
Don’t Go Dark on Consent

Writer: Advisori


Seeking and obtaining lawful consent from individuals for the collection and processing of their data is critical to privacy compliance for US businesses. Unfortunately, this task is not easy because US consent requirements are embedded within a patchwork of federal and state laws, each tailored to address specific categories of data and even specific industries. Below is an overview of the current US consent regulatory framework.


Federal Regulations

Health Insurance Portability and Accountability Act (HIPAA): HIPAA mandates that healthcare providers, insurers, and their business associates obtain explicit patient consent before using or disclosing their protected health information (PHI). This consent must be informed and documented.


Children’s Online Privacy Protection Act (COPPA): COPPA requires operators of websites and online services directed at children under 13 to obtain verifiable parental consent before collecting, using, or disclosing personal information belonging to children. This law emphasizes the need for clear and understandable privacy policies.


Gramm-Leach-Bliley Act (GLBA): Financial institutions under GLBA must provide consumers with privacy notices explaining their information-sharing practices and offer an opt-out mechanism for sharing personal data with non-affiliated third parties.


Federal Trade Commission (FTC) Act: The FTC enforces regulations against unfair or deceptive practices, including those related to privacy and data security. Organizations must obtain clear and conspicuous consent before collecting or sharing personal information in ways that deviate from their stated privacy policies.


Electronic Communications Privacy Act (ECPA): This act requires consent for the interception and disclosure of electronic communications. It applies to service providers and employers who monitor employees’ communications.


State-Specific Laws

California Consumer Privacy Act (CCPA): The CCPA grants California residents the right to know what personal data is being collected about them and to whom it is being sold. It requires businesses to obtain opt-in consent for the sale of personal information of minors under 16 and mandates an opt-out option for all consumers.


Virginia Consumer Data Protection Act (VCDPA): Similar to the CCPA, the VCDPA requires businesses to obtain consent before processing sensitive data, including data on racial or ethnic origin, religious beliefs, or health information.


As demonstrated above, federal laws like HIPAA and COPPA mandate explicit consent for the handling of sensitive information, such as health records and children’s data. These regulations ensure that individuals are informed about data practices and have the opportunity to agree to them before any data processing occurs.


Similarly, state laws, like Section 1798.100 of the CCPA, require businesses to inform consumers, at or before the point of collection, about the categories of personal information to be collected and the purposes for which the information will be used. This section emphasizes the concept of “transparency,” requiring businesses to disclose their data collection processes in a clear and accessible manner.


The CCPA also requires specific consent to collect and process personal data. For example, Section 1798.140(h) defines consent as:

…any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer, or the consumer’s legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer, including by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose. Acceptance of a general or broad terms of use, or similar document, that contains descriptions of personal information processing along with other, unrelated information, does not constitute consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute consent. Likewise, agreement obtained through use of dark patterns does not constitute consent.

Next, Section 7002 of the California Consumer Privacy Act Regulations focuses on restrictions on the collection and use of personal information and requires:


  1. Necessity and Proportionality: Businesses must ensure that the collection, use, retention, and sharing of personal information are reasonably necessary and proportionate to achieve the purposes for which the information was collected.

  2. Purpose Limitation: Personal information should only be used for the purposes disclosed to the consumer at the time of collection, unless the consumer provides consent for additional uses.

  3. Data Minimization: Businesses should collect the minimum amount of personal information necessary to fulfill the stated purpose.

  4. Retention Limits: Personal information should not be retained for longer than necessary to fulfill the disclosed purpose.


Finally, the CCPA prohibits the use of “dark patterns,” which is expressly defined as:

… a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice, as further defined by regulation.

Earlier this year, the California Privacy Protection Agency (CPPA) issued “Enforcement Advisory No. 2024-02” providing the following guidance on dark patterns:


  1. Definition of Dark Patterns: User interfaces designed to subvert or impair user autonomy, decision-making, or choice. The advisory emphasizes that dark patterns are judged by their effect, not by intent.


  2. Clear and Understandable Language: Businesses must use clear and understandable language in their user interfaces to avoid misleading consumers.


  3. Symmetry in Choice: The advisory stresses the importance of offering symmetrical choices to consumers. For example, the process to opt out of data sharing should not be more cumbersome than opting in.


  4. Enforcement Observations: The advisory provides examples of non-compliant practices and encourages businesses to review their interfaces to ensure compliance.


  5. Legal Context: The advisory clarifies that agreements obtained through dark patterns do not constitute valid consent under the CCPA.


This advisory serves as a reminder for businesses to design user interfaces that respect consumer autonomy and comply with privacy regulations.


Best Practices for Obtaining Consent

As demonstrated above, consent is a fundamental regulatory requirement in data privacy, serving as a means for individuals to control how their personal information is collected and used. However, consent is not just a legal requirement but also a best practice that fosters trust between organizations and individuals. By obtaining clear and informed consent, businesses demonstrate their commitment to respecting privacy rights and adhering to ethical data management standards.


By satisfying the following, your business will achieve compliance with the diverse US legal landscape, while enhancing brand reputation.


  1. Transparency: Clearly inform individuals about what data is being collected, how it will be used, and with whom it will be shared. Privacy policies should be easily accessible and written in plain language.


  2. Affirmative Action: Ensure that consent is obtained through affirmative actions, such as checking a box or clicking an “I agree” button, rather than through pre-ticked boxes or implied consent.


  3. Granular Consent: Provide individuals with options to consent to different types of data processing activities separately, allowing them to make informed choices about their personal information.


  4. Revocation Mechanism: Offer a straightforward process for individuals to withdraw their consent at any time and ensure that this revocation is honored promptly.


As privacy regulations continue to evolve, businesses should stay informed about state-specific requirements and best practices to ensure legal compliance and maintain consumer trust. Reach out to an Advisori Privacy Professional to discuss your specific business needs.



© 2025 Advisori
