CCPA Do Not Sell Rule: The Complete Guide
CCPA will go into effect in less than four months, bringing with it serious consequences for businesses with customers in California. The fast-approaching deadline means now is the time to start putting in place procedures to help your business stay compliant.
One of the parts of CCPA that will be challenging for businesses to comply with, at least initially, is processing do not sell requests. In this article, we’ll look at what these are as well as what you should be doing to stay compliant.
What is the CCPA Do Not Sell Rule?
The CCPA “Do Not Sell My Personal Information” rule gives those based in California the right to tell businesses not to sell their personal data.
It includes several specific instructions:
- Websites must have a page called “Do Not Sell My Personal Information” that allows consumers to opt-out of the sale of personal information.
- They must link to this page on the homepage.
- Users must be able to make this request without having to create an account.
- The business must respect the consumer’s decision for at least 12 months. After this time the business can ask the consumer to allow the sale of personal information.
On the surface, this seems fairly straightforward. However, it brings many challenges. These include knowing what personal data your business collects and sells, knowing what data belongs to which user, and having a system in place to process do not sell requests.
Does My Business Need to Comply With CCPA Do Not Sell?
All businesses affected by CCPA need to put in place do not sell compliant processes.
The CCPA affects companies that collect information from California residents. Even those without a physical presence in the state. However, there are some exemptions.
The regulations only affect businesses that either generate over $25 million in revenue, collect information of more than 50,000 Californian residents a year, or derive 50% or more of their annual revenue from selling the personal information of California residents.
The first and third of those conditions are easy to understand. The point where small businesses may slip up is in the provision of collecting the personal information of 50,000 California residents a year.
The CCPA definition of personal information includes data collected via websites. Some ways a website could collect personal information include:
- A SaaS business that collects email addresses as part of its sales funnel
- An eCommerce store that collects credit card details to process payments
This puts businesses with a moderate online presence in California at risk of needing to comply. This is the case even if they bring in far less than $25 million in revenue or if their business model isn’t based around buying or selling data.
What Exactly Does “Sell” Mean?
If you aren’t in the business of buying and selling data, you may think the rule doesn’t affect you. Be careful, though. The way CCPA defines “sell” is very broad and includes a broad range of transactions.
According to CCPA, selling is:
“selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
The range of transactions is fairly clear. However, there is some confusion brought by the fact that CCPA doesn’t define “valuable consideration.”
The International Association of Privacy Professionals has produced a blog post that explains what it could cover.
The organization says that, assuming the phrase is interpreted in a way that is consistent with existing contract law, “valuable consideration” would be “all agreements where personal information is exchanged and the transferring entity receives any benefit to which it is not legally entitled.”
All this means that CCPA covers a lot more activities than simply selling data to another company for money.
How to Comply With CCPA Do Not Sell Rule
Businesses with websites face several challenges when it comes to complying with do not sell requirements. Some of these include:
- They need a way to know what data they are collecting and storing about each of their customers.
- They need to know what, if any, of this data they are selling to third parties. This can be particularly challenging if the business doesn’t know exactly what data its website collects about users.
- They need to provide a way for customers to request that the business does not sell the data it has collected about them. This can be done by implementing a do not sell button on the website’s cookie banner and homepage.
- They need a way to ensure this request is fulfilled by providing a phone number and email address the user can contact if further action is needed to opt-out of other systems. Again this can be challenging if the website owner is unsure about what counts as selling personal information.
- They need to maintain details of this process to show the governing bodies they are compliant.
What if I Need to Sell Personal Data?
Another challenge is what businesses should do if they currently generate income from selling personal data. This is likely to affect many publishers and blogs that rely on an ad-supported business model.
These businesses do have options. Being clear with customers about what data they sell and why they sell it could make it more likely that customers don’t make a do not sell request. Especially if they find value in the product they are using.
Additionally, businesses could provide customers with the option to consent to only selling certain types of data for specific purposes.
Finally, businesses can minimize the effects of the regulations by providing customized user experiences for both customers residing in California and those in other parts of the world.
Make CCPA Compliance Easy With an All-in-One Solution
For many small businesses that are subject to CCPA, an all-in-one solution can be the easiest way to ensure they stay compliant.
CookiePro takes care of the entire compliance process; from providing cookie banners and CCPA do not sell buttons, to tracking these requests and integrating with your existing tools to ensure that the request is upheld.
Learn how CookiePro can help your business build CCPA compliant processes.
CookiePro recently launched a CCPA Do Not Sell WordPress Plugin. The CookiePro Do Not Sell Plugin enables website owners to customize and embed a floating Do Not Sell action button and modal on their website that gives visitors the ability to exercise their rights and opt-out of personalized advertisements. Learn more here.