What Does 'Do Not Sell or Share My Personal Information' Mean in CCPA/CPRA?
In this article we are taking a look at the CCPA / CPRA’s "Do Not Sell or Share My Personal Information" requirement, which gives many businesses headaches, and we’re offering you a way to avoid that for your business.
The CCPA / CPRA’s "Do Not Sell or Share My Personal Information" requirement poses a challenge: businesses must accurately identify and map all personal information they collect, sell, or share, and have proper processes in place to handle opt-out requests from California residents.
This involves significant effort in updating websites, training staff, and ensuring all personal data handling practices are in line with CCPA regulations.
Clym offers a solution to this by providing a compliance management tool (CMP) that simplifies the management of consumer data requests and ensures that businesses can easily adhere to the regulations.
The California Consumer Privacy Act (CCPA), one of the strictest privacy laws in existence, requires businesses that operate in or work with customers in California to comply with a series of data privacy requirements. With the coming into effect of the California Privacy Rights Act, or CPRA, these requirements have been developed further in the form of extra consumer privacy rights. We have discussed the changes to California’s data privacy landscape that the CPRA brought in a related blog post.
Among these, there is one CCPA requirement that can turn out to be particularly challenging to businesses that sell personal information. This requirement revolves around the way businesses have to process Do Not Sell or Share My Personal Information requests (or opt-out requests).
In this article we take a look at what these requests are and what they mean for your organization, as well as how Clym helps businesses with their CCPA/CPRA compliance.
What does "Do Not Sell or Share My Personal Information" mean?
The phrase "Do Not Sell or Share My Personal Information" allows California residents to opt-out of having their personal data sold or shared by a business. This right is a fundamental part of the CCPA and CPRA, emphasizing consumer control over personal information.
The CCPA provides several rights to California residents, including the right to opt-out of the sale and sharing of personal information collected by a business. In essence, California residents have the right to tell companies to stop selling their personal information.
In order to achieve CCPA compliance, if your company sells and shares personal information and does not qualify for an exemption for the opt-out right, it must implement certain protocols, such as:
- Providing notice to consumers that it sells and shares their personal information to third parties and that consumers can opt-out of such selling and/or sharing.
- Including a “Do Not Sell or Share My Personal Information” link on the homepage and every other page that collects personal information, which takes consumers to a web page where they can exercise the right to opt-out of the sale and sharing of their personal information. Companies cannot require that users create an account prior to submitting opt-out requests.
- Once a Do Not Sell or Share request is obtained, the company must not sell or share that consumer’s information for at least 12 months. After this period of time the company can sell or share the information provided they first obtain consent from the consumer authorizing the sale or sharing of personal information.
- The company is responsible for training staff responsible for handling customer rights inquiries and processing consumer rights requests.
In order to comply with the regulation, your company must know exactly what personal information it collects, sells, and shares, know what information belongs to which consumer, navigate and target information that may be housed in multiple systems, and have a system in place to process opt-out requests.
What is the difference between "Do Not Sell My Personal Information" vs "Do Not Sell or Share My Personal Information" in CCPA?
Originally, the CCPA included the "Do Not Sell My Personal Information" provision. The CPRA expanded this to "Do Not Sell or Share My Personal Information," broadening the scope to include the sharing of personal information for cross-context behavioral advertising, not just its sale.
So in the context of the California Consumer Privacy Act (CCPA), both "Do Not Sell My Personal Information" and "Do Not Sell or Share My Personal Information" are expressions used to convey a consumer's choice regarding the use of their personal information. When it went into effect back in 2020, the CCPA required businesses to allow consumers to opt-out of the sale of their personal information by following the steps outlined above. With the expansion brought on by the CPRA, which went into effect on January 1, 2023, this opt-out consumer right now extends also to the sharing of personal information.
Prior to 2023 businesses already using Clym’s compliance solution were able to display the “Do Not Sell My Personal Information” link in the footer of their website. This link has been automatically updated in line with the development of the CCPA to now display as "Do Not Sell or Share My Personal Information," facilitating businesses’ compliance with California’s consumer privacy law.
What is Personal Information Under the CCPA?
Under the CCPA, personal information encompasses data that identifies, relates to, describes, or could be linked with a specific consumer or household. This broad definition includes identifiers like IP addresses, browsing history, and geolocation data, among others.
The CCPA’s definition of ‘personal information’ is as follows:
“Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any personal information described in subdivision (e) of Section 1798.80.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
(L) Sensitive personal information.
(2) “Personal information” does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern. For purposes of this paragraph, “publicly available” means: information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.
(3) “Personal information” does not include consumer information that is deidentified or aggregate consumer information.
What are the requirements of the “Do Not Sell or Share My Personal Information”?
Businesses must provide a clear and conspicuous link titled “Do Not Sell or Share My Personal Information” on their website's homepage, allowing consumers to opt-out of the sale or sharing of their personal information.
By using Clym, your customers are able to submit their “Do Not Sell or Share My Personal Information” requests with ease. This process is fully automated, meaning that our system will send customers a verification email and can recognize if they're in the scope of submitting such a request. What this means for your company is that once such a request has been submitted and verified, you can then easily manage the opt-out requests in one place. Moreover, our system will ensure that you don’t miss any deadlines for handling these requests by sending you a series of email notifications ahead of time to facilitate your compliance with the CCPA.
What is the process for handling a "Do Not Sell or Share My Personal Information" Request?
Upon receiving a request, your business must act within a specific timeframe to comply and confirm that it will not sell or share the requester’s personal information. The process of handling a "Do Not Sell or Share My Personal Information" request under the CCPA/CPRA involves several specific steps:
- Verification of the Request: First, you must verify the identity of the individual making the request to ensure they are indeed the subject of the personal information in question.
- Responding to the Request: After verification, you must promptly acknowledge receipt of the request.
- Reviewing the Request: You need to review the request to determine whether it falls under the scope of the CCPA/CPRA. This includes assessing whether your company actually sells or shares the individual's personal information.
- Implementing the Request: If your company does sell or share the individual's information, it must take immediate steps to stop doing so. This involves updating internal systems and notifying third parties to whom the data has been sold or shared.
- Timeframe for Compliance with a Do Not Sell or Share My Personal Information request: The CCPA mandates that businesses must comply with a verified consumer request within 45 days of receiving it. This period can be extended by another 45 days when reasonably necessary, provided the consumer is informed.
- Confirmation to Consumer: Once the request has been implemented, you should communicate to the consumer that you have complied with their request.
- Record-Keeping: Businesses are required to maintain records of these requests and their responses for at least 24 months for accountability and auditing purposes.
Clym’s all-in-one platform provides consumers with an effective and user-friendly way to opt-out of data collection, which is a crucial aspect of CCPA/CPRA compliance, and businesses with an audit-ready trail which allows them to manage all their opt-out requests under CCPA in an efficient and cost-effective way.
What is a typical example for the implementation of the Do Not Sell or Share My Personal Information?
A typical example for the implementation of the Do Not Sell or Share My Personal Information requirement is a clear, user-friendly link on your company’s website, often found in the footer or header. This link typically directs users to a dedicated page where they can easily opt-out of the sale or sharing of their personal data. The page should provide a simple and straightforward mechanism for users to exercise their rights without unnecessary complexity.
Additionally, this page often includes detailed information about what it means to opt-out, the types of data collected, and how it is used or shared. Some businesses also incorporate an FAQ section to address common questions and concerns about data privacy and the opt-out process.
The goal is to provide a transparent, accessible way for consumers to control their personal information, in line with CCPA/CPRA regulations. This approach not only ensures legal compliance but also builds trust with your customers by demonstrating your commitment to protecting their privacy.
Clym helps your business provide consumers residing in California with a specific link in the footer of your website’s pages, the “Do not sell or share my personal information” link mandated by the CCPA. This link allows your customers coming from California to quickly submit a "Do not sell or share my personal information" request. Having this on your website is a legal requirement as long as you are serving customers coming from California, United States of America.
Does My Company Need to Comply with CCPA’s Do Not Sell Requirements?
If your company does business in California and meets certain criteria regarding revenue, data processing, or selling consumer data, compliance with the CCPA's "Do Not Sell" requirements is necessary. This means that if your company is subject to CCPA, it’s also subject to the Do Not Sell or Share requirement. Not every company is impacted by the CCPA, but any company that collects and sells the personal information of California residents, regardless of whether they’re physically present in the state, needs to have a process to comply with the Do Not Sell requirements.
Generally, your company is subject to CCPA if it:
- Generates over $25 million in revenue,
- Collects information of more than 50,000 California residents a year, or
- Derives 50% or more of its annual revenue from selling the personal information of California residents.
Clym’s privacy experts can help you find the best compliance solution for you and your business, tailored to your specific needs. If you are unsure whether the scope of application of California’s CCPA extends to your business, simply reach out to us today.
What does Selling or Sharing Personal Data mean according to CCPA / CPRA?
In order to determine whether you qualify as a business that sells or shares personal data, you should first understand how the CCPA defines the sale and the sharing of personal data. That being said, the CCPA does not define “selling” in a traditional sense. According to the CCPA, selling is:
“selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
Moving on to “sharing,” the CCPA defines this as:
“sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
Most likely your next question will be: What does valuable consideration mean?
That is a great question!
This concept is a bit vague and likely will be subject to debate as enforcement of the CCPA expands. The International Association of Privacy Professionals has a good summary on the topic of valuable consideration under the CCPA.
In the context of the California Consumer Privacy Act (CCPA), "valuable consideration" refers to the exchange of something of value between a business and a consumer. Specifically, under the CCPA, the term is associated with the "sale" or "sharing" of personal information.
Valuable consideration in this context then refers not only to monetary transactions but also to any exchange of goods, services, discounts, or other benefits that have value. Therefore, if your business receives any form of compensation or benefit in exchange for sharing or disclosing a consumer's personal information, this is considered a sale or a sharing of personal information under the CCPA, and the consumer has the right to opt-out of such transactions.
How can my company comply with the CCPA’s Do Not Sell or Share My Personal Information rule?
To comply with the CCPA's "Do Not Sell or Share My Personal Information" rule, your company should first understand what data is being collected and whether it falls under the category of 'selling' or 'sharing'.
Implement clear procedures for users to opt-out of their data being sold or shared, typically through a visible link on your website.
Ensure this process is easy and straightforward.
Additionally, maintain records of these requests for compliance and auditing purposes.
Compliance with this rule not only aligns with legal requirements but also demonstrates a commitment to consumer privacy and trust.
Where to place the "Do Not Sell or Share My Personal Information" link?
What if I Need to Sell Personal Information?
Many publishers and blogs rely on ad support as their primary or sole source of revenue; almost certainly these companies are subject to CCPA. If you need to sell personal information, make sure you are perfectly clear about what information you sell and why you sell it.
Being as transparent as possible regarding your data management and sales practices may lead to fewer consumers who exercise their opt-out rights.
How Clym Can Help with "Do Not Sell or Share My Personal Information" Requests?
Clym offers a versatile solution for businesses to meet their data privacy and accessibility compliance requirements, particularly in alignment with regulations like the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
Our compliance solution is designed to handle compliance across a global spectrum, encompassing laws such as GDPR, CPRA, and PIPEDA. What makes Clym stand out is our user-friendly opt-out mechanism for data collection, an essential aspect of CCPA/CPRA compliance. This feature is smartly integrated into websites, ensuring that user experience remains fluid and business revenue generation is not impacted.
Moreover, Clym's platform is not just about legal adherence; it enhances website accessibility, aligning with various global regulations and ensuring a broader audience can interact seamlessly with your website.
In addition to these features, Clym's Cookie Consent Manager streamlines the management of Data Subject Access Requests (DSARs), simplifying compliance with over 40 international data privacy laws. This includes major laws like GDPR in Europe and LGPD in Brazil.
Clym’s platform automatically updates to accommodate changes in data privacy laws, relieving businesses from the constant need to monitor and manually log data subject requests. Clym’s holistic approach combines privacy and accessibility compliance into a single, cost-effective platform, providing benefits such as seamless website integration, adaptability to different user locations and laws, customizable branding, and preconfigured accessibility profiles.
By choosing Clym, businesses can not only comply with the necessary regulations but also enhance their digital presence, making their website accessible and user-friendly for a diverse audience.
FAQs about CCPA/CPRA's Do Not Sell or Share My Personal Data
What does the CCPA / CPRA’s "Do Not Sell or Share My Personal Information" requirement mean for my business?
This requirement mandates businesses to allow California residents to opt-out of the sale or sharing of their personal information. It involves accurately mapping all personal information collected, sold, or shared, and implementing processes for handling opt-out requests.
What is considered "personal information" under the CCPA?
Personal information includes data that identifies, relates to, describes, or could be linked with a specific consumer or household, such as names, addresses, IP addresses, browsing history, and more.
How can my business handle "Do Not Sell or Share My Personal Information" requests?
Upon receiving a request, verify the requester's identity, acknowledge receipt, review the request’s scope under CCPA/CPRA, implement the request by stopping the sale or sharing of the individual's information, and confirm compliance to the consumer.
Where should the "Do Not Sell or Share My Personal Information" link be placed on my website?
What if my business needs to sell personal information?
If selling personal information is essential for your business, ensure transparency about what information is sold and why. Clearly communicate your data management practices to potentially reduce the number of opt-out requests.
Does my company need to comply with the CCPA’s "Do Not Sell" requirements?
If your company operates in California, meets certain revenue or data processing criteria, or sells consumer data, compliance with CCPA's "Do Not Sell" requirements is necessary. Clym’s experts can help determine if your business is affected and assist in compliance.
How does Clym simplify CCPA / CPRA compliance for businesses?
Clym offers a compliance management tool that automates the management of consumer data requests, making it easier for businesses to adhere to regulations. It includes features for displaying a “Do Not Sell or Share My Personal Information” link on websites and managing opt-out requests efficiently.