CCPA’s Do Not Sell My Personal Information Requirement Continues to Confuse Companies
The California Consumer Protection Act (“CCPA”) was implemented almost a full year ago, and yet one of the most important part of the regulation is still one of its most misunderstood; the “do not sell my personal information” (“DNS”) requirement. Many companies think that “selling” information is something that only companies like Facebook and Google do, but given the broad language used by CCPA, companies outside of the tech sector need to be aware of this CCPA requirement so as to not run afoul of the regulation and be subject to penalties.
Is My Business Selling Personal Information?
Most businesses initially take the position that they are not selling personal information, however it’s important to understand what a “sale” is under CCPA. For purposes of CCPA, a sale is defined as
“selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
Because the CCPA does not clearly define “valuable consideration,” this leaves some gray area for businesses to interpret, however given this broad definition it’s likely that the California Attorney General will adopt an expansive view of this topic so that the usage of website cookies and tracking scripts, which collect personal information in the form of IP addresses, qualifies as a sale for valuable consideration.
If your business is selling information using CCPA’s definition, then you should know that the CCPA provides several rights to California residents, including the right to opt-out of the sale of personal information, meaning they can prevent businesses from selling their personal information, unless those businesses qualify for an exemption.
How Do I Comply with the DNS Requirement?
If your business is selling information for purposes of CCPA, you should:
- Determine what information you are collecting and selling.
- Provide notice to consumers that you sell personal information to third parties and that consumers have the right to opt-out of such sales (generally within your privacy policy).
- Post a “Do Not Sell My Personal Information” link on your website that takes consumers to a page where they can exercise the right to opt-out of the sale of their personal information. Provide this link on its homepage and any page that collects personal information, or on its application’s platform or download page.
- Empower consumers to submit opt-out requests without having to create an account.
- Inform consumers of their right to opt-out and provide the do not sell link in its online privacy policy or any other California-specific description of rights.
- Respect the consumer’s decision for at least 12 months. After this time the business can ask the consumer to authorize the sale of personal information, but may not do so without that consumer’s consent.
- Establish procedures for responding to and fulfilling opt-out requests, as well as training personnel who handle such requests. For instance, businesses may consider automating the opt-out request process.
- Maintain records of opt-out processes and details on the fulfillment or rejection of opt-out requests to demonstrate CCPA compliance and accountability.
- Train individuals responsible for handling customer rights inquiries and processing consumer rights requests.
How Can Clym Help?
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with LGPD, GDPR, CCPA and other laws, including those in the UK, as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt-out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.