Avoiding the Dreaded Link under CCPA: “Do Not Sell My Personal Information”

Many companies that do substantial business in CCPA may fall under the scope of the CCPA. If they do, and they don’t take actions beforehand, they are required to put a link, in a clear and conspicuous manner, on the company’s homepage (as well as in the privacy policy), that reads “Do Not Sell My Personal Information“. If this link is clicked on it must provide a mechanism (that must work) in which the consumer can opt of of having its personal information “sold”, and the company must refrain from soliciting the sale date of the opted out individual for 12 months after the opt out. It should be noted that the CCPA allows the link to not appear on the company’s main web-page if the company creates a web-page for CA residents only (because of the technology infrastructure needed to do this, its likely most companies subject to CCPA will not be able to do so, at least not right away).

When the company’s legal department or outside counsel tells the marketing department that the link has to be put on the main website of the company by January 1, 2020, the reaction is “We can’t do that. How do we avoid it?” Anyone involved in sales or business development understands that a link of that nature will not help revenue generation and the PR issues associated with it are not favorable.

By way of background the CCPA applies to any business (of a certain size or that generates over a threshold amount of revenue from CA), that “sells” personal information about California consumers to third parties. CCPA Section 1798.120(a). “Sell” under the CCPA is defined broadly meaning sharing the personal information for any value at all.

The answer to the marketing department’s question of how the company gets out of putting the link on the company’s homepage is that the company has to take action to ensure that it is not subject to the requirements of the CCPA, specifically that the company does not “sell” personal information. Each company likely has multiple vendors, subcontracts, service providers and other parties it has contracted with. A number of those agreements likely involve the sharing, making available, or outright sale of personal information to the third party. Usually the agreement includes more than simply the personal information. What the company should do is go through all of their agreements and amend any that involve the sharing or making available of personal information so that it is clear that any consideration provided by the third party under the agreement is not in exchange for personal information (i.e. that no consideration is changing hands related to the personal information). This assumes that the company’s business operations do not generally involve sale of this data (if they do, the CCPA will apply, absent a fundamental change in the company’s business model), and this course of action may not be available for all companies.

2 comments

  1. >By way of background the CCPA applies to any business (of a certain size or that generates over a threshold amount of revenue from CA), that “sells” personal information about California consumers to third parties. CCPA Section 1798.120(a).

    Not true. 1798.140(c)(1)(A) applies to any business with revenues in excess of $25M that ‘”collects” personal information…

    That’s the sucky part of this law – companies like ours get scooped up that don’t sell, trade or barter customer data.

    1. Robert – I agree that the CCPA may apply to businesses over the various thresholds that collect California resident’s personal information. The post mainly focused on avoiding the link related to selling the information and didn’t state that the CCPA doesn’t apply to others that merely collect it. However, just because you collect California consumer’s personal information doesn’t mean the CCPA definitely applies to you. In order for it to apply you have to be a for-profit business, that does business in the State of California, that collects California consumer’s personal information (and determines the means of processing same), AND one of the following has to apply: (i) you have at least $25 million in annual revenue, (ii) you buy, sell, share or receive personal information of at least 50,000 California consumers, households or devices per year, or (iii) you derive at least 50% of your annual revenue from selling California consumer’s personal information. There are many “sucky” parts of the law, that’s for sure.

Comments are closed.