The California Consumer Privacy Act (CCPA) provides a variety of privacy controls to consumers. These privacy controls include the right to request the deletion of collected personally identifiable information (“PII”), the right to request access to a number of disclosures pertaining to what PII the business has collected and sold, and the ability to file lawsuits directly against businesses under certain circumstances.
To allow consumers to opt out of the sale of their PII, the CCPA requires businesses to provide a link entitled “Do Not Sell My Personal Information” on their website. Consumers may click this link to request that the business halt the sale of their PII to third parties.
This article will discuss the following two topics:
- When a “Do Not Sell My Personal Information” link is required under the CCPA
- Why your business needs a “Do Not Sell My Personal Information” link to avoid fines and lawsuits
When a “Do Not Sell My Personal Information” link is required under the CCPA
Generally, businesses that fall under one of the following three categories are required to comply with the CCPA:
- Have an annual gross revenue in excess of twenty-five million dollars ($25,000,000);
- Alone or in combination, annually buy, receive for the business’s commercial purposes, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
- Derive 50% or more of their annual revenues from selling consumers’ personal information.
Covered businesses that must comply with Section 1798.120 of the CCPA must provide a “Do Not Sell My Personal Information” link. Under Section 1798.120, businesses that sell PII to third parties must provide consumers with the ability to opt out of those sales. The CCPA defines “sales” of PII as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic means, a consumer’s personal information by the business to another business or third party for monetary or other valuable consideration.”
Businesses that do not sell PII as defined by the CCPA are not required to provide a “Do Not Sell My Personal Information” link. Under the CCPA, businesses are not engaged in a sale of PII if any of the following apply:
- The consumer has instructed the business to sell the PII to third parties
- The disclosure of PII is made to a service provider so long as:
  - The exchange of PII is necessary to fulfill a business purpose
  - The service provider is performing a function on behalf of the business
  - The service provider itself does not engage in the sale of the PII
- The business has transferred the PII to a third party pursuant to a merger agreement, acquisition, or bankruptcy proceeding, provided that the third party uses the PII consistently with the business’s prior disclosures to the consumer
What about businesses that regularly communicate with consumers offline and/or do not operate a website but are nevertheless covered under the CCPA? The CCPA regulations, although not yet finalized, provide some guidance on that front.
The regulations would require businesses that substantially interact with consumers offline to provide notice of the right to opt out as well as how the consumer may access the business’s “Do Not Sell My Personal Information” link online. For example, businesses that direct consumers to disclose PII on a piece of paper would be required to include a notice of the right to opt out and directions for accessing the “Do Not Sell My Personal Information” link online. With respect to what constitutes “substantially interacting” with the consumer, the regulations have yet to define the level of communication that qualifies.
Per the regulations, businesses that do not operate a website would be required to implement, document, and comply with another method to inform consumers of their right to opt out of the sale of collected PII. This method must comply with the methods employed by businesses that substantially interact with consumers offline, as discussed above.
Why your business needs a “Do Not Sell My Personal Information” link to avoid fines and lawsuits
Tyler is a third-year law student attending Seton Hall University School of Law. He is a Certified Information Privacy Professional (CIPP/U.S.) as well as the Founder and President of the Cybersecurity and Privacy Society of his law school, a student organization dedicated to exploring major legal issues in all things technology, from data privacy to Artificial Intelligence. The organization is also dedicated to helping law students find career opportunities in the growing fields of cybersecurity and privacy.