Multiple advertising and privacy laws outline requirements for getting consumer consent to use personal information, including for marketing or other purposes. While many companies realize that inadequate user consent increases risks of class action lawsuits, regulatory actions, and fines, it can be difficult to determine what laws apply and how to comply, while still staying competitive. That is where experienced legal counsel can assist.

The following are key laws that require consumer consent for use of personal information:

California Consumer Privacy Act (CCPA)

  • Under the CCPA, consumers have a right to direct covered businesses to not "sell" personal information, and businesses must have authorization to sell personal information about consumers younger than 16 years old.
  • The CCPA also requires notice of privacy practices and of selling personal information, which is often done through consent to the privacy policy at the time of a transaction (as well as by having a privacy policy and requisite "Do Not Sell" hyperlinks on the website homepage).

The European Union's General Data Protection Regulation (GDPR)

  • The GDPR prohibits processing of personal data unless it is allowed by law or the data subject/user has consented to the processing.
  • Valid consent must be a freely given, specific, informed, and unambiguous indication of the data subject's wishes by a statement or clear affirmative action signifying agreement to the processing of the subject's data. In practice, this often means checking a checkbox next to clear disclosure language.

Telephone Consumer Protection Act (TCPA)

  • Telemarketing calls/text messages to mobile numbers using an automated telephone dialing system or artificial or prerecorded voice require "prior express written consent" under the TCPA.
  • The consent agreement must include a clear and conspicuous disclosure that the user authorizes the seller to call using the automatic telephone dialing system or prerecorded voice and that the user is not required to make any purchase as a condition of the agreement.

Telemarketing Sales Rule (TSR)

  • Telemarketers/sellers cannot call/text an individual who is listed on the Do Not Call List, unless an exception applies or the telemarketer/seller has obtained the express written agreement of the person to place telemarketing calls to that person.
  • The agreement must show authorization for calls/texts by or on behalf of a specific party to a specific phone number, as well as the person's signature.

Health Insurance Portability and Accountability Act (HIPPA)

  • Marketing communications and sales of protected health information by a covered entity may only occur if the covered entity obtains prior authorization of the individual, unless an exception applies.
  • HIPPA authorizations must contain specific requirements and be signed by the individual or a personal representative.

Gramm-Leach-Bliley Act (GLBA)

  • Covered financial institutions must obtain prior authorization before disclosing a consumer's nonpublic personal information, unless an exception applies.
  • While certain disclosures do not require a signed written authorization, disclosure of nonpublic personal health information must have authorizations according to specific requirements under certain circumstances.

Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)

  • In the United States, the CAN-SPAM Act follows an opt-out method, i.e., it does not require express consent to receive marketing emails. However, the CAN-SPAN opt-out rule does not apply if the user has provided prior affirmative consent.
  • Nonetheless, certain laws in other countries have specific requirements for obtaining user consent to emails, and acquiring such consent (either through an express agreement, such as a checkbox, or in the terms of use in the United States) can help mitigate problems later.

Restore Online Shoppers' Confidence Act (ROSCA), Electronic Funds Transfer Act (EFTA), California's Automatic Renewal Law (ARL)

  • Multiple laws require disclosures and consent before obtaining and/or using a consumer's billing information for certain practices, including subscription and negative option sales and "free" trials. For example, ROSCA requires express informed consent before charging consumers' cards for negative option billing, the EFTA prohibits recurring charges to a consumer's debit card without proper disclosure, and California's ARL requires, among other things, clear and conspicuous disclosures where credit card information is entered.
  • For covered billing practices, businesses should obtain consumer consent next to clear disclosures outlining the total price along with the amounts and timeframes for any automatic billing.

General Consent to Terms of Use

  • It is crucial for businesses to obtain consent to their terms of use, terms of service, and terms and conditions to be able to enforce these contracts against users.
  • In practice, this often means having a user check a box next to a disclosure and clear hyperlink and making sure that any key provisions, such as arbitration provisions with class-action waivers and limitations of liability, are clear and conspicuous.

Consent for Cookies and Other Privacy Practices

  • Certain international laws, such as in the European Union (EU), require user consent to other privacy practices, such as use of marketing cookies.
  • For example, some EU courts have outlined that consent to cookies requires opt-in consent, such as an affirmative click/agreement next to an adequate disclosure.

In addition to obtaining proper consent for various business and privacy practices, it is a smart practice to obtain and maintain consent records to confirm users' consent. Further, while researching how competitors are obtaining consent to data use is not by itself sufficient, it can provide a helpful way for companies to review how others in the industry are applying applicable laws and assessing the risks. Finally, under the Uniform Electronic Transactions Act (UETA), there are various ways to obtain consumer consent other than requiring a physical signature, such as requiring users to check an unchecked box or having users type their name.

Originally published August 24, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.