Opt-in? Opt-out? Precautions for Enterprises Concerning the Design of Two Different Systems (Taiwan)

Jhen-Yi Chen, Yuki Chiang and Jaime Cheng (California Attorney)[1]

I. Introduction

The California Consumer Privacy Act (hereinafter, “CCPA”) grants consumers the right[2] to access their personal information (consumers may request businesses to disclose, free of charge, the types of their personal information and the types of the information sources as collected or sold as well as the types of business of the third parties with whom such information is shared), the right to request deletion of personal information[3], and the right to request the portability of personal data.[4] The Personal Data Protection Act (hereinafter, the “PDPA”) of this nation also grants similar rights to the consumers.[5]

However, in the design of the personal data protection system, there are two different designs, namely, opt-in and opt-out. In this article, the PDPA in Taiwan is cited as an example to illustrate the opt-in regime. The PDPA in Taiwan requires that a business shall first inform the consumers, in advance, of the specific purposes of using their personal data as collected, and the business shall obtain a specific written “consent” (which means “the right to opt-in”) from the consumers after fulfilling the obligation to inform in order to meet the requirement of lawful collection and use of personal information. As for the “right to opt-out” mechanism, this article uses the CCPA for illustration. The CCPA requires businesses to specifically and clearly include the types of personal information to be collected and the purpose of such collection in the Personal Information Collection Statement released to the consumers, and businesses may lawfully collect and use the personal information of the consumers after performing this obligation to inform. The uniqueness in the design of this regime lies in the CCPA’s focus on the opt-out mechanism. In particular, the CCPA enables consumers above the age of 16 to easily exercise the “right to opt-out.”[6] This article compares the differences between the opt-in and opt-out regimes and the differences in their requirements.

II. CCPA grants the consumers the “right to opt-out.”

1. Definition of “Sell,” “selling,” “sale,” or “sold”:[7] Means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

2. “Obligation to inform the consumers”:[8] A business that sells consumers’ personal information to third parties shall provide notice to consumers that this information may be sold and that consumers have the “right to opt-out” of the sale of their personal information.  The businesses shall provide a link to the consumers’ right to opt-out on their website homepage.

3. Definition of the “right to opt-out”:[9] A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.   A business shall provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information.   A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information in a form that is reasonably accessible to consumers.

(1) People over the age of 16: The CCPA gives consumers the right to opt-out of the sale of their personal information by businesses. This means that before selling personal information, a business shall provide consumers above the age of 16 with the right to opt-out.

(2) People between the ages of 13 and 15: If businesses cannot obtain the opt-in of people between the ages of 13 and 15 in advance, they shall not sell the personal information of people between the ages of 13 and 15.

(3) People below the age of 13: If a business does not obtain the opt-in of people below the age of 13 from their legal representatives in advance, the business shall not sell the personal information of the people below the age of 13.

4. Prohibition against differential treatments: Businesses shall immediately cease the sale upon receipt of the consumers’ instructions, and shall not provide differential treatments[10] to consumers who have exercised the right to opt-out within the scope of services originally provided.

III. The PDPA is basically designed in a way that requires prior opt-in of the consumers with respect to the scope of the legal use of the personal data collected by businesses.

1. Definition of “use”:[11] It means any act of use.

2. Before collecting personal data, a business should clearly inform the data subjects of the “specific purposes” of collecting personal data and obtain the consent of the consumers before it may legally collect, process or use personal data. When collecting personal data, a business shall communicate the following:

(1) The name of the business.

(2) The purposes of collection.

(3) The types of personal data.

(4) The period, area, targets and method concerning the use of personal data.

(5) With respect to the rights which may be exercised by the consumers concerning the PDPA and the manners of such exercise, the rights include: the inquiry or request to review; the request to provide a copy; the request to supplement or correct; the request to stop the collection, processing or use; or the request to delete.

(6) The impact on the rights and interests of the consumers who do not provide their personal data when they freely choose to do so.

3. Only when a business has obtained the consent of the data subjects can it use their personal data as collected beyond the specified purposes:[12] If a business seeks to use the personal data as collected beyond the specified purposes (e.g., for other marketing use) after collecting the personal data, it shall separately obtain the consent of the consumers in accordance with Article 7, Paragraph 2 of the PDPA (Article 20, Paragraph 1, Subparagraph 6 of the PDPA in Taiwan) and shall not use the personal data as collected beyond the specified purposes simply by way of a generalized special statement.[13]

4. The consumers have the right to request that the use of their personal data be stopped after the collection of such personal data[14]:

(1) Illegal use of consumers’ personal data by businesses: Businesses should stop using personal data on their own initiative or at the request of the consumers.[15]

(2) Personal data collected by businesses from generally available sources: When it is clear that a consumer has a significant interest that is more worthy of protection, the business should, on its own initiative or at the request of the consumer, cease the use of such personal data.[16]

5. Consumers’ right to refuse marketing: The PDPA in Taiwan requires that, when using the consumers’ personal data for marketing for the first time, businesses shall provide consumers with a means to state their refusal to the marketing and pay for all the costs incurred in connection with the consumers’ exercise of the right to refuse marketing.  When consumers report their refusal to marketing, businesses shall immediately stop the use of the consumers’ personal data for marketing purposes.[17]

IV. The main differences between the opt-in and opt-out regimes.

1. Right to opt-in:

(1) Businesses: Before collecting personal data, a business is required to sufficiently perform its obligation to inform by properly and thoroughly informing the consumers of the scope of the business’s plan to use their personal data. The business may lawfully use the personal data of the consumers if their consent is obtained. In the event of any dispute over personal data, the business shall assume the burden of proof to substantiate the fact that the consumers’ lawful written consent has been obtained.

(2) Consumers: Consumers are to be provided with a right to review in advance the purposes and scope of use of personal data collected by businesses. In general, businesses can only collect, process, and use personal data within the scope of the purposes agreed by the consumers. Intuitively, this “prior consent model” is more protective for consumers, but in practice, businesses often provide consumers with a standard consent form concerning personal data protection for signature. Regardless of the scope of specified use or their willingness to give prior authorization to the businesses to engage in uses beyond the purposes which have been communicated in the consent form (such as use for group marketing, sale or sharing with any third party), most standard contractual provisions only permit consumers to accept or reject the provisions in their entirety with no room for negotiation. In addition, if the consumers do not agree to the personal data protection policy or the provisions in a consent form set by the business, the business, in most cases, will directly refuse to provide any or part of the services (with an impact on the service quality). This is tantamount to forcing the consumers to passively accept the use of their personal data, which they previously were unwilling to accept (e.g., for group marketing, sales, sharing with third parties).

2. Right to opt-out:

(1) Businesses: Before or when collecting consumers’ personal data, businesses should specifically and clearly inform the consumers of the types and purposes of the personal data to be collected in the “personal data collection statement” released to the consumers. After performing the obligation to inform, businesses may lawfully collect and use consumers’ personal data. When a business sells personal data, it should inform the consumers of the fact that it sells personal data and should also inform the consumers of the right to opt-out. In addition, the business shall provide a link on its homepage through which a data subject can refuse the sale of his/her personal data, to facilitate the consumers’ exercise of the right to opt-out.

(2) Consumers: The CCPA focuses its protection of personal data on the right to opt-out. This means that consumers over the age of 16 are granted the right to opt-out, which is simple to exercise. Even though consumers are clearly aware that the business may sell their personal data in the future, if consumers subsequently change their minds or are not willing to allow the business to sell their personal data, they can still refuse the business’s sale of their personal data while using the services at the same quality as provided by the business.[18] Therefore, in terms of practical operations, the right to opt-out is, by design, easier for consumers to exercise in the context of standard contracts and enhances consumers’ ability to manage their own personal data.

V. Precautions for enterprises

The competent authority in Taiwan has started to amend the PDPA so that Taiwan can obtain the GDPR adequacy decision for the European Union. Whether the draft PDPA will include an opt-out mechanism similar to that under the CCPA is worthy of further attention. In addition, when Taiwanese businesses engage in foreign economic and trade activities that involve business dealings with companies in California, it is necessary to specifically confirm whether their internal personal data protection policies are compliant with the CCPA.

Take the system involving the “consent” of data subjects, as discussed in this article, for example.  The legislation in Taiwan focuses on the right to opt-in where consumers may agree to a business’s collection, processing and use of their personal data within the scope of “specific purposes” which has been communicated to the consumers by the business in advance, coupled with the right of the consumers to request the businesses to stop the illegal use of their personal data after the fact and the right of the consumers to refuse marketing.  It should be noted that in the event of a dispute over personal data, the businesses have the burden of proof to substantiate the fact that the prior written consent of the consumers has been lawfully obtained.

However, the regulatory focus of the CCPA is on the right to opt-out, with a mechanism by which the consumers may exercise that right. Please note that when selling personal data, businesses shall notify consumers of the fact that their personal data are to be sold and inform the consumers of their right to opt-out. In addition, the businesses shall provide a link on their homepage concerning the right of the data subjects to opt-out to facilitate the consumers’ exercise of the right to opt-out.

When the laws and regulations of different countries emphasize different protection mechanisms, Taiwanese businesses should pay special attention to how to set up a multinational personal data protection policy that meets the legal requirements of all countries and to design webpage contents that meet the requirements of local laws and regulations. It is also necessary for businesses to further review their internal personal information management system and their announced personal data policies in order to accommodate the different requirements or different system designs in various countries.

[1] The contents of this article are neither legal opinions nor represent the position of this law firm.

[2] CCPA, Section 1798.100(a)(c), 1798.110 and 1798.115.

[3] CCPA, Section 1798.105.

[4] CCPA, Section 1798.100(d), 1798.130(a).

[5] Articles 3, 10 and 11 of the PDPA.

[6] CCPA, Section 1798.120(a)(c).

[7] CCPA, Section 1798.140(t)(1).

[8] CCPA, Section 1798.120(b).

[9] Same as Footnote 6.

[10] CCPA, Section 1798.125(a)(1).

[11] Article 2, Subparagraph 5 of the PDPA: “‘Use’ means an act of using personal data via any methods other than processing.”

[12] Article 20, Paragraph 1, Subparagraph 6 of the PDPA: “Except for the personal data specified in Article 6, Paragraph 1, a non-government agency shall use personal data only within the necessary scope of the specific purpose of collection, provided that the use of personal data for another purpose may be engaged in any of the following circumstances: (6) the data subjects have given their consent.”

[13] MOJ-Fa-Lu-10603503880

[14] Article 3, Subparagraph 4 of the PDPA: “A data subject shall be able to exercise the following rights with regard to his/her personal data and such rights shall not be waived or limited contractually in advance:…(4) the right to demand the cessation of the collection, processing or use of his/her personal data.”

[15] Article 11, Paragraph 4 of the PDPA: “A person who collects, processes, or uses personal data in violation of this Law shall, upon its own initiative or at the request of the data subjects, delete, cease to collect, process or use such personal data.”

[16] Article 19, Paragraph 1 of the PDPA: “Except for the personal data specified under Article 6, Paragraph 1, the collection or processing of personal data by a non-government agency shall be for specific purposes and be subject to one of the following circumstances: …(7) where the personal data are obtained from publicly available sources, provided that this restriction shall not apply if the data subjects apparently have an interest in prohibiting the processing or use of such personal data which is more worthy of protection;” and Paragraph 2 provides: “A data collector or processor shall, upon its own initiative or at the request of the data subject, delete or cease processing or using the personal data when it becomes aware of, or upon notification by the data subject, that the processing or use of the personal data should be prohibited pursuant to the proviso of Subparagraph 7 of the preceding paragraph.”

[17] Article 20, Paragraph 2 of the PDPA: “When a non-government agency uses personal data for marketing purpose pursuant to the preceding paragraph, if the data subject objects to such use, the agency shall cease using the data subject’s personal data for marketing,” and Paragraph 3 provides: “A non-government agency, when using the data subject’s personal data for marketing purposes for the first time, shall provide the data subjects with the means by which they can object to such use, and the agency shall pay for all relevant costs.”

[18] Same as Footnote 10.