Compliance Glossary

The California Privacy Rights Act (CPRA) updates the CCPA by clarifying what counts as consent: it’s a consumer’s freely given, clear, and informed choice about how their personal data is used. 

While the CCPA generally operates on an opt-out basis—meaning businesses can handle most personal data without explicit permission as long as consumers have the option to say no—there are situations where explicit consent is a must.

Explicit consent is needed, for instance, when a consumer has already opted out of having their personal information shared or sold. It’s also required when dealing with the personal information of minors aged 13 to 16, especially if that information is being exchanged or sold. Furthermore, if sensitive personal data is being used in ways not explicitly allowed by law, businesses need to get a clear “yes” from the consumer.

Consent, in this context, can’t be assumed or coerced. It has to be a conscious and voluntary action. This means no pre-checked boxes, no taking silence as agreement, and no assuming that inactivity is a green light. Importantly, consumers can change their minds at any time.

For those under 16, businesses need opt-in consent before they can sell their personal information, and for children under 13, this permission has to come from a parent or guardian. Companies are also required to respect opt-out signals sent through user-enabled tools like Global Privacy Controls (GPC).

If a business offers financial incentives for collecting, selling, or deleting personal data, they must get the consumer’s opt-in consent, which can be withdrawn at any point. Additionally, if a consumer has previously opted out of the sale of their information, businesses need to wait at least 12 months before asking for permission again.