The California Consumer Privacy Act of 2018 (CCPA) aims to confer strong protection for individuals' personal data and applies to businesses that collect, use, or share consumer data. The CCPA came into effect on 1 January 2020 and enforcement began in July 2020. The CCPA is the first significant state-level data privacy legislation in the US.

An important aspect of CCPA includes its focus on transparency and provisions that limit the selling of personal information — the “Do not sell my personal information” requirement. 

What is the CCPA do not sell requirement?

The CCPA has certain provisions on the information organizations must provide to individuals when collecting and processing their personal information. A prominent one is the CCPA's right to opt out of the sale of personal information.

The CCPA guarantees individuals a right to ask organizations to stop selling their personal information. Businesses must enable and comply with a consumer's request to opt out of the sale of personal information to third parties, subject to certain exemptions. To enable consumers to exercise their right to opt out, businesses have to add a clear and conspicuous "Do Not Sell My Personal Information" link on their website. But how exactly is "sale" defined? Let's take a look.

What does ‘sell’ and ‘third-party’ mean in the CCPA?

As per the CCPA, selling or sale of personal information includes renting, disclosing, releasing, disseminating, transferring, or communicating personal information to another business or a third party for "monetary or other valuable consideration." Note that a sale under this definition does not have to involve a payment made in exchange for personal information.

Third party means a person or entity other than the business collecting personal information from consumers. However, this definition excludes anyone to whom a business discloses a consumer's personal information for a business purpose under a written contract that contains specific clauses, i.e., a service provider. When a business designates another business as a service provider, sharing personal information with that entity is not categorized as a "sale". The CCPA also excludes the transfer of data to a third party in the context of a merger from the definition of sale.

What are CCPA’s opt-out requirements?

If you sell personal information and cannot rely on the exemptions under the law, you must comply with the following opt-out requirements for CCPA compliance: 

  • Provide a “Do Not Sell My Personal Information” link on your homepage or any webpage where you collect personal information. The same should be made accessible on a mobile application. The link should be included in your privacy notice under the consumers’ rights.
  • Businesses should honour the consumer's request and stop selling their personal information unless the consumer subsequently provides explicit authorization to resume.
  • Businesses should also wait at least 12 months after a consumer opts out before requesting authorization to sell their personal information again.

For website owners and publishers, the foolproof way to comply is to ensure that they fulfil all of the "Do not sell my personal information" opt-out requirements stated above.

What are the latest amendments to CCPA?

The California Attorney General's office passed amendments to the CCPA regulations in March 2021 that banned dark patterns that have "the substantial effect of subverting or impairing a consumer's choice to opt-out".

The amendments include the provision for an optional CCPA opt-out icon that may be used in addition to a "Do Not Sell My Personal Information" link. The icon can be downloaded here. The amendment also clarifies how a business must facilitate a consumer's ability to exercise their right to opt out, and prohibits:

  • An opt-out mechanism that involves more steps than what is required to opt-in to the sale of personal information (after a consumer has previously opted out).
  • The use of confusing language such as a double negative like “Don’t Not Sell My Personal Information”.
  • Requiring a consumer to click through or listen to reasons why they should not opt out.
  • Requiring the consumer to search or scroll through the text of the privacy policy or similar document to locate the opt-out link.

Does the use of cookies constitute the sale of personal information?

The CCPA regulations consider unique personal identifiers such as cookies, IP addresses and mobile ad IDs to be personal information. As cookies can be used to recognize a device that is linked to a consumer or family, they fall under the scope of the CCPA.

Most businesses use identifiers like cookies to participate in behavioural advertising networks. The data collected via cookies that publishers and advertisers use to target ads can therefore fall under the scope of personal information. 

Businesses often place tracking cookies on their website that permit a third party (the behavioural advertising network) to track a consumer across all of the websites that participate in the network and build a profile to deliver targeted advertising. In such scenarios, when a business shares or permits a third party to access a consumer's personal information to buy or sell a targeted ad, it can be interpreted as the sale of personal information under the CCPA.

How can my website achieve CCPA compliance?

In July 2021, California's Office of the Attorney General released a report on the CCPA's first year of enforcement, which included a list of 27 anonymized examples of violations. More than half of the businesses received notices for non-compliant privacy policies, while over a quarter were for failing to provide a "Do Not Sell My Personal Information" link on their websites.

As enforcement is set to get stricter over time, businesses need to address these CCPA requirements and start complying. Here are 4 simple steps that you should implement on your site for CCPA compliance.

1. Display a “Do Not Sell My Personal Information” link

Add a clear "Do Not Sell My Info" link on your website or application. The link should lead to a page that describes the purposes for which you collect users' data, whether you are selling or sharing it with third parties, and how consumers can opt out of the sale of their personal information.

Lufthansa has a clear "Do Not Sell My Info" link in its website's footer.

You may use this interactive privacy tool by the California Attorney General's office to see whether your website violates the requirement for a "Do not sell" link. While the tool is designed to enable consumers to report potential CCPA violations, it can also be used to measure your own site's compliance.

2. Add a CCPA opt-out button/form

Within the "Do not sell" page, you should include a simple opt-out form where consumers can enter only the necessary information and opt out of the sale of their data.

The CCPA opt-out form on The Atlantic's "Do Not Sell My Personal Information" page.

As per the CCPA, you should also provide alternative methods of opting out, such as via email or a toll-free number. You may implement a simpler mechanism such as a CCPA opt-out button (as per the latest amendment). Below are a few "Do not sell my personal information" page examples. Note that websites use different methods for opt-out.

Fox News uses a "Do Not Sell My Personal Information" button to enable users to opt out.
Politico uses a cookie settings button to enable opt-out.
Marriott uses a simple opt-out form that caters to both the CCPA and Nevada's privacy laws.

3. Provide cookie notice

If your business permits third-party businesses to collect information about users' activity on your websites and apps, for example through cookies, mobile ad identifiers, pixels, web beacons and social network plugins, you can set up an opt-out notice. Your website can display this notice on a user's first visit. An opt-out cookie notice should disclose to users that the website deploys cookies and give them a mechanism for declining the use of cookies. You can also link your cookie policy or the "Do not sell" page from your cookie notice.

CookieYes for CCPA compliance

CookieYes is a cookie consent solution that will help your website get compliant with privacy laws like the CCPA, GDPR and LGPD. To comply with CCPA, you can implement a cookie banner and block cookies until the user gives consent. CookieYes will automatically block third-party scripts until the user gives consent.

CCPA compliant cookie notice from CookieYes.
CCPA compliant "Do not sell" opt-out notice from CookieYes.

You can select the cookie categories set by third parties, such as advertising cookies or analytics cookies, so they are not set on users' devices if they opt out.

On CookieYes, you can select the cookie categories that are shared with third parties so they are not set on the user's browser once they opt out.
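The opt-out notice in step 3 and the category blocking described above both come down to one piece of browser logic: remember that the visitor opted out, and refuse to activate the advertising and analytics scripts that share identifiers with third parties. The following is an added example, not code from the original post or from CookieYes. It assumes a first-party cookie named `ccpa_opt_out`, scripts declared inert with `type="text/plain"` plus `data-category` and `data-src` attributes, and the two category names `advertising` and `analytics` as the ones suppressed by an opt-out; all of these are assumptions made for this example.

```javascript
// Added example (not from the original post or CookieYes): a minimal
// "Do Not Sell" gate that keeps advertising/analytics scripts from running
// once a visitor has opted out, and records the opt-out in a cookie.
// Cookie name, script markup and category names are assumptions.

const OPT_OUT_COOKIE = 'ccpa_opt_out'; // assumed first-party cookie name

// Categories whose scripts share identifiers with third parties and so must
// be suppressed after an opt-out. Anything else is treated as strictly
// necessary and always allowed.
const SALE_CATEGORIES = new Set(['advertising', 'analytics']);

// Parse a document.cookie style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue; // skip malformed fragments
    const name = part.slice(0, idx).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return cookies;
}

function hasOptedOut(cookieString) {
  return parseCookies(cookieString)[OPT_OUT_COOKIE] === '1';
}

// A script may run if its category is not a "sale" category, or if the
// visitor has not opted out.
function isAllowed(category, optedOut) {
  return !SALE_CATEGORIES.has(category) || !optedOut;
}

// From a list of declared scripts [{src, category}], return those to load.
function selectScripts(declared, cookieString) {
  const optedOut = hasOptedOut(cookieString);
  return declared.filter(s => isAllowed(s.category, optedOut));
}

// Cookie string recording an opt-out. The 12 month lifetime mirrors the
// period a business must wait before asking for authorization again; the
// lifetime itself is a design choice of this example, not a legal reading.
function optOutCookieValue(nowMs) {
  const expires = new Date(nowMs + 365 * 24 * 60 * 60 * 1000).toUTCString();
  return `${OPT_OUT_COOKIE}=1; Expires=${expires}; Path=/; SameSite=Lax; Secure`;
}

// Browser glue. Scripts are declared inert in the page, e.g.
//   <script type="text/plain" data-category="advertising"
//           data-src="https://ads.example/tag.js"></script>
// and are turned into real <script> tags only when allowed. Returns the
// number of scripts activated; does nothing outside a browser.
function activateDeclaredScripts() {
  if (typeof document === 'undefined') return 0;
  const nodes = Array.from(
    document.querySelectorAll('script[type="text/plain"][data-category][data-src]')
  );
  const declared = nodes.map(el => ({ el, src: el.dataset.src, category: el.dataset.category }));
  const allowed = selectScripts(declared, document.cookie);
  for (const { el, src } of allowed) {
    const live = document.createElement('script');
    live.src = src;
    el.parentNode.replaceChild(live, el);
  }
  return allowed.length;
}

// Handler for the "Do Not Sell My Personal Information" button or form.
function recordOptOut() {
  if (typeof document === 'undefined') return;
  document.cookie = optOutCookieValue(Date.now());
}

// Constructed sample: the scripts a publisher's page might declare.
const SAMPLE_SCRIPTS = [
  { src: 'https://ads.example/tag.js',   category: 'advertising' },
  { src: 'https://stats.example/hit.js', category: 'analytics' },
  { src: '/static/app.js',               category: 'necessary' },
];
```

In a page, call `activateDeclaredScripts()` after `DOMContentLoaded` and wire `recordOptOut()` to the opt-out button; because the third-party tags start out as `text/plain`, nothing from a sale category loads before the gate has run, which is what "block cookies until the user decides" means in practice. With `SAMPLE_SCRIPTS` and a cookie string containing `ccpa_opt_out=1`, only the `necessary` script is selected.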

If you have a global website that caters to visitors from all over the world, especially Europe, you should comply with both the GDPR and CCPA. With CookieYes, it’s possible. You can display a geo-targeted notice as per the requirements of CCPA and GDPR in the US and EU respectively. You can also generate a custom cookie policy for your website and link it to your cookie notice.

4. Update your privacy policy

Under the CCPA, businesses should display a link to their privacy policy on their website's or mobile application's homepage. It should be easily accessible and understandable for users. The privacy policy should contain all the relevant details, including information about the personal information that was collected, disclosed, or sold in the last 12 months.

In your privacy policy, include information about the authorised agent (a person or corporate entity authorized to exercise CCPA rights on behalf of the consumer), contact information, the date on which the privacy policy was last updated, and the required processes if the organization sells the personal information of minors. Also describe users' rights and how to exercise them: the right to know, the right to delete, the right to opt out of sale and the right to non-discrimination.

Add the CCPA requirements to your privacy policy as a separate section, or create a CCPA-specific privacy policy. If you use a general privacy policy for all consumers, make sure the CCPA-specific provisions are marked separately. You can use a free privacy policy generator to create your custom CCPA-specific privacy policy: answer the preset questions and generate your privacy policy.

FAQ on CCPA

Does CCPA require EU-style cookie banners?

No. The CCPA does not have provisions requiring prior consent before deploying cookies, as the GDPR and the ePrivacy Directive do. The CCPA only imposes certain restrictions on the sale of personal information to third parties (such as through the use of cookies). It is therefore not mandatory to show an opt-in cookie banner as in the EU. However, website operators may choose to show a cookie notice if they deploy third-party cookies for advertising or analytics.

Is the CCPA applicable to all states?

The CCPA only legally applies to California residents, but it covers companies that "do business" in California. A company might be considered to "do business" in California even if it merely operates a website that is used by California residents. Therefore, businesses can be subject to the CCPA even if they operate in another state and lack a physical presence in California. This means the California "do not sell" rule applies to any website that caters to residents of the state.

Who is subject to CCPA?

The CCPA applies to for-profit organizations that collect the personal information of California residents and meet any of the following thresholds:

  • Has annual gross revenue over $25 million 
  • Buys, receives, sells or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes
  • Derives 50% or more of its annual revenues from selling consumers’ personal information

Who is exempt from CCPA?

The CCPA provides several specific carve-outs from its scope of application. It does not apply to:

  • Medical information or protected health information governed by California and federal health information privacy laws.
  • Clinical trial information subject to the Federal Policy for the Protection of Human Subjects.
  • Personal information regulated by the Fair Credit Reporting Act (FCRA).

What is considered personal information under CCPA?

The CCPA defines personal information very broadly: it includes any information that directly or indirectly identifies, describes, relates to, or can reasonably be linked to a particular consumer or household. Identifiers such as a real name, alias, postal address, email address or unique personal or online identifier, characteristics like race, religion, gender, national origin, or sexual orientation, and biometric information are all considered personal information.

Information related to any internet or other electronic network activity, including browsing history, search history or information collected via a consumer's interaction with a website, application, or advertisement, and geolocation data are also considered personal information under the CCPA. Personal information does not include publicly available information that is lawfully made available from federal, state, or local government records.

Who enforces the CCPA?

The State of California Department of Justice – Office of the Attorney General enforces the CCPA and has the power to issue fines for non-compliance. The Department will send out a 30-day ‘notice to cure’ to businesses that fail to comply with the CCPA.

What are the penalties for violating CCPA?

The CCPA provides that any business that violates its provisions will be subject to a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation. The civil action is initiated by the Attorney General in the name of the people of the State of California. The CCPA also has a private right of action, and consumers can claim damages of between $100 and $750 per incident per consumer.

What is CPRA and does it replace CCPA?

The California Privacy Rights Act (CPRA) is an amendment to the CCPA that is set to be enforced from July 1, 2023. Until then the CCPA will remain the primary governing legislation in California. The CPRA strengthens some requirements and consumer rights, brings California more in line with GDPR-like legislation, and creates a new enforcement agency, the California Privacy Protection Agency.
