California Consumer Privacy Act, CCPA, Compliance, Cookies, Data Privacy, Do Not Sell, Do Not Sell Personal My Personal Information, Personal Data, Personally Identifiable Information, PII, Privacy Policy

CCPA ‘Do Not Sell’ Provision

Under the CCPA, one of the more challenging requirements for businesses is the compliance with Do Not Sell requests. The Do Not Sell My Personal Information rules permits residents of California the right to tell businesses not to sell their personal data.

Are you Required to Comply?

Typically all large and medium-sized businesses will be required to comply, along with many small businesses. Businesses subject to the CCPA include those with:

  • annual revenue about $25M and
  • those that derive more than 50% of their revenue from selling consumers’ personal information

Also subject are businesses that annually buy, receive, sell, or share the data of 50,000+ consumers, households, or devices.

Examples of businesses that collect personal information could include: publishers that use cookies to display targeted ads to website visitors, eCommerce stores that store credit card data of consumers to process payment transactions, and really any business that collects email addresses as part of a sales funnel.

What does Selling Data Mean?

Under the CCPA, the definition of ‘sell’ is broad and includes an array of transactions: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

Do not make the mistake of thinking that just because your primary business purpose is not the buying/selling of data, that this provision does not apply to you.

What are the Requirements?

  • websites must have a page called Do Not Sell My Personal Information that allows consumers to opt-out of the sale of their personal information
  • the Do Not Sell My Personal Information site must be linked on the homepage, open and visible to all site visitors
  • consumers and site visitors must be able to make the request to opt-out of the sale of personal information without having to create an account or registering in any way
  • the website must have a privacy policy that describes the consumer’s rights and includes a link to the Do Not Sell page
  • the website/business must honor the consumer’s decision and not sell their data for at least 12 months. After this time, the business may ask the consumer to allow the sale of personal information.To manage this businesses need to ensure that:
    • all of the personal data they currently store on that consumer does not get sold and
    • any new personal data the business gathers on that consumer does not get sold.

What Does this Language Look Like?

“Do Not Sell” Choice

ABC Business provides the “Do Not Sell My Personal Information” link to comply with the CCPA. For more information about why ABC’s apps and websites contain the “Do Not Sell My Personal Information” link and what happens if you tell ABC not to “sell” your personal data, please click here. We give you the option to opt out of these sales at any time by following this “Do Not Sell My Personal Information” link. The link is also available on our websites and mobile apps.

Compliance Checklist

  • Know what personal data is being collected and stored about each of your customers
  • Is any of the collected data being sold to third-parties?
  • Provide a way for customers to request that your business does not sell their personal information – implement the Do Not Sell link or button on your website’s homepage
  • implement a process by which all Do Not Sell requests are fulfilled and opt-out request are easy to make
  • written out, detailed internal processes to show governing bodies in the event of an audit or data breach
Share this:

Leave a Reply