While consumer privacy laws have traditionally been few and far between in the United States, the California Consumer Protection Act (CCPA) upended that paradigm with the strictest consumer privacy rules in the States, laying the groundwork for other states to follow suit. The passing of the CCPA has granted California residents several new digital rights, chief among them the right to opt out of the sale of their information for marketing purposes. This is known as the Do Not Sell Rule. This rule safeguards users from having their data sold and used by technology corporations, and it gives California residents legal grounds to protect their data.
What is the Do Not Sell Rule?
The Do Not Sell Rule, also known as the Do Not Sell Requirement, is a stipulation of the CCPA that gives consumers the right to opt out of the sale of personal information. This means that any organization doing business in California must provide a page where consumers can opt out of having their information sold. This page is referred to as the Do Not Sell My Information page. If a business sells consumer data in any way, this page must be easily accessible on its website; the link is typically placed at the bottom of the page where all the other links for the website are located.
There are additional specific requirements to meet the Do Not Sell Rule. Some of the requirements include:
The business must notify consumers if their data is being sold and that they can opt out
The Do Not Sell My Information link should be visible on the site
Consumers should be able to opt out without having to create an account on the site
The business must keep the consumer opted out for at least 12 months. If it wants to opt the consumer back in to the sale of their information, it must request permission again
What are the requirements for a compliant "Do Not Sell" page?
Simply having a Do Not Sell page isn’t enough; a business must follow the guidelines set out by the CCPA for what makes a Do Not Sell page compliant. Some of the guidelines required on the page include:
Explanation of the right to opt out: The CCPA requires a Do Not Sell page to clearly explain to the consumer that they have the right to opt out. This should be at the top of the page and should explain clearly to consumers why they have the right to opt out and what steps they need to take to do so. You can include the types of personal information that they can opt out from in your explanation; this will help give your audience a better understanding of what types of data can be sold if they don’t opt out.
Opt-out form: The opt-out form is a form displayed on your Do Not Sell page which allows consumers to opt out of their data being sold. The form should ask for enough information to identify the consumer and remove them from a company’s data selling databases. The opt-out form should not ask for any new data on the consumer.
Multiple opt-out methods: The CCPA requires a Do Not Sell page to have at least two methods to submit an opt-out request. The Do Not Sell page can be one of your opt-out methods; the other opt-out methods can include:
Sending an email to the company
Calling the company phone number
A physical form submitted via mail or in-person
What does "Sell" pertain to?
It’s crucial to have a good understanding of what the CCPA means by selling consumer data. Under the CCPA, the terms “sell, sale or sold” refer to selling, releasing, renting, disseminating, transferring, or communicating orally or in writing a customer’s personal information. More specifically, they relate to giving the personal information of a consumer to another business or third party for “monetary or other valuable consideration”.
This phrasing can apply to any act of sharing personal information with a third party for any exchange of value. There are some exceptions to “selling” customer data: sharing for business purposes with a different provider, sharing under the customer’s instructions, informing a third party that the customer has opted out, or sharing during a merger or acquisition.
Does my organization need to comply with the CCPA?
Yes, if your organization plans to offer any services in California or to California residents, you may be required to comply with the CCPA. There are different thresholds depending on your company's size, data services and location that will require you to comply with the CCPA. The main types of companies that are required to comply with the CCPA include:
Companies with over $25 million in revenue: If you are a company that serves California residents and generates over $25 million in revenue annually, you are legally required to comply with the CCPA. The revenue meant by the CCPA is total global revenue, not just revenue generated in California. Companies of this size must comply with the CCPA to do business in California.
Companies that generate over $50k from consumer information: All companies that generate over $50k directly from consumer information are required to comply with the CCPA. Since these businesses profit directly from the use of consumer personal data, the CCPA seeks to ensure that their operations are within its guidelines and that they are not hurting California users.
Companies that derive >50% of revenue from consumer data: Additionally, companies that generate more than 50% of their revenue from consumer data have to comply with the CCPA. This differs from the previous requirement because it encompasses companies of all sizes that derive the majority of their revenue from consumer data.
These are just some of the guidelines you should be aware of for CCPA compliance.