OneTrust Pro Tips: CCPA Do Not Sell Requirement

2020 is here, and businesses everywhere are rushing to meet the requirements of the California Consumer Privacy Act (CCPA). As the first state privacy law of its kind to pass in the United States, it grants California residents five core privacy rights that went into effect on January 1, 2020. The right to opt out of the sale of personal information is one of the most notable. Many businesses, no matter their size, are starting to familiarize themselves with this right and the Do Not Sell requirement as they begin to receive more and more consumer requests. But what does this mean for small and growing businesses? Moreover, how should they approach this type of request?

Check out these OneTrust Pro Tips in 3-2-1…

CCPA Right to Opt-Out & The Do Not Sell Requirement

Starting with the basics, what is the right to opt-out?

Under the CCPA, California residents have the right to opt out of the “sale” of their personal information. When a consumer opts out, businesses are required to identify that consumer’s personal information involved in a “sale” and stop selling it.

The CCPA defines the “sale” of personal information to mean giving, “renting, releasing, disclosing, disseminating, making available, transferring,” or communicating personal information to another business or third party in exchange for valuable consideration. With such a broad definition, determining the parameters of a “sale” can be challenging. However, the law covers several situations that don’t involve the “sale” of personal information, including businesses who use or share personal information with a service provider or third party, under contract, in relation to opt-out requests, and consumers who direct businesses to intentionally disclose their personal information to a third party.

If your business sells the personal information of California consumers, you must honor opt-out requests when made, in addition to other related requirements. These include:

  • Providing consumers with notice that you sell their personal information, and informing them of their right to opt out
  • Creating a clear and conspicuous “Do Not Sell My Personal Information” link that allows customers to opt out of the sale of personal information
  • Adding your “Do Not Sell My Personal Information” link to your homepage and any page that collects personal information
  • Adding your “Do Not Sell My Personal Information” link to your privacy policy and any California-specific description of consumers’ privacy rights
  • Respecting consumers’ opt-out decision for at least 12 months before requesting opt-in authorization
  • Establishing procedures for authorized agents to submit an opt-out request on behalf of a consumer
  • Training staff responsible for handling opt-out requests and inquiries

The CCPA does not require businesses that do not and will not sell personal information to post notices related to consumer opt-out rights. However, it does require that they state within their privacy policy that they do not and will not sell personal information.

How to Handle Opt-Out of Sale Requests

According to the California Attorney General’s Modified Regulations (which are not yet final), businesses must establish at least two methods for consumers to submit opt-out of sale requests. These methods must be simple and easy for consumers and should have minimal steps involved. Additionally, these regulations prohibit businesses from using a method that purposefully or potentially undermines or impairs a consumer’s opt-out decision.

Whether you have a storefront or an online location, there are several options for you to choose from. These request methods include:

  • Toll-Free Number. Setting up a toll-free number is one of two requirements for businesses to intake opt-out requests. This method requires businesses to establish a unique phone number for consumers to call, which includes configuring a customized welcome greeting that meets CCPA requirements.
  • Interactive Webform. All online businesses are required to establish an interactive web form that enables consumers to opt-out. This web form must be accessible via your “Do Not Sell My Personal Information” link. Businesses should make this webform available within privacy notices, any preference center or opt-out webpage, and within links on their website or mobile app.
  • Designated Email Address. This method allows consumers to submit opt-out requests via email to a designated email address. This email address may be managed by one or many people. For small businesses, this is typically handled by one person.
  • User-Enabled Global Privacy Controls. For businesses that collect personal information online, the California Attorney General’s Modified Regulations require them to accept opt-out requests from user-enabled privacy controls as valid requests. These controls include a browser plugin, privacy settings, device settings, or other systems. As a result, make sure you configure your systems to recognize an opt-out from a user-enabled privacy control.
  • Form submitted in person or by mail. A more manual and time-consuming option, this method involves a consumer completing a form or making an official written request to opt-out of the sale of personal information and submitting that document in person or via conventional mail.

Once you receive a request, you should comply as soon as possible. The CCPA requires businesses to fulfill opt-out requests within 15 days of receiving the request.

3 Steps to Comply with Do Not Sell Requirements

Meeting Do Not Sell requirements under the CCPA can pose a new set of challenges as the digital marketing landscape continues to evolve. However, you can take steps to bring your business processes up to par with the CCPA.

Step #1: Identify Sold Information

As a best practice, businesses should actively identify the personal information they collect and determine which pieces of that information, if not all, they are selling. Start with a data mapping exercise to identify cases in which personal information has been sold to third parties. Then leverage automated tools to streamline the discovery of data that has been sold. Using these insights, develop a tagging method to help keep track of personal information sold and transferred out of the company.

The OneTrust Pro DSAR Discovery tool helps growing businesses quickly find and retrieve a consumer’s personal information that has been sold by automating tasks required to discover, delete, redact, opt-out and process access, deletion, or CCPA opt-out requests.

Step #2: Give Your Consumers Notice

Under the CCPA, businesses must provide consumers with notice of their personal information collection practices, as well as a notice of their right to opt out of the sale of their personal information. The required “Do Not Sell My Personal Information” link must direct consumers to a readable opt-out notice written in plain language and presented in an eye-catching format. Notices must also be available in languages used in daily business operations, and accessible to consumers with disabilities. At a minimum, your notices must include:

  • a description of consumers’ right to opt-out
  • a link to an interactive webform to submit opt-out requests
  • instructions on how consumers should submit an opt-out request.

OneTrust Pro Privacy Policy and Notice enables small and mid-size businesses to simplify the process of creating, updating, reviewing, and distributing CCPA compliant privacy policies and notices across websites and applications.

Step #3: Maintain Opt-Out Records

Finally, the California Attorney General’s Modified Regulations require businesses to keep up-to-date records of opt-out requests for at least 24 months. To meet these requirements, you need to maintain records of how and when the request was made, and how and when your business responded. Keeping up with records of opt-out processes and fulfillment will help enable your business to comply with the law, establish accountability, and keep track of consumers who have opted out.

OneTrust Pro Universal Consent and Preference Management provides growing businesses with centralized, up-to-date, and detailed records of consumer opt-outs to help eliminate manual documentation and demonstrate compliance.

Bonus Tip: Train Your Employees on CCPA Requirements

For businesses that want to ensure requirements are met from the start, establish a set of procedures that employees must follow when responding to and fulfilling opt-out requests. To ensure requests are handled properly, train your privacy team and staff responsible for handling consumer requests on the correct opt-out process and applicable CCPA requirements.

OneTrust Pro Awareness Training helps small businesses get familiar with the ins and outs of the CCPA using role-based online training courses that can be easily deployed across your organization.

Covered businesses under the CCPA need to proactively prepare to execute California consumers’ opt-out requests. They will want to make sure they have configured their processes to achieve compliance by the enforcement date. To do so, they will need to adopt privacy software that can help them track a consumer’s personal information and preferences at scale.

With the help of OneTrust Pro, small and mid-size businesses can build a mature compliance program that meets CCPA requirements and honors consumer privacy rights under the law. OneTrust Pro for CCPA makes it easy for growing businesses to automate data discovery, identify and track the sale of personal information to third parties, and efficiently manage opt-out requests from consumers.

Download the OneTrust Pro CCPA Readiness Worksheet and get started on your CCPA compliance program today.