Current through Register Vol. 47, No. 20, October 25, 2024
Section 4 CCR 904-3-7.05 - CONSENT AFTER OPT-OUTA. The Consumer's decision to Consent to Processing activities from which the Consumer has previously opted-out using either a Universal Opt-Out Mechanism or directly with a particular Controller is subject to the requirements for Consent under 4 CCR 904-3, Rules 7.03 and 7.04.B. A Controller that wishes to obtain Consent to Process Personal Data for an Opt-Out Purpose after the Consumer has opted out of Processing for that Purpose shall not request Consent using schemes that cause consent fatigue, such as interface dominating cookie banners, high frequency requests, cookie walls, pop-ups, or other any other interstitials that degrade or obstruct the Consumer's experience on the Controller's web page or application. 1. A Controller may proactively request Consent to Process Personal Data for an Opt-Out Purpose after the Consumer has opted out, by providing a link to a privacy settings page, menu, or similar interface, or comparable offline method, that enables the Consumer to Consent to the Controller Processing the Personal Data for the Opt-Out Purpose, so long as the request for Consent meets all other requirements for valid Consent under this Part 7.2. If a Controller has a reasonable belief that a Consumer intended to opt back into the Sale of Personal Data or Processing of Personal Data for Targeted Advertising, the Controller may proactively send a link to a privacy settings page or other method to enable the Consumer to Consent to the Controller Processing the Personal Data for the Opt-Out Purpose directly to a Consumer.C. If a Controller conspicuously displays the status of the Consumer's opt-out choice on the website pursuant to 4 CCR 904-3, Rule 5.08 , the link to provide Consent may appear beside or in conjunction with the Consumer's opt-out status.D. If a Consumer has opted-out of the Processing of Personal Data for the Opt-Out Purposes, and then initiates a transaction or attempts to use a product or service inconsistent with the request to opt-out, such as signing up for a Bona Fide Loyalty Program that also involves the Sale of Personal Data to a Bona Fide Loyalty Program Partner, the Controller may request the Consumer's Consent to Process the Consumer's Personal Data for that purpose, so long as the request for Consent complies with all provisions of 4 CCR 904-3, Rules 7.03 and 7.04.E. Example: A Consumer opts out of the use of Personal Data for Sale or Targeted Advertising using a Universal Opt-Out Mechanism. The Consumer visits the website of a fashion retailer that routinely shares Consumer Personal Data for Targeted Advertising. The fashion retailer must obtain the Consumer's consent because the Consumer has already opted out of Processing for that purpose. The fashion retailer's website displays a pop-up banner seeking Consent to share the Consumer's Personal Data for Targeted Advertising. This is not a valid request for Consumer Consent because the request is made through a pop-up banner that degrades or obstructs the Consumer's experience on the Controller's web page or application.F. Example: A Consumer opts out of the use of Personal Data for Sale or Targeted Advertising using a Universal Opt-Out Mechanism. The Consumer visits a fashion retailer's website. The fashion retailer's homepage contains a message at the top of the webpage that displays the Consumer's opt-out status, stating, "you have opted out of targeted advertising" next to a link that states "Opt-in to Data Use". The linked webpage also meets all requirements of 4 CCR 904-3, Rules 7.03 and 7.04. Consent pursuant to this request is valid.46 CR 06, March 25, 2023, effective 7/1/2023