contexts under which consent applies under the CCPA statute:

  • Under §1798.120(d), “[a] business that has received direction from a consumer not to sell the consumer’s personal information or, in the case of a minor consumer’s personal information has not received consent to sell the minor consumer’s personal information shall be prohibited…from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information.”
  • Under §1798.125(b)(3), “[a] business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.130 that clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.”
  • Under § 1798.105(d)(6), a business does not have to delete consumer personal information upon request if it is “[e]ngag[ing] in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.”

[all emphasis added]

The Regulations

Consent features more prominently in the CCPA Regulations. Relevant citations include:

  • §999.305(5). A business shall not use a consumer’s personal information for purpose materially different than those disclosed in the notice at collection. If the business seeks to use a consumer’s previously collected personal information for a purpose materially different than what was previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.
  • §999.318. If a member of a household is a minor under the age of 13, a business must obtain verifiable parental consent before complying with a request to access specific pieces of information for the household or the deletion of household personal information pursuant to the parental consent provisions in section 999.330.
  • §999.330(a)(1). A business that has actual knowledge that it sells the personal information of children under the age of 13 shall establish, document, and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information about the child is the parent or guardian of that child. This affirmative authorization is in addition to any verifiable parental consent required under COPPA [i.e., the Children’s Online Privacy Protection Act,
    15 U.S.C. sections 6501, et seq.].

[all emphasis added]