ISACA NOW BLOG

CCPA’s Do Not Sell: It’s Here, But What Does It Mean?

Author: Alex Bermudez | CIPP/E, CIPM, Privacy Solutions Consulting Manager, Atlanta, GA, USA
Date Published: 22 January 2020

So, the California Consumer Privacy Act (CCPA) went into effect – and the world didn’t burn. Companies have many issues to contend with, but one in particular has presented challenges to businesses that sell personal information. "Do not sell my personal information" requests (or opt-out requests), and confusion around what these really are, have many business leaders scratching their heads.

What is the CCPA Do Not Sell Requirement?
The CCPA provides several rights to California residents, including the right to opt out of the sale of personal information. Specifically, California residents have the right to direct businesses to stop selling their personal information.

Businesses that sell personal information and do not qualify for an exemption for the opt-out right must take several different actions to comply with the CCPA.

More specific instructions are as follows:

1. A business must provide notice to consumers that it sells consumers’ personal information to third parties and that consumers have the right to opt out of such sales.

2. The business’s website must post a “do not sell my personal information” link that takes consumers to a web page where they can exercise the right to opt out of the sale of their personal information.

3. The business must provide this link on its homepage and any page that collects personal information, or on its application’s platform or download page.

4. Users must be able to submit opt-out requests without having to create an account.

5. The business must inform consumers of their right to opt out and provide the “do not sell” link in its online privacy policy or any other California-specific description of rights.

6. The business must respect the consumer’s decision for at least 12 months. After this time, the business can ask the consumer to authorize the sale of personal information.

7. The business must train individuals responsible for handling customer rights inquiries and processing consumer rights requests.

Like many rules in the CCPA, this individual rule may seem easy to comprehend, but it poses a lot of challenges for businesses and consumers alike. These challenges include knowing exactly what personal information your business collects and sells, knowing what information belongs to which consumer, navigating and targeting information that lives in decentralized systems, and having a system in place to process opt-out requests.

Does My Business Need to Comply with CCPA Do Not Sell?
Not every business is impacted by the CCPA, but any business that collects and sells the personal information of California residents (including a business without a physical presence in the state) needs to have a process to comply with the “do not sell my personal information” right.

If your business generates over US$25 million in revenue, collects information of more than 50,000 California residents a year, or derives 50% or more of its annual revenue from selling the personal information of California residents, then the CCPA will impact your business.

What Does “Sell” Mean?
According to the CCPA, selling is: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

Because the CCPA does not clearly define “valuable consideration,” businesses are left with some gray area to interpret.

How Can Your Business Comply with the CCPA “Do Not Sell” Rule?
New and evolving digital marketing properties and practices pose unique compliance challenges to businesses with respect to the “do not sell” requirements. In particular, businesses need to do the following:

  • Determine exactly what personal information they are collecting about each of their consumers and whether they are sharing or selling that personal information, or a part thereof, to third parties.
  • Clearly notify consumers of their right to direct businesses to stop selling their personal information and inform them how to do so.
  • Provide ways for consumers to direct businesses to not sell their personal information, including posting a “Do Not Sell My Personal Information” link on their websites. For example, the proposed CCPA regulations issued by the California Attorney General (AG) require, at a minimum, an interactive webform for submitting requests. Other acceptable methods include, among others, an email address and a toll-free phone number.
  • Establish procedures for responding to and fulfilling opt-out requests, as well as training personnel who handle such requests. For instance, businesses may consider automating the opt-out request process.
  • Maintain records of opt-out processes and details on the fulfillment or rejection of opt-out requests to demonstrate CCPA compliance and accountability.

What If I Need to Sell Personal Information?
If you’re a publisher or a blog that relies on ad support, this section of the law applies to you. If you need to sell personal information, make sure you are perfectly clear about what information you sell and why you sell it. Being more transparent about your selling practices may lead to fewer consumers who exercise their opt-out rights.

Author’s note: For more CCPA resources from OneTrust, visit www.onetrust.com/ccpa-compliance.
