Processing “Do Not Sell” Requests Using Ethyca

What is a “Do Not Sell My Personal Information” Request?

A “Do Not Sell” (or “Do Not Sell My Personal Information”) request is an action that can be taken by a person whose data is being processed by your business. Put simply, it gives customers the right to opt-out of the sharing of their personal data. It places an obligation upon your business to not sell or otherwise transfer any of their personal information to another business for monetary or other valuable consideration.

That’s a mouthful, and there has been a lot of deliberation about what constitutes a “data sale”, particularly under the California Consumer Privacy Act (CCPA). The long and short is, if your customer says “Do Not Sell My Personal Information”, you need a way to make sure that none of their Personally Identifiable Information (PII) ends up in other hands or data systems. Fortunately with Ethyca, that tricky task is a piece of cake.

The long and short is, if your customer says “Do Not Sell My Personal Information”, you need a way to make sure that none of their Personally Identifiable Information (PII) ends up in other hands or data systems. Fortunately with Ethyca, that tricky task is a piece of cake.

In this article, we’ll first take you through a step-by-step guide of how Ethyca handles consent, including “Do Not Sell” requests, which are effectively the removal of consent by users. Then, we’ll explore some of the Frequently Asked Questions around consent management, including the million dollar question – can “Do Not Sell” requests be managed with a cookie tool? (TLDR: No!) Let’s dive in…

The obligation to respect a customer’s right to not have their personal information sold is enforced by leading data privacy law. The California Consumer Privacy Act (CCPA) is explicit in its requirements. Businesses covered by the CCPA must create a mechanism for their customers to opt-out of the sharing of their information without requiring them to set up an account. It’s always good practice to apply data minimization principles in cases such as this i.e. only collect what you need to confirm the request.

The CCPA is explicit with its requirement for the creation of a publicly displayed page titled “Do Not Sell My Personal Information” to facilitate the request. At a minimum, you should clearly provide a “Do Not Sell My Information” hyperlink in the footer of your website to a page titled “Do Not Sell My Information” so that it is available on every page of your site. You’re also required to include this link in your company’s Privacy Policy, and this policy should disclose the categories of personal data you have sold or shared within the past year. If your business does not sell/share personal information with third parties, then it is good practice to provide a page that explicitly states you do not sell customer data.

How Does Ethyca Manage “Do Not Sell” Requests?

Ethyca’s consent management system helps you build customer trust and leverage personal data with confidence. A combination of features help you implement a comprehensive yet customer-friendly consent management strategy for your business. These include:

• A custom-branded Privacy Center to let your users manage their consent at any time,
• Auditable consent reports so that you have a record of consent management processes to satisfy privacy regulation in any region,
• Automated activity flags to easily prevent data accidents by constraining access based on whether consent is given for data processing activities.

Ethyca offers best-in-class consent management across multiple tiers of its product, including Ethyca CHOICE, a tier aimed specifically at managing “Do Not Sell My Personal Information”. Here’s how it works for you and your customers:

1. The process begins when a user submits a consent management request via the custom-branded Ethyca-powered Privacy Center on your company’s website by clicking on the “Consent” option.
2. The customer is then shown a popup message and prompted to provide their email address.
   
3. Once their email address is submitted, the customer is sent a verification code by email to confirm their identity. Verifying the customer’s identity by a linked email account is necessary to ensure that the entirety of data linked to their account can be suppressed.
4. After the customer has entered a valid verification code, they will be redirected to their personal consent management page. From here they will be able to view the personal data that your business is processing and choose whether or not they consent to having their data sold. If they toggle the consent for data sale to “No”, Ethyca’s technology will immediately suppress all data flows linked to their account into any third-party systems. In other words, if a user toggles “No” to Data Sales in your business’s Privacy Center, Ethyca automates the fulfillment of this consent choice throughout your business. If you don’t have your entire data infrastructure connected to Ethyca, it will suppress data flows in any platform that is connected, but you’ll also be able to generate an account-based log of “Do Not Sell” request activity to manually suppress activity in unconnected systems.
5. On your business’s backend, in the Ethyca Control Panel, your team can run an auditable report of all of the consent changes that your customers have made, including any “Do Not Sell” requests. This helps make sure that your customers’ requests are satisfied and that your team can prove full compliance with the law.

Isn’t A Cookie Consent Manager Enough?

A lot of people wonder whether their existing cookie consent manager will suffice to make their business compliant with “Do Not Sell My Information” requests. The short answer is “no”. Not all personal information is captured by cookies. In reality, personal information comes from multiple sources and is passed between many hands within a modern business.

To begin with, cookies do not capture personal data that are generated from offline sources. For example, from an in-store purchase for a retailer or by your sales team capturing lead data at a real-world conference. Online data sources, on the other hand, are a lot more diverse than simply data captured via browser cookies. Customer data from online purchases or emails captured from a marketing campaign are just some of many examples that don’t rely on cookies.

A modern business needs to be able to enact a cascading flow of data suppression that goes into the very guts of multiple business systems containing things like account info, purchase history, and more. The idea that this could be accomplished by an accept/deny cookies box on a homepage is just not feasible.

Put simply, not all data is collected by cookies so a cookie consent manager alone is not enough to stay compliant with data privacy law. As a solution, Ethyca provides you with a comprehensive consent management system that covers all categories of personal data, regardless of source.

If you have any questions about processing “Do Not Sell My Data” requests or about using Ethyca’s data privacy platform, please feel free to reach out and we’d be happy to help!