The California Consumer Privacy Act of 2018 (CCPA) aims to confer strong protection for individuals' personal data and applies to businesses that collect, use, or share consumer data. The CCPA came into effect on 1 January 2020 and enforcement began in July 2020. The CCPA is the first significant state-level data privacy legislation in the US.
An important aspect of CCPA includes its focus on transparency and provisions that limit the selling of personal information — the “Do not sell my personal information” requirement.
What is the CCPA do not sell requirement?
CCPA has certain provisions on the information organizations must provide to individuals when collecting and processing their personal information. A prominent one is CCPA’s right to opt out of the sale of personal information.
CCPA guarantees individuals the right to ask organizations to stop selling their personal information. Businesses must enable and comply with a consumer's request to opt out of the sale of personal information to third parties, subject to certain exemptions. To let consumers exercise this right, businesses have to add a clear and conspicuous “Do Not Sell My Personal Information” link to their website. But how exactly is a sale defined? Let's take a look.
What do ‘sell’ and ‘third party’ mean in the CCPA?
As per the CCPA, selling or sale of personal information includes renting, disclosing, releasing, disseminating, transferring, or communicating personal information to another business or a third party for “monetary or other valuable consideration.” Note that a sale does not have to involve a monetary payment in exchange for personal information; any other valuable consideration is enough.
A third party means a person or entity other than the business collecting personal information from consumers. However, this definition excludes anyone to whom a business discloses a consumer's personal information for a business purpose under a written contract that contains specific clauses, i.e. a service provider. When a business designates another business as a service provider, sharing personal information with that entity is not categorized as a ‘sale’. The CCPA also excludes the transfer of data to a third party in the context of a merger from the definition of sale.
What are CCPA’s opt-out requirements?
If you sell personal information and cannot rely on the exemptions under the law, you must comply with the following opt-out requirements for CCPA compliance:
- Provide a “Do Not Sell My Personal Information” link on your homepage or any webpage where you collect personal information. The same should be made accessible on a mobile application. The link should be included in your privacy notice under the consumers’ rights.
- Adhere to the consumer's request and stop selling their personal information unless the consumer subsequently provides explicit authorization for you to resume.
- Wait at least 12 months after a consumer opts out before requesting authorization to sell their personal information again.
For website owners and publishers, the safest way to comply is to make sure that they fulfil all of the “Do not sell my personal information” opt-out requirements stated above.
What are the latest amendments to CCPA?
The California Attorney General's office approved amendments to the CCPA regulations in March 2021 that ban dark patterns which have “the substantial effect of subverting or impairing a consumer's choice to opt-out”.
This is @NewYorker trying to trick Californians into not exercising their CCPA rights to bar companies from selling their personal data. Again, I hope @xavierbecerra is keeping a list of all this deceptive shit, so come July, he’ll strike with furious anger at the transgressions.
— DHH (@dhh) February 4, 2020
The amendments include the provision for an optional CCPA opt-out icon that may be used in addition to (not instead of) a “Do Not Sell My Personal Information” link; the icon can be downloaded from the Attorney General's office. The amendments also clarify how a business must facilitate a consumer's exercise of the right to opt out, and prohibit:
- An opt-out mechanism that involves more steps than are required to opt in to the sale of personal information (after a consumer has previously opted out).
- The use of confusing language such as a double negative like “Don’t Not Sell My Personal Information”.
- Requiring a consumer to click through or listen to reasons why they should not opt out.
The CCPA regulations treat unique personal identifiers like cookies, IP addresses and mobile ad IDs as personal information. As cookies can be used to recognize a device that is linked to a consumer or family, they fall under the scope of the CCPA.
Most businesses use identifiers like cookies to participate in behavioural advertising networks. The data collected via cookies that publishers and advertisers use to target ads can therefore fall under the scope of personal information.
Businesses often place tracking cookies on their websites that permit a third party (the behavioural advertising network) to track a consumer across all of the websites that participate in the network and build a profile to deliver targeted advertising. In such scenarios, when a business shares, or permits a third party to access, a consumer's personal information to buy or sell a targeted ad, it can be interpreted as a sale of personal information under the CCPA.
How can my website achieve CCPA compliance?
In July 2021, California's Office of the Attorney General released a report on the CCPA's first year of enforcement, which included a list of 27 anonymized examples of violations. More than half of the businesses received notices for non-compliant privacy policies, while over a quarter were for failing to provide a “Do Not Sell My Personal Information” link on their websites.
As enforcement is set to get stricter over time, businesses need to address these CCPA requirements and start complying. Here are three simple steps that you should implement on your site for CCPA compliance.
1. Display a “Do Not Sell My Personal Information” link
Add a clear ‘Do Not Sell My Info’ link to your website or application. The link should lead to a page that describes the purposes for which you collect users' data, whether you sell or share it with third parties, and how consumers can opt out of the sale of their personal information.
You may use the interactive privacy tool published by the California Attorney General's office to see whether your website violates the requirement for a ‘Do not sell’ link. While the tool is designed to enable consumers to notify businesses of potential CCPA violations, it can also be used to measure your own site's compliance.
2. Add a CCPA opt-out button/form
Within the ‘Do not sell’ page, include a simple opt-out form where consumers can enter only the information necessary to process the request and opt out of the sale of their data.
As per the CCPA, you should also provide alternative methods of opting out, such as by email or a toll-free number. You may also display the optional CCPA opt-out icon alongside the link (as per the latest amendments). Below are a few ‘Do not sell my personal information’ page examples. Note that websites use different methods for opt-out.
3. Provide cookie notice
CookieYes for CCPA compliance
CookieYes is a cookie consent solution that helps your website comply with privacy laws like the CCPA, GDPR and LGPD. To comply with the CCPA, you can implement a cookie banner and block cookies until the user gives consent. CookieYes automatically blocks third-party scripts until the user gives consent. Note that the CCPA itself is an opt-out regime and does not require prior consent before cookies are set, so blocking by default goes beyond the minimum; it is, however, the simplest way to guarantee that no third-party script runs for a consumer who has opted out, since a tag that has already loaded can set its cookies before any preference is checked.
You can select the cookie categories set by third parties, such as advertising cookies or analytics cookies, so that they are not set on users' devices if they opt out.
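As an added example (this is not CookieYes code and not part of the original page), the script below shows one way to gate third-party tags on a first-party opt-out cookie and to enforce the 12-month waiting period from the opt-out requirements above. The cookie name `ccpa_opt_out`, the tag URLs and the category labels are assumptions chosen for illustration; the tag inventory is constructed inline so the module runs offline.

```javascript
// Added example: a minimal CCPA opt-out gate for third-party tags.
// Not CookieYes code. The cookie name and tag URLs are placeholders.
const OPT_OUT_COOKIE = "ccpa_opt_out";            // hypothetical cookie name
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;
const TWELVE_MONTHS_MS = ONE_YEAR_SECONDS * 1000;

// Constructed tag inventory. On the article's reading, advertising and
// analytics tags are the ones that can amount to a "sale"; the first-party
// application bundle is loaded regardless of opt-out state.
const TAGS = [
  { category: "advertising", src: "https://ads.example/tag.js" },
  { category: "analytics",   src: "https://analytics.example/a.js" },
  { category: "necessary",   src: "https://cdn.example/app.js" },
];

// Parse a Cookie header / document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    const raw = part.slice(eq + 1).trim();
    try { out[name] = decodeURIComponent(raw); }
    catch (e) { out[name] = raw; }                 // tolerate malformed escapes
  }
  return out;
}

// The opt-out cookie stores the Unix time (ms) at which the consumer opted
// out, so one value answers both "is this consumer opted out?" and "has the
// 12-month re-request window elapsed?". Non-numeric values are ignored.
function optOutTime(cookieString) {
  const raw = parseCookies(cookieString)[OPT_OUT_COOKIE];
  if (raw === undefined) return null;
  const t = Number(raw);
  return Number.isFinite(t) && t > 0 ? t : null;
}

function hasOptedOut(cookieString) {
  return optOutTime(cookieString) !== null;
}

// Tags that may be loaded for this consumer: once an opt-out is recorded,
// everything that is not strictly necessary is dropped.
function allowedTags(cookieString, tags = TAGS) {
  const optedOut = hasOptedOut(cookieString);
  return tags.filter((t) => t.category === "necessary" || !optedOut);
}

// Set-Cookie value that records an opt-out in a single step: first-party,
// persistent for a year, HTTPS-only and not attached to cross-site requests.
function optOutCookie(nowMs) {
  return `${OPT_OUT_COOKIE}=${nowMs}; Max-Age=${ONE_YEAR_SECONDS}; Path=/; Secure; SameSite=Lax`;
}

// The regulations, as the article describes them, bar asking an opted-out
// consumer to authorize sale again for 12 months. True only once that window
// has passed, or when no opt-out is on record.
function mayRequestAuthorization(cookieString, nowMs) {
  const t = optOutTime(cookieString);
  return t === null || nowMs - t >= TWELVE_MONTHS_MS;
}

// Browser side: inject only the allowed <script> elements and return what
// was loaded. Guarded so the module also loads under Node.
function loadAllowedTags(doc, cookieString) {
  const loaded = [];
  for (const tag of allowedTags(cookieString)) {
    const el = doc.createElement("script");
    el.src = tag.src;
    el.async = true;
    doc.head.appendChild(el);
    loaded.push(tag.src);
  }
  return loaded;
}

if (typeof document !== "undefined") {
  loadAllowedTags(document, document.cookie);
}
```

Two practical caveats: a preference held only in a cookie disappears when the consumer clears cookies or changes browsers, so a consent platform normally mirrors the opt-out server-side against an account or request record as well; and the gate has to run before any third-party tag is inserted into the page, because a tag that has already executed can set its cookies regardless of what the gate later decides.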
FAQ on CCPA
Does CCPA require EU-style cookie banners?
Is the CCPA applicable to all states?
The CCPA only protects California residents, but it covers any company that “does business” in California. A company might be considered to do business in California even if it merely operates a website that is used by California residents. Therefore, businesses can be subject to the CCPA even if they operate in another state and lack a physical presence in California. This means the California ‘do not sell’ rule applies to any website that caters to residents of the state.
Who is subject to CCPA?
The CCPA applies to a for-profit organization that collects personal information of residents of California and meets any of the following thresholds:
- Has annual gross revenue over $25 million
- Buys, receives, sells or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes
- Derives 50% or more of its annual revenues from selling consumers’ personal information
Who is exempt from CCPA?
The CCPA provides several specific carve-outs from its scope of application. It does not apply to:
- Medical information or protected health information governed by California and federal health information privacy laws.
- Clinical trial information subject to the Federal Policy for the Protection of Human Subjects.
- Personal information regulated by the Fair Credit Reporting Act (FCRA).
What is considered personal information under CCPA?
The CCPA defines personal information very broadly: it includes any information that directly or indirectly identifies, describes, relates to, or can reasonably be linked to a particular consumer or household. Identifiers such as a real name, alias, postal address, email address, unique personal or online identifier, characteristics like race, religion, gender, national origin, or sexual orientation, and biometric information are all considered personal information.
Information related to any internet or other electronic network activity including browsing history, search history or information collected via consumer’s interaction with a website, application, or advertisement, and geolocation data are also considered personal information in CCPA. Personal information does not include publicly available information that is lawfully made available from federal, state, or local government records.
Who enforces the CCPA?
The State of California Department of Justice – Office of the Attorney General enforces the CCPA and has the power to issue fines for non-compliance. The Department will send out a 30-day ‘notice to cure’ to businesses that fail to comply with the CCPA.
What are the penalties for violating CCPA?
The CCPA provides that any business that violates its provisions will be subject to a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation. The civil action is brought by the Attorney General in the name of the people of the State of California. The CCPA also has a private right of action for certain data breaches, under which consumers can claim statutory damages of between $100 and $750 per consumer per incident, or actual damages if greater.
What is CPRA and does it replace CCPA?
The California Privacy Rights Act (CPRA) amends the CCPA and becomes enforceable from July 1, 2023. Until then the CCPA remains the primary governing legislation in California. The CPRA strengthens some requirements and consumer rights, brings California more in line with GDPR-like legislation, and creates a new enforcement agency, the California Privacy Protection Agency.
Read this guide to California Privacy Rights Act (CPRA)