The Opt Out Mistakes Costing Companies Money

We’re seeing a steady stream of California Consumer Privacy Act (CCPA) enforcement. Businesses across many industries, including automotive, media, app development, and retail, have found themselves on the wrong end of these enforcement actions. A common theme in these penalties is opt-out functionality on websites and apps. The law requires businesses to provide consumers with an easy way to opt out of the sale or sharing of their personal data and the use of web trackers.

In this article, you’ll find an explanation and examples of the common opt-out mistakes businesses are making that result in costly CCPA penalties.

Apps Without Opt-Out Functionality

The CCPA requires businesses to provide an opt-out mechanism that reflects how the business interacts with the consumer. This means companies with apps must provide users with a way to opt out within their apps.

Examples of violations

  • Jam City, a mobile gaming company, paid a $1.4 million settlement for violating the CCPA. An investigation found that Jam City did not provide a CCPA-compliant opt-out link within its apps. 20 of Jam City’s 21 apps did not provide an option to opt out of the sale and sharing of personal information. One of Jam City’s apps had a “Data Privacy” link, but it did not reference the CCPA and did not clearly state if it would stop the sale or sharing of personal information.
  • The majority of Sling TV customers access the platform through an app on devices such as their smart television or gaming console. The app did not provide users with an easy-to-use avenue to opt out. Instead, they had to use a long URL in a web browser, usually on a different device. Sling TV was fined $530,000 for this and other violations.

Banners Missing a Decline Button

Notice banners that appear on websites and apps informing users and visitors about the collection and use of personal data must include a “Decline” or opt-out button. Forcing users to click “Agree” to close the banner is a violation.

Examples of violations

  • PlayOn is a company that designs platforms for high schools to sell and manage digital tickets, stream events, and track scores, player bios, and stats. The notice banners on its websites required consumers to click “Agree” to the use of tracking technologies and provided no other way to close the notice banner.

    When using PlayOn’s GoFan ticketing platform on a mobile device, the notice banner covered the portion of the screen that allowed consumers to redeem their ticket. This forced consumers to click “Agree” on the notice banner before they could use their tickets.

    These violations were a part of PlayOn’s $1.1 million CCPA fine.

Requiring Users to Verify Their ID or Email

The CCPA prohibits businesses from requiring identity verification, such as email confirmation, as a condition of opting out of the sale or sharing of personal information. To avoid creating “unnecessary friction,” businesses are only allowed to ask for information strictly necessary to honor the opt-out request.

Examples of violations

  • Ford provided an interactive form on its website for consumers to opt out of the sale/sharing of their data. The form captured enough information for Ford to process the request, but Ford displayed a message directing consumers to check their “email for confirmation.” The company then sent an email telling consumers it had received the request, but that before completion they must confirm their email and identity by clicking a button. Ford further explained that “Once we have confirmed your identity,” it would “respond to your request within the legally required time period.” If a consumer did not click “Confirm Email,” Ford deemed their request “expired.” This resulted in Ford not processing dozens of opt-outs within the timeframe (15 business days) required by the CCPA. The email verification process was a major factor in Ford’s $375,000 settlement.
  • Honda’s “Submit a Privacy Request” link took consumers to a “Consumer Privacy Rights Request Form” that required the same information for five different requests: Do Not Sell or Share My Personal Information, Limit Use of My Sensitive Personal Information, Opt-Out of Automated Decision Making and Profiling, and Delete My Personal Information. Honda required consumers to provide their first name, last name, address, city, state, zip code, preferred method to receive updates, email, and phone number to submit the request. Under the CCPA, opting out does not obligate consumers to verify their identity. Honda was fined $632,500 for this and other CCPA violations.
  • Todd Snyder’s privacy policy included a link to a Privacy Portal where consumers could submit CCPA requests. People were redirected to a Data Request Form that allowed them to select a request type, including “Do Not Sell or Share to a Third Party.” Regardless of the selected request type, the Data Request Form required consumers to provide their first and last name, email, country of residence, and a photograph of the consumer holding their “identity document.” Under the CCPA, government identification (driver’s license, passport, etc.) is considered sensitive personal information. Todd Snyder was fined $345,000.

Failing to Honor Opt-Outs Across all Platforms

Businesses that operate multiple platforms must honor opt-out requests on all platforms. If a logged-in user opts out of tracking or sharing on platform A, that opt-out must also apply when the user is using platform B.

Examples of violations

  • Disney paid a $2.75 million settlement for various CCPA violations, including failing to apply opt-outs across platforms. Disney owns the Disney+, Hulu, and ESPN+ (collectively known as the Disney Bundle) streaming services. Consumers could use the same login information for all three services. Under Disney’s setup, consumers could only fully opt out if they completed Disney’s opt-out web form and used the opt-out toggle for each service on each device the consumer used. For customers with the Disney Bundle, this meant they may have had to express their opt-out choice up to ten times. This was the case even though Disney was aware of which devices were associated with the user or connected to their account.

Links Must Provide Easy Opt-out Options – Not Just Instructions to Call or Email

A business that sells or shares personal information must also provide Notice of Right to Opt-out of Sale/Sharing by posting either a “Do Not Sell or Share My Personal Information” or a “Your Privacy Choices” link on its websites. The link must either take consumers to a webpage that provides an easy opt-out method or immediately recognize the opt-out.

Examples of violations

  • PlayOn’s “Your Privacy Choices” link directed consumers to call or email PlayOn to place an opt-out request.
  • Jam City also did not provide a CCPA-compliant opt-out link on its website. The only CCPA opt-out rights mentioned on the website were found under a section titled “Cookies and Interest Based Advertising.” There, consumers were told they could email Jam City to stop targeted advertising.
  • Tractor Supply provided a “Do Not Sell My Personal Information” link in its website footer, which directed consumers to a web form. This form didn’t give consumers the ability to opt out of sale/sharing with third-party trackers or inform them how to opt out. Tractor Supply was fined $1.3 million.

Opting In Takes More Steps than Opting Out

The CCPA has a “Symmetry Rule,” meaning the number of steps required to opt out must be the same as or fewer than the number of steps required to opt in.

Examples of violations

  • The cookie management tool on Honda’s website gave consumers the ability to opt out of targeted advertising and tracking. As seen in the images below, the cookies identified in the cookie management tool are “allowed” or “active” by default. To turn off the Advertising Cookies, consumers had to complete two tasks: toggling the button off and clicking the “Confirm My Choices” button. Consumers could opt back into Advertising Cookies in one step by clicking the “Allow All” button. This resulted in an asymmetrical choice.

At CompliancePoint, we’re dedicated to helping businesses ensure the opt-out functionality and user interfaces on their websites comply with the CCPA and any other applicable laws. Reach out to us at connect@compliancepoint.com to learn more about our Cookie Management Services.

To learn more about website privacy functionality and the CCPA, watch our “Lessons Learned from CCPA Enforcements” podcast episode.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.