Does your technology know you better than some of your closest friends? Much of the technology you rely on tracks your search history, analyzes your social media posts and comments, monitors your purchases, and studies every aspect of your digital life without you even knowing. It feels like an episode of Black Mirror, but really this is just modern, digital, targeted advertising - a technique used to present targeted ads to consumers by collecting information about their browsing behavior. But the California Consumer Privacy Act (CCPA) now significantly restricts how businesses can use this technology to collect and manage personal information.
Now in effect (with enforcement starting on July 1), the CCPA introduces many new rights for California residents including the right to opt out of the sale of personal information, otherwise known as the “Do Not Sell” rule. This provision allows California residents to prohibit businesses from selling their personal information to third parties, which includes data used for ad targeting, like persistent identifiers, browsing histories, and IP addresses.
Yet, there is much speculation around how to comply with this rule and what constitutes the scope of “sale” under the CCPA. In this post, we’ll take a deeper look at the CCPA’s “Do Not Sell” provision and the Attorney General’s proposed regulations, the direct impact it will have on digital advertising, and how your business can comply with this challenging new rule.
What is the "Do Not Sell" Rule?
The CCPA’s “Do Not Sell” rule is part of a larger crackdown on businesses that have become profitable from selling consumers’ personal information. Under this provision, all businesses subject to the CCPA must have a clear and conspicuous link on their website titled “Do Not Sell My Personal Information” that gives consumers the option to opt out of the sale of their personal information.
Consumers must be able to submit this opt-out request without having to create an account, and businesses must respect the consumer’s opt-out decision for at least 12 months before asking to allow the sale of personal information again.
But this provision raises a lot of questions as the CCPA’s definition of “sell” is very broad and includes a wide range of transactions. According to the CCPA, “sale” is defined as:
“The selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
The transactions listed for monetary considerations are relatively straightforward, but the source of confusion for many businesses is the phrase “valuable consideration,” which is not defined in the CCPA. Under contract law doctrine, valuable consideration is a sale where personal information is exchanged, and the transferring entity receives a benefit to which it was not legally entitled. This means that the CCPA covers more transactions than simply selling data to another company for money, which could widely impact digital advertising.
In addition, the definition of “sale” under the CCPA contains exceptions for when personal information is shared with a service provider, but these exceptions do not exist for behavioral advertising networks. For an exception to be reached, three conditions must be met:
- The transfer of information to the service provider must be necessary for the website’s purpose. While targeted advertising is a desired service for many companies, it is unclear whether it can be considered a necessity.
- The transfer of information to the service provider must be disclosed to consumers. Most websites meet this requirement by disclosing their participation in behavioral advertising in their privacy policies.
- The agreement with a service provider must prohibit the service provider “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract with the business.” Behavioral advertisers normally retain consumer personal information from websites and use that personal information for their own benefit, something that would be prohibited under this CCPA requirement.
In October of 2019, the California Attorney General published a first draft of additional regulations that would provide practical guidance on various elements within the CCPA. The draft includes clarifying details for responding to consumers’ requests to opt out of the sale of their personal information.
Within the draft, the California Attorney General proposes that a business must act upon a consumer’s Do Not Sell request within 15 days of receiving the request. Upon receiving the consumer request, the business must also notify all third parties to whom it sent the consumer’s personal information over the last 90 days and instruct them to not sell the personal information any longer. The business must then notify the consumer once this step is complete.
In addition, the proposed draft states that opt-out requests do not need to be verifiable consumer requests. If a business suspects a consumer opt-out request may be fraudulent and has a good reason to believe so, then it may deny the consumer request and provide an explanation stating why it believes that the request is fraudulent.
These proposed regulations are open to the public and have a comment period until December 6, 2019.
How Will This New Rule Affect Advertising?
Many companies, especially online retailers, utilize behavioral advertising by inserting code on their websites that allows a third party to either place a cookie on the computer of the consumer who visits the website or receive information from the consumer’s computer. The third party collects and monitors the information provided by the cookie to build a profile, so that the behavioral advertising provider can tailor and deliver targeted advertising. This is the reason why the shirt you were looking at yesterday is now showing up on the sidebar of every website you go to today.
So far, it is unclear how the CCPA will apply to third-party cookies used specifically for targeted or behavioral advertising. It can be argued that providing a third-party behavioral advertising network access to personal information that is transmitted by a consumer is the same as “making available” the personal information. Therefore, this could be considered a “sale” under the CCPA.
For this reason, some websites are attempting to avoid a cookie being interpreted as a sale and are asking consumers to opt in to the use of behavioral advertising through cookie banners. In this situation, a consumer “uses or directs the business to intentionally disclose personal information,” and therefore, the website has not “sold” information to advertisers.
How to Comply with the CCPA "Do Not Sell" Rule
The CCPA deadline has come and gone, and the law is expected to make a big impact on the digital advertising industry in the months to come. Even organizations that do not buy or sell personal data need to gain an understanding of how they collect and process data. To gain a better understanding of the personal information that your website processes, you should learn:
- What data is being collected and stored about your visitors and customers?
- What tools are being used to collect information about visitors, customers, and any other interactions with third parties?
- What information, if any, is being disclosed to third parties? How are these third parties using this information?
- What is the purpose for disclosing the information collected? Does the purpose include valuable consideration under the CCPA?
- What mechanisms are used to facilitate access to third parties?
- What existing contracts, if any, are in place that cover the sale of personal information per the CCPA?
Organizations now also need to add a Do Not Sell button on the website’s cookie banner and homepage and ensure this request is fulfilled by providing two or more designated methods for submitting requests, including at least a toll-free phone number and a website (if the business has a website). These actions should be detailed and documented to demonstrate full compliance with the CCPA.
Businesses also must educate their consumers on the information they are collecting, with whom it is being shared, why it is being shared, and how it is being used. By explaining the implications of opting out of the sale of personal information (i.e., the consumer might not receive relevant discounts or pertinent educational information), consumers might be more likely to opt in.
Furthermore, businesses need to evaluate their relationships with third-party service providers, like marketing and advertising companies, to gain a better understanding of how they are using the consumer personal information that is shared with them and if these practices align with the CCPA. It is likely that some contracts will need to be updated to ensure data is only being used for the needs expressed by the business.
Collective consumer insights are more valuable to many companies than any individual commercial transaction, but the CCPA is attempting to ensure consumers have the right to decide how businesses can use their personal information. Yet, despite the approaching compliance deadline, it is uncertain what far-reaching effects the CCPA will have on online advertisers and digital marketing strategies. But those businesses that take the steps to put the necessary requirements and individual privacy rights in place and educate their consumers about why they need to share their personal information in order to better serve them will not only promote compliance, but also potentially increase opt-in rates.
We will continue to monitor the CCPA’s Do Not Sell rule and its amendments and will provide updates as more guidance is given.