As an eCommerce Professional, you’re tasked with navigating the complex landscape of data privacy laws. One of the most significant pieces of legislation in this area is the California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020. This law confers strong protection for individuals’ personal data and applies to businesses that collect, use, or share consumer data. A key aspect of the CCPA is its focus on transparency and provisions that limit the selling of personal information — the “Do Not Sell My Personal Information” requirement.

Understanding the CCPA’s “Do Not Sell” Requirement

The CCPA guarantees individuals the right to ask organizations to stop selling their personal information. Businesses must enable and comply with a consumer’s request to opt out of the sale of personal information to third parties, subject to certain exemptions. To enable consumers to exercise their right to opt out, businesses have to add a clear and conspicuous “Do Not Sell My Personal Information” link on their website.

Defining ‘Sell’ and ‘Third-Party’ in the Context of CCPA

According to the CCPA, selling or sale of personal information includes renting, disclosing, releasing, disseminating, transferring, or communicating personal information to another business or a third party for “monetary or other valuable consideration.” Note that a sale does not have to involve a payment made in exchange for personal information.

A third party is a person or entity other than the business collecting personal information from consumers. However, this definition excludes anyone to whom a business discloses a consumer’s personal information for a business purpose under a written contract that contains specific clauses, i.e., a service provider. When a business designates another business as a service provider, sharing personal information with that entity is not categorized as a ‘sale’. The CCPA also excludes the transfer of data to a third party in the context of a merger from the definition of sale.

CCPA’s Opt-Out Requirements

If you sell personal information and cannot rely on the exemptions under the law, you must comply with the following opt-out requirements for CCPA compliance:

  • Provide a “Do Not Sell My Personal Information” link on your homepage or any webpage where you collect personal information. Make the same accessible on a mobile application. Include the link in your privacy notice under the consumers’ rights.
  • Adhere to the consumer’s request and stop selling personal information unless the consumer subsequently provides explicit authorization for you to do so.
  • Wait at least 12 months after a consumer opts out before requesting authorization to sell their personal information again.

Latest Amendments to CCPA

The California Attorney’s office passed amendments to CCPA in March 2021 that banned dark patterns that have “the substantial effect of subverting or impairing a consumer’s choice to opt-out”. The amendments include the provision for an optional CCPA opt-out icon that may be used in addition to a “Do Not Sell My Personal Information” link.

Cookies and the Sale of Personal Information

The CCPA regulations consider unique personal identifiers such as cookies, IP addresses, and mobile ad IDs to be personal information. The CCPA includes cookies because they can be used to recognize a device linked to a consumer or family.

Most businesses use identifiers like cookies to participate in behavioral advertising networks. The data collected via cookies that publishers and advertisers use to target ads can therefore fall under the scope of personal information. The interpretation of CCPA considers it as the sale of personal information when a business shares or allows a third party to access a consumer’s personal information for targeted ad buying or selling.

Achieving CCPA Compliance

As enforcement is set to get stricter over time, businesses must address CCPA requirements and start complying. Here are four simple steps that you should implement on your site for CCPA compliance:

  1. Display a “Do Not Sell My Personal Information” link.
  2. Add a CCPA opt-out button/form.
  3. Provide a cookie notice.
  4. Update your privacy policy.

By understanding and implementing these requirements, you can ensure that your e-commerce business remains compliant with the CCPA and respects the data privacy rights of your customers.

About the Author: Hakim Danyal

Hakim Danyal is a writer for PieEye, specializing in the intricacies of Data Privacy. With a keen focus on GDPR, CPRA, and other pivotal data protection regulations, he delves deep into the world of cookies and privacy-related matters, ensuring readers stay informed and compliant.
