The Statute

In contrast to the opportunity given to California consumers to opt-out of the sale of their personal information, consumers who are minors must opt-in for such sale. Section 1798.120(c) of the CCPA statute establishes a 2-tier structure for determining who must give consent:

  • Minors under 13 years of age. A parent or guardian must affirmatively authorize the sale.
  • Minors 13-16 years of age. The minor can authorize the sale.

Note that this authorization structure applies to a business only if it “has actual knowledge that the consumer is less than 16 years of age” but that “[a] business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. 1” This “actual knowledge” requirement is also cited in the CCPA Regulations.

The Regulations

Section § 999.330 of the CCPA Regulations addresses particulars of the opt-in process:

  • Verifying the authorizing parent or guardian. A business must have a process in place to verify that the parent or guardian authorizing the sale of a minor’s personal information is who they say they are: “A business that has actual knowledge that it sells the personal information of children under the age of 13 shall establish, document, and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information about the child is the parent or
    guardian of that child. This affirmative authorization is in addition to any verifiable parental consent required under COPPA [i.e. the Children’s Online Privacy Protection Act, 15 U.S.C. sections 6501, et seq].” [emphasis added]
  • Options for verification. The Regulation offers multiple options for verifying the putative parent or guardian:
    • Providing a consent form to be signed physically or electronically…under penalty of perjury[];
    • Requiring a parent or guardian, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
    • Having a parent or guardian call a toll-free telephone number staffed by trained personnel;
    • Having a parent or guardian connect to trained personnel via video-conference;
    • Having a parent or guardian communicate in person with trained personnel; and
    • Verifying a parent or guardian’s identity by checking a form of government-issued identification against databases of such information[ ].
  • Verification in the context of a request to know or to delete. The options cited above for verification also apply when a parent or guardian executes a request to know or to delete on behalf of the minor: “A business shall establish, document, and comply with a reasonable method, in accordance with the methods set forth…[above]…for determining whether that a person submitting a request to know or a request to delete the personal information of a child under the age of 13 is the parent or guardian of that child.”
  • Notice requirements to the parent or guardian. A business must provide notice to a parent or guardian opting-in how to later opt-out: “When a business receives an affirmative authorization pursuant to…[this regulation]…the business shall inform the parent or guardian of the right to optout and of the process for doing so on behalf of their child pursuant to section 999.315(a)-(f) [i.e., the specifics regarding the opt-out process applicable to all consumers].”

1. Cal. Civ. Code §1798.120(c).