CCPA enumerates certain rights for individuals, one of which requires companies to provide access to the data collected on individuals by facilitating Data Subject Access Requests (“DSARs”). That means that if a consumer can compel your company to provide it with the following rights:
- Right to request information
- Right to data portability
- Right to opt-out
- Right to access data
- Right of disclosure
- Right to deletion
- Right to restrict sale of personal information
This last right is known as the “Do Not Sell My Personal Information” component of CCPA. If a consumer makes this request, your company cannot sell that consumer’s information for at least 12 months, after which the company can sell the consumer’s information provided that they obtain affirmative consent from the consumer to do so.
It is important to know that CCPA takes a broad view of the word “sell”, which the regulation defines as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
Based on our understanding of the regulation, if you’re running tracking scripts on your website, that’s considered to be selling personal information for purposes of CCPA.
CCPA requires that you respond to any DSAR within 45 days after receipt, which can be extended once for another 45 days provided you notify the consumer about the delay.