"Do Not Sell" and what it means Under CCPA and CPRA
Signed into law by then-governor Jerry Brown on June 28, 2018, the California Consumer Privacy Act (CCPA) was the first legislation of its kind in the United States. In the subsequent 3 1/2 years, the law’s impact has been felt far and wide.
But the state of California—the richest and most populous state in the country and a crucial market for any ambitious company—hasn’t stopped there.
The California Privacy Rights Act (CPRA) was approved by the state’s voters during the 2020 election. The update will go into effect in 2023, enhancing what was already in place.
This article will unpack both pieces of legislation, highlighting the important similarities and differences between the two groundbreaking laws. Most importantly, the piece below will dive deep into one key aspect of the laws: Do Not Sell My Personal Information.
A CCPA refresher
When the CCPA went into effect on New Year’s Day 2020, it was the last step of a legislative journey that began years prior.
“If [companies are] violating your right, they’re probably violating the rights of a lot of other people,” State Senator Hannah-Beth Jackson said, according to CNN. “The purpose of this litigation is not to punish this behavior, it’s to deter it. It’s to make these companies comply with the law. If there’s no punishment, if there’s no accountability, they’re going to keep doing it because it makes them money.”
Yes, it was the first law of its kind in the United States, but it was not the first worldwide. That distinction goes to the General Data Protection Regulation (GDPR), an even more stringent set of rules that were passed by the European Union.
The CCPA, meanwhile, makes sure Californians know what has been collected and how it’s used, can delete information as they wish, opt out thanks to easily accessible options and assures customers they won’t get worse prices or services if they decide not to give personal information. If the law is violated or their data is breached, consumers can sue the companies responsible.
Since the law was first passed, there have been modifications to address some ambiguities. Examples include routine cybersecurity auditing and risk assessment, limitations on the information businesses can collect and limits regarding sensitive personal information. For the full list, please download our ebook for more information.
However, of all the tweaks and changes, the most important provision are updates to “Do Not Sell” to “Do Not Sell or Share” personal Information.
The CCPA and CPRA game changer— Do Not Sell rule
For any company looking to do business, it is crucial for them to understand this rule. Simply put—or at least as simply put as possible—it allows California consumers to tell businesses they are not allowed to sell their personal information. If they don’t comply, businesses could face consequences that would be more costly and time-consuming than compliance in the first place.
To be within the law, sites must have a page for consumers to opt-out of the sale of their personal information. That site, however, must not be difficult to find, and needs to be easily discovered. Further, users are required to be able to make requests from a company without creating an account, a noteworthy point because that’s a juncture where information is routinely collected.
Per the CCPA legislation itself, selling means “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.” The one ambiguity there is a valuable consideration, though under contract law it can be interpreted as any transaction where the seller derives a benefit.
Does my business need to comply?
Here is one area where there is not much ambiguity: chances are, if you’re even a moderately sized firm doing business with California consumers you need to comply. To put it more bluntly, all businesses that comply with CCPA and CPRA must abide by Do Not Sell.
Here’s how to tell if these guidelines apply to your business. Taking into account the CPRA update, you must comply if you:
- Collect information from California residents
- Have an annual gross revenue that exceeds $25 million
- Buy, receive or sell personal information of more than 50,000 consumers or households, a number that has been expanded to 100,000 under CPRA
- Earn more than half of your revenue from selling personal info.
What is the cost of noncompliance
Complying with these laws does take effort and some expenditure. That labor and money spent, however, pales in comparison to the costs of not complying.
Businesses are built on their reputations. It takes years of good service and quality products to build that trust with consumers. But a mistake such as noncompliance can wipe all of that out in a heartbeat. Customers will inevitably find alternatives if possible, hitting your bottom line. And as the Equifax breach shows, reputations are hard to rebuild.
Of course, it’s the bottom line that must be protected. The Ketch ebook “Complete Compliance Guide for the California Consumer Privacy Act (CCPA & CPRA) outlines exactly how much is at stake.
Ways to ensure compliance
Knowledge of CCPA and CPRA is good, applying that knowledge to effectively comply and help your business is better.
To do that, companies must take a programmatic approach to data privacy. Automation after evaluating needs is a handy way to make sure you’re on the right side of the law. Effective implementation means systems are native and scalable, and that friction is reduced between all parts of a company when the new privacy policies are introduced.
California is an incredibly important market, and its state government has the resources to enforce its laws. It’s a must for any company to comply with CCPA and CPRA, and know its way around Do Not Sell.