Who needs a “do not sell my personal information” link under the CCPA?

The CCPA: California Consumer Privacy Act provides a variety of privacy controls to consumers. These privacy controls include the right to request the deletion of collected personally identifiable information (“PII”), request access to a number of disclosures pertaining to what PII the business has collected and sold, and the ability to file lawsuits directly against businesses under certain circumstances. 

Pursuant to allowing consumers to opt-out of the sale of their PII, the CCPA requires businesses to provide a link entitled “Do Not Sell My Personal Information” on their website. Consumers may click this link to request that the business halt the sale of their PII to third-parties. 

This article will discuss the following two topics:

  • When a “Do Not Sell My Personal Information” link is required under the CCPA 
  • Why your business needs a “Do Not Sell My Personal Information” link to avoid fines and lawsuits 

When a “do not sell my personal information” link is required under the CCPA 

Generally, businesses that fall under one of the following three categories are required to comply with the CCPA

  • Have an annual gross revenue in excess of twenty-five million dollars ($25,000,000);
  • Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or 
  • Derives 50% or more of its annual revenues from selling consumers’ personal information. 

Covered businesses that must comply with Section 1798.120 of the CCPA must provide a “Do Not Sell My Personal Information” link. Under Section 1798.120, businesses that sell PII to third-parties must provide consumers with the ability to opt-out of those sales. The CCPA defines “sales” of PII as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic means, a consumer’s personal information by the business to another business or third party for monetary or other valuable consideration.” 

Businesses that do not sell PII as defined by the CCPA are not required to provide a “Do Not Sell My Personal Information” link. Under the CCPA, businesses are not engaged in a sale of PII if any of the following apply: 

  • The consumer has instructed the business to sell the PII to third-parties 
  • The disclosure of PII is made to a service provider so long as: 
    • The exchange of PII is necessary to fulfill a business purpose 
    • The service provider is performing a function on behalf of the business 
    • The service provider itself does not engage in the sale of the PII
  • The business has transferred the PII to a third party pursuant to a merger agreement, acquisition, or bankruptcy proceeding, provided that the third party uses the PII consistently with the business’s prior disclosures to the consumer 

Should any of these circumstances apply, businesses must nevertheless ensure that their Privacy Policy states that the business does not engage in the sale of PII. 

What about businesses that regularly communicate with consumers offline and/or do not operate a website but are nevertheless covered under the CCPA? The CCPA regulations, although not yet finalized, provide some guidance on that front. 

The regulations would require businesses that substantially interact with consumers offline to provide notice of the right to opt-out as well as how the consumer may access the business’s “Do Not Sell My Personal Information” link online. For example, businesses that direct consumers to disclose PII on a piece of paper would be required to include a notice of the right to opt-out and directions for accessing the “Do Not Sell My Personal Information” link online. With respect to what constitutes “substantially interacting” with the consumer, the regulations have yet to define the level of communication that qualifies. 

Per the regulations, businesses that do not operate a website would be required to implement, document, and comply with another method to inform consumers of their right to opt-out of the sale of collected PII. This method must comply with the methods employed by businesses that substantially interact with consumers offline, as discussed above. 

Why your business needs a “do not sell my personal information” link to avoid fines and lawsuits 

As enforcement of the CCPA approaches this July, your business needs to be able to determine whether or not it is required to provide a “Do Not Sell My Personal Information” link. If your business has a website and engages in the collection and disclosure of PII to third parties, there is a significantly high chance that you must provide a “Do Not Sell My Personal Information” link for consumers to access. Pursuant to ensuring that your business remains compliant with the CCPA, use Termageddon’s Privacy Policy generator to create your CCPA ready Privacy Policy and avoid fines or even lawsuits.