The California Consumer Privacy Act (“CCPA”) requires many businesses with customers in California to become compliant with certain data privacy requirements. One CCPA requirement that could be particularly challenging for businesses that sell personal information is processing “Do Not Sell My Personal Information” requests (or opt-out requests).
What is the CCPA Do Not Sell Requirement?
The CCPA provides several rights to California residents, including the right to opt-out of the sale of personal information collected by a business. Crucially, California residents have the right to tell companies to stop selling their personal information.
In order to achieve CCPA compliance, companies that sell personal information and do not qualify for an exemption for the opt-out right must implement certain protocols, such as:
1) A company must provide notice to consumers that it sells their personal information to third parties and that consumers can opt-out of such sales.
2) The company’s website must include a “Do Not Sell My Personal Information” link on its homepage, and on any other page that collects personal information, that takes consumers to a web page where they can exercise the right to opt-out of the sale of their personal information. Companies cannot require that users create an account prior to submitting opt-out requests.
4) Once a Do Not Sell request is obtained, the company must not sell that consumer’s information for at least 12 months. After this period of time the company can sell the information provided they first obtain consent from the consumer authorizing the sale of personal information.
5) The company is responsible for training staff responsible for handling customer rights inquiries and processing consumer rights requests.
Simple, right? Maybe not. In order to comply with the regulation, your company must know exactly what personal information it collects and sells, know what information belongs to which consumer, be able to navigate and target information that may be housed in multiple systems, and have a system in place to process opt-out requests.
Does My Company Need to Comply with CCPA’s Do Not Sell Requirements?
If your company is subject to CCPA, it’s also subject to the Do Not Sell requirement. Not every company is impacted by the CCPA, but any company that collects and sells the personal information of California residents, regardless of whether they’re physically present in the state, needs to have a process to comply with the Do Not Sell requirements.
Generally, your company is subject to CCPA if it:
1) Generates over $25 million in revenue,
2) Collects information of more than 50,000 Californian residents a year, or
3) Derives 50% or more of its annual revenue from selling the personal information of California residents
Am I Selling Data?
CCPA does not define “selling” in a traditional sense. According to the CCPA, selling is:
“selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
What does “valuable consideration” mean? Great question. It’s a bit vague and will likely be subject to debate as enforcement of the CCPA expands. The International Association of Privacy Professionals has a good summary on this topic, which can be located here.
How Can Your Company Comply with the CCPA’s Do Not Sell Rule?
If you’re subject to the CCPA, you’ll need to:
1) Determine what personal information you are collecting about each of your consumers and whether you are selling (as defined by the CCPA) that information
2) Notify consumers in a clear way of their right to have your company stop selling their personal information and inform them how to do so
3) Provide a “Do Not Sell My Personal Information” link on your websites; the best practice here is to have this link lead to a form where the consumer can fill out their information with their request. Some companies post an email address and a toll-free phone number, but this becomes an organizational nightmare from a management perspective
4) Document and implement procedures for responding to and fulfilling opt-out requests, as well as training personnel who handle such requests. Again, having a platform (hint: Clym!) here is very helpful, especially as your business, and the number of opt-out requests, scale
5) Maintain audit-ready records of opt-out processes and details on the fulfillment or rejection of opt-out requests to demonstrate compliance to California regulators
What if I Need to Sell Personal Information?
Many publishers and blogs rely on ad support as their primary or sole source of revenue; almost certainly these companies are subject to CCPA. If you need to sell personal information, make sure you are perfectly clear about what information you sell and why you sell it. Being as transparent as possible regarding your data management and sales practices may lead to fewer consumers who exercise their opt-out rights.