What CCPA’s Do Not Sell Rule Means for Your Business
Does your company sell consumer data?
When it comes to the California Consumer Privacy Act (CCPA), answering that question isn’t so straightforward.
Even if you don’t sell lists of personal data for money, you may still be “selling” under CCPA’s broad definition of “sale.” There’s a lot of confusion about the meaning of “sell” and “personal information” under CCPA and companies are reacting to the ambiguity in many different ways.
Let’s take a look at CCPA’s nebulous and evolving definitions to see what they mean for your company’s compliance.
The Definition of “Sell”
CCPA requires a “Do Not Sell My Personal Information” or “Do Not Sell My Info” link on websites—essential providing an opportunity for consumers to “opt-out” of the sale of their data.
CCPA’s definition of “sale” applies to “…the exchange for value of all consumer information to another business or third party for “monetary or other valuable consideration.”
This includes “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating” personal information to another party.
It also covers the sharing of personal data captured by cookies and other tracking technologies with third parties like Facebook, Google, and others. Not all cookies have the same purpose, so you’ll need to know what type of cookies are used on your company’s website. Some—but not all—cookies are subject to CCPA’s Do Not Sell provision.
- “First-party” cookies allow websites to perform essential functions, like remembering which products you selected for purchase and placed into your shopping cart. For “first-party” cookies, the entity or website storing the cookie on the computer is the entity or site that is being visited.
- “Third-party” cookies are referred to as “advertising” cookies or “behavioral advertising” cookies. These are data files installed by another program, such as an advertisement that is presented on the site but is not owned or controlled by the site owner, or that is separate and distinct from the site that is being visited. Third-party cookies are often used by advertising agencies and track consumer activity across sites.
Third-party cookies are subject to CCPA’s Do Not Sell provision. To comply with CCPA, you must have the ability to stop using third-party cookies when a consumer opts out of the sale of their personal data.
The Definition of “Personal Information”
If you’ve determined that you are indeed selling information under CCPA’s definition of “sale,” you’ll also need to figure out if that info is publicly available or if it’s truly personal information.
CCPA currently defines “personal information” as “…information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
And that definition might expand this year. California Privacy Rights Act of 2020 (CPRA), follow-on legislation that could appear on the November 2020 California ballot, would expand the law to include other types of sensitive personal information such as financial info, biometrics, health status, geo-location, religion and race.
If there’s any grey area or room for interpretation when it comes to your company’s sale of personal information, err on the side of caution. You can’t go wrong if you stay on the safe side and assume that the law applies to you. Recent updates to CCPA and the proposed CPRA are likely to clear up ambiguities and close any loopholes or omissions. When in doubt, be proactive and demonstrate responsible data stewardship. It will build consumer trust in your brand and show that you care about consumer privacy.
Making Good on Your Promise Not to Sell: Suppression Lists
Once you’ve provided a way for consumers to request that you don’t sell their data, you need to follow through and honor their request. You can do this by creating suppression lists of people who opted out of the sale, based on the information you have about them at the time of the opt-out. If you only have their cookie or IP address, you may need to ask for more information to confirm their identity so you can connect the dots across your different marketing and advertising systems.
Your suppression lists need to be updated and applied internally and by third parties on an ongoing basis. You’ll need to check against the lists and restrict the data of consumers who have opted out from being sent to third-party advertising platforms and ad networks. This can be quite a heavy lift for companies with numerous data stores and third-party partners, so make sure your compliance solution has a way to communicate the Do Not Sell request to all parties involved.
WireWheel and LiveRamp Help You Comply with CCPA’s “Do Not Sell” Requirement
WireWheel and LiveRamp can help you build your privacy operations and while reducing the complexity of Do Not Sell compliance. The simple, end-to-end solution takes care of every step, including collecting consumer consent, logging requests, and executing a workflow to help you fulfill them. Information is passed automatically and securely to create a Do Not Sell suppression list. The suppression list is stored and can be used by anyone in your organization and third parties to prevent the sale of data.
No matter where privacy legislation is headed, you need to build consumer trust with a transparent privacy experience. WireWheel and LiveRamp can help you simplify, structure, and automate your privacy program for today and the future. Watch our recent webinar with Forrester, What CCPA’s “Do Not Sell” Requirement Means for You, to learn more about turning your biggest compliance challenges into an opportunity to build trust in your brand.
The biggest tech companies have different interpretations of the law, especially over what it means to stop selling or sharing consumers’ personal details.
Suggested Blog Posts
Summary The Brazilian privacy law, LGPD, will begin to be enforced on Aug. 1, 2021. As of today, no specific...
Now that the Schrems II decision is behind us and the EU-US Privacy Shield no longer provides a valid legal basis for...
On August 14, 2020, California Attorney General Xavier Becerra announced the approval of final regulations under the...