There are several key aspects of the California Consumer Privacy Act (CCPA) that people are largely missing to date. Here, learn why the "Do Not Sell My Personal Information" provision of the CCPA could be a game changer for many companies. And learn how you can get a head start implementing the processes and systems to comply with the provision without hobbling the business.
The California Consumer Privacy Act of 2018 (the CCPA, as it has come to be known) was enacted on June 28, 2018 with 109 ayes and 0 noes and signed by the governor the same day. Based on the premise that "people desire privacy and more control over their information," the law ensures Californians five rights, including (#3), the right "to say no to the sale of personal information."
Referred to as the "Do Not Sell My Personal Information" provision, that #3 could be a hidden game-changer for many companies.
Key CCPA Regulation takeaways
- You're probably required to comply
- The potential impact is huge
- Digital advertising will not die
- You'll likely have to verify identities, track requests, and prove compliance – across all of your data systems, and your third-party partners' systems
- Sarbanes-Oxley and PCI DSS requirements didn't spell doom for companies; CCPA won’t either
- The solution is software that enables workflow automation, data automation, and change automation
CCPA Regulations: Are You Required to Comply?
Businesses subject to the CCPA include those with annual revenue above $25 million and those that derive more than 50% of their revenue from selling consumers' personal information. Also subject are businesses that annually buy, receive, sell, or share the data of 50,000 or more consumers, households, or devices.
That may be far more medium-sized and even small businesses than one might think. An ecommerce business, for example, that places cookies on website visitors' computers would need only 137 visitors per day to fall under the purview of the CCPA, given that "Internet or other electronic network activity" is personal information as defined by the law.
Think you aren't subject to the CCPA? If you cookie 137 or more web visitors a day, you might be.
How Big of a Deal Might This Be?
For all those businesses subject to the law, the potential game changer lies in sections 1798.120 (the right to opt-out), 1798.135 ("Do Not Sell"), and 1798.140 (definitions). In a nutshell, the law requires businesses to post a clear and conspicuous link on their website that says "Do Not Sell My Personal Information" and then to enable consumers to opt-out of the sale of their data to third parties.
The provision raises a lot of questions. How exactly is "sale" defined? What exactly counts as "clear and conspicuous"? Which pages of the website does that link have to be on? Does it have to be on a mobile site or a mobile app?
Those questions will be answered by California's Attorney General over the course of the next six months or so. (Section 1798.185 of the CCPA stipulates that "On or before January 1, 2020, the Attorney General shall solicit broad public participation to adopt regulations to further the purposes of this title.") For now, because the Attorney General has yet to tell businesses what specifically they have to do to comply with the law, interpretations remain open.
Of the 30 million users who were served the link, 4% clicked on it.
- 1798.120 (a) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer's personal information. This right may be referred to as the right to opt-out.
- 1798.120 (b) A business that sells consumers' personal information to third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the "right to opt-out" of the sale of their personal information.
- 1798.135 (a) A business that is required to comply with Section 1798.120 shall, in a form that is reasonably accessible to consumers: (1) Provide a clear and conspicuous link on the business's Internet homepage, titled "Do Not Sell My Personal Information," to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer's personal information.
- 1798.140 (l) "Homepage" means the introductory page of an Internet Web site and any Internet Web page where personal information is collected. In the case of an online service, such as a mobile application, homepage means the application’s platform page or download page, a link within the application, such as from the application configuration, "About," "Information," or settings page, and any other location that allows consumers to review the notice required by subdivision (a) of Section 1798.145, including, but not limited to, before downloading the application.
- 1798.140 (t) (1) "Sell," "selling," "sale," or "sold," means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration.
Key questions remain around what counts as a "clear and conspicuous" link, what counts as a "Homepage," what counts as a "sale," and how quickly companies have to respond to opt-out requests.
What counts as a "clear and conspicuous" link?
That question isn't answered by the CCPA as it is written, though it is likely to be one of the elements of the law that the Attorney General will specify. Current regulation may be informative. For example, California's "Shine the Light" law requires businesses to post a "Your Privacy Rights" link on their homepage and specifies that link "shall be written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language." It is reasonable to assume the Attorney General will have similar mandates for the "Do Not Sell My Personal Information" link under the CCPA.
What counts as a "Homepage"?
The CCPA specifies that businesses include the "Do Not Sell My Personal Information" link on the "homepage" of the web site and "any Internet Web page where personal information is collected." Most experts suggest this means the link must be included on every page of the website – assuming that, in the case of cookies as just one example, consumer information is collected on every page. Many experts agree the requirement applies to a business’s mobile website as well.
Experts are more divided on the question of whether an app home screen counts as a "homepage." This is certainly an area that the Attorney General will weigh in on, and the question will likely be tested in the courts. But the Attorney General has to date indicated an interest in moving toward more rather than fewer privacy rights – a more aggressive stance on how privacy should be protected – so he may be likely to consider an app home screen as beholden to the "Do Not Sell My Personal Information" link requirement.
The difference in the magnitude of the challenge for businesses on a website versus an app is an issue of real estate. Even a mobile website, because it is scrollable, has far more real estate on which a "Do Not Sell My Personal Information" link could be included with lots of other information. By design, there is far less real estate on an app home screen, and a "Do Not Sell My Personal Information" link would be far more prominent there – and, by extension, far more likely to be clicked on.
What counts as a sale?
Businesses that do not sell consumers' data to third parties are, no surprise, not required to post a "Do Not Sell My Personal Information" link on their website. But what is a "sale" in this context? Obviously, a business selling consumers' personal information to a data aggregator would be subject to this provision of the CCPA. But what about a business that advertises to consumers through the Google Display Network, placing cookies that are then used by Google to serve retargeting ads to those visitors? That is a bit less clear cut. The business is not receiving money from Google – in fact, the business is paying Google – but it is receiving "valuable consideration" in the form of ad impressions.
In a recent webinar hosted by IAPP and featuring experts from Truyo and DLA Piper, Kate Lucente, a partner at DLA Piper, explained: "Given the broad definitions of personal information (which includes unique identifiers such as IP address, cookie ID, device ID, customer ID) and of sale (includes disclosing or permitting access to personal information by a third party in exchange for monetary or other valuable consideration) third-party advertising and analytics activities should be reviewed for CCPA compliance purposes. For example, website operators/publishers should review the third-party cookies served through their website to determine whether any disclosures to such third parties are a ‘sale’ under the CCPA. In particular, this may be relevant for third-party Online Behavioral Advertising (OBA) cookies, where the information collected via the third-party cookies is used in support of the ad network and multiple advertisers."
How quickly do companies have to respond?
The CCPA does not require that consumers' opt-out requests come through the "Do Not Sell My Personal Information" link. Consumers can exercise the opt-out right at any time, via the website or over the phone, by written request, or potentially in other ways as well. The law likewise does not specify the timeframe within which a business must respond to consumers’ opt-out requests. That will likely be another area of clarification from the Attorney General.
Given the utter lack of nuance, who wouldn't click on such a statement as "Do Not Sell My Personal Information"?
Wither Digital Advertising?
Based on the current state of privacy affairs, it’s easy to imagine that a significant percentage of consumers would take advantage of the "Do Not Sell My Personal Information" provision. Yet consumers have demonstrated willingness to share their data – and even have their data reshared – when they understand the business's rationale for doing so, and the benefit they will see from it.
In one Pew study, for example, 67% of respondents said this scenario might be acceptable: "A grocery store has offered you a free loyalty card that will save you money on your purchases. In exchange, the store will keep track of your shopping habits and sell this data to third parties." (47% said it would be acceptable, 20% said it depends, and 32% said it would not be acceptable.) Yet just 44% of respondents said this scenario might be acceptable: "A thermostat sensor for your house that would learn about your temperature zone and movements around the house and potentially save you on your energy bill." (27% said it would be acceptable, 17% said it depends, and 55% said it would not be acceptable.)
The key is to educate consumers, transparently. Start by defining for the consumer what data is being collected, with whom it’s being shared, why it’s being shared, and how it’s being used. Explain the implications of opting out of the sale of data (for example, the consumer might miss out on relevant discounts or relevant educational information or opportunities). Enable consumers to selectively opt out of the sale of only certain personal data, rather than all of it. Educate consumers on why you need to share their data in order to better serve them, and you’ll minimize opt-outs.
The system to facilitate such a dialogue is a technology solution, of course, and it will likely be implemented by the AdTech platforms and advertisers (the third parties) rather than the businesses themselves. It's a work in progress. The Interactive Advertising Bureau (IAB) Europe recently developed a framework for getting consent for the use of personal information in advertising (unlike the CCPA, where consent is granted by default, GDPR requires consumers to actively consent). The GDPR enforcement commission has sent IAB back to the drawing board to develop a more robust framework.
There is a history of self-regulation in the U.S. as well. In 2009, the Digital Advertising Alliance, an independent non-profit organization led by leading advertising and marketing trade associations, released the Self-Regulatory Principles for Online Behavioral Advertising (DAA Principles). In 2011 the organization created the Online Interest-Based Advertising Accountability Program. Together the DAA Principles and Accountability Program "serve as two pillars of a self-regulatory structure that promotes responsible commercial activity and protects consumer privacy."
Obviously self-regulation was not enough to eliminate the need for a law like CCPA. In response, some companies will turn to advertising tactics that don't involve the use of personal data or stop online advertising altogether. There has been some of that in the wake of the GDPR. But the efforts of IAB Europe and the Digital Advertising Alliance suggest that a structure does exist whereby the large advertisers (including the online AdTech platforms) will figure out how to maintain their businesses and comply with the CCPA.
The Consumer Opts Out. Then What?
Understanding whether you’re required to comply with the "Do Not Sell My Personal Information" provision of the CCPA, assessing how it might impact your organization, and creating a framework for transparently educating consumers about how you use their data and why allowing you to share it is in their best interest is just the beginning. Despite your best efforts in that regard, some consumers will opt out, and you will be required to honor their request and not "sell" their data for a period of 12 months.
That raises two key technical issues: 1) how to ensure all of the personal data you currently have on that consumer doesn’t get sold, and 2) how to ensure any new personal data you gather on that consumer doesn't get sold. In an online advertising context, as just one example of where this regulation will likely apply, compliance will likely mean erasing existing cookies tied to that consumer and refraining from placing new cookies in the future.
An effective system for managing opt-out requests will necessarily involve three components:
- You have to verify the identity of the person requesting to opt-out – to make sure they are who they say they are. This means you may actually be gathering more information that you’ll have to manage.
- You have to track the person who has opted out to ensure you honor their opt-out request for the requisite 12 months. That could require gathering and managing more personal data than you had in the first place (for example, an email address as a record identifier to ensure that cookie data isn’t sold).
- You should be able to prove to an auditor that you are honoring the consumer’s opt-out request. Because formats like Excel, text, and email aren’t immutable, managing requests in that way can make it difficult to prove compliance.
And, perhaps trickiest of all, you have to figure out how to do all that across all of the data systems consumers’ data pass through – yours, and the third parties you sell data to.
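One way to meet the tracking and proof requirements listed above, as an added example that is not from the original article or from any vendor's product: an append-only, hash-chained opt-out ledger that stores a keyed pseudonym instead of the raw identifier and enforces the 12-month window. The class and field names, the HMAC key handling, and the sample identifiers used with it are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

OPT_OUT_PERIOD = timedelta(days=365)  # the 12-month period the article cites
GENESIS = "0" * 64                    # "previous hash" of the first entry


class OptOutLedger:
    """Append-only, hash-chained record of do-not-sell requests (illustrative)."""

    def __init__(self, pseudonym_key: bytes):
        self._key = pseudonym_key  # assumption: kept in a secrets manager
        self.entries = []

    def _pseudonym(self, identifier: str) -> str:
        # Keyed hash so the ledger never holds the raw e-mail or cookie ID.
        norm = identifier.strip().lower().encode()
        return hmac.new(self._key, norm, hashlib.sha256).hexdigest()

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record_opt_out(self, identifier: str, received_at: datetime, channel: str) -> dict:
        body = {
            "subject": self._pseudonym(identifier),
            "received_at": received_at.isoformat(),
            "expires_at": (received_at + OPT_OUT_PERIOD).isoformat(),
            "channel": channel,  # web link, phone, written request, ...
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry

    def may_sell(self, identifier: str, now: datetime) -> bool:
        # False while any recorded opt-out for this subject is still in force.
        subject = self._pseudonym(identifier)
        for e in self.entries:
            start = datetime.fromisoformat(e["received_at"])
            end = datetime.fromisoformat(e["expires_at"])
            if e["subject"] == subject and start <= now < end:
                return False
        return True

    def verify_chain(self):
        """Return the index of the first altered entry, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return None
```

The chain only proves integrity to an auditor if the latest hash is also recorded somewhere the ledger's operator cannot rewrite, since an insider who recomputes every later hash would otherwise pass `verify_chain`.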
Lessons from SOX and PCI
While most companies haven't confronted the particular challenge of managing "Do Not Sell My Personal Information" requests before, history offers an optimistic view of how they will. “Sarbanes-Oxley was difficult for companies to comply with at first. The law required companies to show credit card information only to people who needed to see it. So systems were built to mask the data," explained Truyo CPO Rod Forsythe.
"Then the Payment Card Industry Data Security Standard (PCI DSS) required that credit card data not be directly accessible, even if it was masked, and that required new systems to be built or old systems to be retrofitted to, for example, use tokens. Essentially it was about data minimization – individuals’ financial data should only be accessible to people who need it to do their jobs. That’s what we will see happen with personal data as it’s being defined under GDPR and CCPA. Personal data will be treated like credit card data came to be treated."
The Solution: Automation
As was the case with SOX and PCI, the answer to the challenges posed by the CCPA “Do Not Sell My Personal Information” requirement is software built with the business need in mind. In this case, software that provides attribution around personal data records – is there a “do not sell” flag on the record? From when?
Whether you might have to manage 1.2 million opt-out requests, or more, or far fewer, navigating that on an ad-hoc basis without pre-organization – and, for most companies, automation – will likely be a nightmare. What can help is software-enabled workflow automation (communicating with consumers, validating identities), data automation (keeping track of opt-out requests across your entire data environment), and change automation (for when that opt-out request comes in, and when it expires).
The "Do Not Sell My Personal Information" component of the CCPA will be tough to manage through, no doubt. But there's a silver lining: for those companies that take the steps to put individual privacy rights management systems in place that enable consumers to have control over their personal data, it will not only be a compliance win, but a competitive differentiator as well. (Yes, it's a competitive differentiator to be a good steward of customers’ data.)
Questions? Reach out anytime. We're at Hello@Truyo.com
This publication informs our clients and friends about recent legal developments and is for informational purposes only. It does not constitute legal advice or reflect any opinions on any particular law or regulation. The information contained herein is subject to change and may become inaccurate or outdated over time. Do not rely on this publication without seeking legal guidance.