Avoiding the Dreaded Link under CCPA: “Do Not Sell My Personal Information”

Many companies that do substantial business in CCPA may fall under the scope of the CCPA. If they do, and they don’t take actions beforehand, they are required to put a link, in a clear and conspicuous manner, on the company’s homepage (as well as in the privacy policy), that reads “Do Not Sell My Personal Information“. If this link is clicked on it must provide a mechanism (that must work) in which the consumer can opt of of having its personal information “sold”, and the company must refrain from soliciting the sale date of the opted out individual for 12 months after the opt out. It should be noted that the CCPA allows the link to not appear on the company’s main web-page if the company creates a web-page for CA residents only (because of the technology infrastructure needed to do this, its likely most companies subject to CCPA will not be able to do so, at least not right away).

When the company’s legal department or outside counsel tells the marketing department that the link has to be put on the main website of the company by January 1, 2020, the reaction is “We can’t do that. How do we avoid it?” Anyone involved in sales or business development understands that a link of that nature will not help revenue generation and the PR issues associated with it are not favorable.

By way of background the CCPA applies to any business (of a certain size or that generates over a threshold amount of revenue from CA), that “sells” personal information about California consumers to third parties. CCPA Section 1798.120(a). “Sell” under the CCPA is defined broadly meaning sharing the personal information for any value at all.

The answer to the marketing department’s question of how the company gets out of putting the link on the company’s homepage is that the company has to take action to ensure that it is not subject to the requirements of the CCPA, specifically that the company does not “sell” personal information. Each company likely has multiple vendors, subcontracts, service providers and other parties it has contracted with. A number of those agreements likely involve the sharing, making available, or outright sale of personal information to the third party. Usually the agreement includes more than simply the personal information. What the company should do is go through all of their agreements and amend any that involve the sharing or making available of personal information so that it is clear that any consideration provided by the third party under the agreement is not in exchange for personal information (i.e. that no consideration is changing hands related to the personal information). This assumes that the company’s business operations do not generally involve sale of this data (if they do, the CCPA will apply, absent a fundamental change in the company’s business model), and this course of action may not be available for all companies.

Service Provider Exemption in the CCPA

One of the larger exemptions to being deemed a seller of personal data under the CCPA is the “service provider” exemption. I am not going to quote the statutory language as frankly its written in a confusing way. But the CCPA states that a business will not be deemed a seller of personal data, with respect only to its relationship with a service provider, where such business uses or shares with a service provider personal information of a consumer, where:

  • its necessary to perform a business purpose, and
  • the service provider does not further collect, sell or use the personal information, and
  • the business has provided notice that information is being used or shared in its terms and conditions (which should comply with CA law, see 1798.135)

The CCPA broadly defines “business purpose” as that which uses the personal information for the business or a service provider for reasonable and necessary uses proportinate to get the operational purpose for which it was collected. Specifically, auditing, security purposes, debugging, transient use, performance of services (providing accounts, customer service, etc.), internal research, verifying quality or security of services or products.

If a business gets a right to delete information, it should pass that request along to its service providers and they should process the request and delete the information they have.

An agreement addressing specific items should be in place between the company and its service providers and many companies are now scrambling to amend all of their current agreements with service providers to ensure compliance with CCPA.

Updates to the California Consumer Privacy Act of 2018

We introduced the California Consumer Privacy Act of 2018 (CCPA) before, and there has been some updates since then.  While the CCPA was to take effect on January 1, 2020, the date of effectiveness and the date when the California Attorney General has to promulgate the regulations for same has been pushed back to July 1, 2020.  Similarly, the time of enforcement of same is to be that date if the regulations are published then and if not, then six months from the date of publication of the regulations.


There was lobbying in California regarding the private right of action in the CCPA and there was some language added to clarify the limits of consumer suits against companies.

On the federal level, Senator Marco Rubio introduced what he called the American Data Dissemination Act (and used the acronym “ADD Act”), which he presents as a federal data protection bill which would require the FTC to promulgate national regulations on data protection and would explicitly preempt state laws like the CCPA. It is to be based on the antiquated Privacy Act of 1974. Its unclear without specific statutory language or regulations on the ADD Act to determine the reasons for its genesis. If it were to follow the European model, an entirely new statutory scheme would likely be needed. The purpose could also be to halt the rise of 50 different data protection laws, one from each state. In any event, the members of Congress have been getting heavily lobbied by the US Chamber of Commerce and other business groups. It should be interesting to see how it all plays out. Companies should not however, presume that the CCPA will be pre-empted and should begin to prepare for same now.