In Ethyca, you can run reports to view all the information relating to your organization’s data flow map. This lets you carry out audits of the personal data that you’re currently processing or provide a paper trail for privacy law compliance.
A “Do Not Sell” (or “Do Not Sell My Personal Information”) request is an action that can be taken by a person whose data is being processed by your business. Put simply, it gives customers the right to opt-out of the sharing of their personal data. It places an obligation upon your business to not sell or otherwise transfer any of their personal information to another business for monetary or other valuable consideration.
That’s a mouthful, and there has been a lot of deliberation about what constitutes a “data sale”, particularly under the California Consumer Privacy Act (CCPA). The long and short is, if your customer says “Do Not Sell My Personal Information”, you need a way to make sure that none of their Personally Identifiable Information (PII) ends up in other hands or data systems. Fortunately with Ethyca, that tricky task is a piece of cake.
In this article, we’ll first take you through a step-by-step guide of how Ethyca handles consent, including “Do Not Sell” requests, which are effectively the removal of consent by users. Then, we’ll explore some of the Frequently Asked Questions around consent management, including the million dollar question – can “Do Not Sell” requests be managed with a cookie tool? (TLDR: No!) Let’s dive in…
The obligation to respect a customer’s right to not have their personal information sold is enforced by leading data privacy law. The California Consumer Privacy Act (CCPA) is explicit in its requirements. Businesses covered by the CCPA must create a mechanism for their customers to opt-out of the sharing of their information without requiring them to set up an account. It’s always good practice to apply data minimization principles in cases such as this i.e. only collect what you need to confirm the request.
The CCPA is explicit with its requirement for the creation of a publicly displayed page titled “Do Not Sell My Personal Information” to facilitate the request. At a minimum, you should clearly provide a “Do Not Sell My Information” hyperlink in the footer of your website to a page titled “Do Not Sell My Information” so that it is available on every page of your site. You’re also required to include this link in your company’s Privacy Policy, and this policy should disclose the categories of personal data you have sold or shared within the past year. If your business does not sell/share personal information with third parties, then it is good practice to provide a page that explicitly states you do not sell customer data.
Ethyca’s consent management system helps you build customer trust and leverage personal data with confidence. A combination of features help you implement a comprehensive yet customer-friendly consent management strategy for your business. These include:
Ethyca offers best-in-class consent management across multiple tiers of its product, including Ethyca CHOICE, a tier aimed specifically at managing “Do Not Sell My Personal Information”. Here’s how it works for you and your customers:
A lot of people wonder whether their existing cookie consent manager will suffice to make their business compliant with “Do Not Sell My Information” requests. The short answer is “no”. Not all personal information is captured by cookies. In reality, personal information comes from multiple sources and is passed between many hands within a modern business.
To begin with, cookies do not capture personal data that are generated from offline sources. For example, from an in-store purchase for a retailer or by your sales team capturing lead data at a real-world conference. Online data sources, on the other hand, are a lot more diverse than simply data captured via browser cookies. Customer data from online purchases or emails captured from a marketing campaign are just some of many examples that don’t rely on cookies.
A modern business needs to be able to enact a cascading flow of data suppression that goes into the very guts of multiple business systems containing things like account info, purchase history, and more. The idea that this could be accomplished by an accept/deny cookies box on a homepage is just not feasible.
If you have any questions about processing “Do Not Sell My Data” requests or about using Ethyca’s data privacy platform, please feel free to reach out and we’d be happy to help!
Ethyca’s VP of Engineering Neville Samuell recently spoke at the University of Texas at Austin’s Texas McCombs School of Business about privacy engineering and its role in today’s digital landscape. Read a summary of the discussion by Neville himself here.
Learn more about all of the updates in the Fides 2.24 release here.
Ethyca’s Senior Software Engineer Adam Sachs goes through the thought process of creating Fideslang, the privacy engineering taxonomy that standardizes privacy compliance in software development.
Learn more about all of the updates in the Fides 2.23 release here.
Our Senior Software Engineer Dawn Pattison walks you through implementing data minimization into your business.
Learn more about all of the updates in the Fides 2.22 release here.
Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!
Request a Demo