With the CCPA effective date just around the corner, the compliance deadline is coming in hot. Businesses with customers in California need to start creating procedures to become compliant.

One CCPA requirement that will present a challenge to businesses that sell personal information is processing do not sell my personal information requests (or opt-out requests). In this post, we’ll discuss what do not sell requests are and how your business can comply with them.

Get started today with the OneTrust CCPA Same Day Fast Track Implementation Program.

What is the CCPA Do Not Sell Requirement?

The CCPA provides several rights to California residents, including the right to opt-out of the sale of personal information. Specifically, California residents have the right to direct businesses to stop selling their personal information.

Businesses that sell personal information and do not qualify for an exemption for the opt-out right must take several different actions to comply with the CCPA.

More specific instructions are as follows:

  1. A business must provide notice to consumers that it sells consumers’ personal information to third parties and that consumers have the right to opt-out of such sales.
  2. The business’s website must post a “Do Not Sell My Personal Information” link that takes consumers to a web page where they can exercise the right to opt-out of the sale of their personal information.
  3. The business must provide this link on its homepage and any page that collects personal information, or on its application’s platform or download page.
  4. Users must be able to submit opt-out requests without having to create an account.
  5. The business must inform consumers of their right to opt-out and provide the do not sell link in its online privacy policy or any other California-specific description of rights.
  6. The business must respect the consumer’s decision for at least 12 months. After this time the business can ask the consumer to authorize the sale of personal information.
  7. The business must train individuals responsible for handling customer rights inquiries and processing consumer rights requests.

Like many rules with the CCPA, this individual rule may seem easy to comprehend, but it poses a lot of challenges for businesses and consumers alike. These challenges include knowing exactly what personal information your business collects and sells, knowing what information belongs to which consumer, navigating and targeting information that lives in decentralized systems, and having a system in place to process opt-out requests.

Check out OneTrust Cookie Auto-Blocking for CCPA today.

Does My Business Need to Comply with CCPA Do Not Sell?

Not every business is impacted by the CCPA, but any business that collects and sells the personal information of California residents (including those without a physical presence in the state) needs to have process to comply with the do not sell my personal information right.

If your business generates over $25 million in revenue, collects information of more than 50,000 Californian residents a year, or derives 50% or more of their annual revenue from selling the personal information of California residents, then the CCPA will impact your business.

What Does “Sell” Mean?

According to the CCPA, selling is:

“selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

Because the CCPA does not clearly define “valuable consideration,” this leaves some gray area for businesses to interpret. For greater insight, read the International Association of Privacy Professionals (IAPP) blog analyzing what “sale” means and the IAPP’s blog evaluating what “valuable consideration” means.

How Can Your Business Comply with the CCPA Do Not Sell Rule?

New and evolving digital marketing properties and practices pose unique compliance challenges to businesses with respect to the do not sell requirements. In particular, businesses need to do the following:

What if I Need to Sell Personal Information?

If you’re a publisher or a blog that relies on ad support, this section of the law applies to you. If you need to sell personal information, make sure you are perfectly clear about what information you sell and why you sell it. Being more transparent about your selling practices may lead to fewer consumers who exercise their opt-out rights.

CCPA Compliance Made Easy

For many businesses subject to the CCPA, OneTrust’s all in-one-solution can be the easiest way to ensure compliance. Get started today with the OneTrust CCPA Same Day Fast Track Implementation Program.

Resources: 

Check out our CCPA blog series: