Processing "Do Not Sell" Requests Using Ethyca

What is a “Do Not Sell My Personal Information” Request?

A “Do Not Sell” (or “Do Not Sell My Personal Information”) request is an action that can be taken by a person whose data is being processed by your business. Put simply, it gives customers the right to opt-out of the sharing of their personal data. It places an obligation upon your business to not sell or otherwise transfer any of their personal information to another business for monetary or other valuable consideration.

That’s a mouthful, and there has been a lot of deliberation about what constitutes a “data sale”, particularly under the California Consumer Privacy Act (CCPA). The long and short is, if your customer says “Do Not Sell My Personal Information”, you need a way to make sure that none of their Personally Identifiable Information (PII) ends up in other hands or data systems. Fortunately with Ethyca, that tricky task is a piece of cake.

The long and short is, if your customer says “Do Not Sell My Personal Information”, you need a way to make sure that none of their Personally Identifiable Information (PII) ends up in other hands or data systems. Fortunately with Ethyca, that tricky task is a piece of cake.

In this article, we’ll first take you through a step-by-step guide of how Ethyca handles consent, including “Do Not Sell” requests, which are effectively the removal of consent by users. Then, we’ll explore some of the Frequently Asked Questions around consent management, including the million dollar question - can “Do Not Sell” requests be managed with a cookie tool? (TLDR: No!) Let’s dive in...

The obligation to respect a customer’s right to not have their personal information sold is enforced by leading data privacy law. The California Consumer Privacy Act (CCPA) is explicit in its requirements. Businesses covered by the CCPA must create a mechanism for their customers to opt-out of the sharing of their information without requiring them to set up an account. It’s always good practice to apply data minimization principles in cases such as this i.e. only collect what you need to confirm the request.

The CCPA is explicit with its requirement for the creation of a publicly displayed page titled "Do Not Sell My Personal Information" to facilitate the request. At a minimum, you should clearly provide a “Do Not Sell My Information” hyperlink in the footer of your website to a page titled “Do Not Sell My Information” so that it is available on every page of your site. You're also required to include this link in your company’s Privacy Policy, and this policy should disclose the categories of personal data you have sold or shared within the past year. If your business does not sell/share personal information with third parties, then it is good practice to provide a page that explicitly states you do not sell customer data.

 

How Does Ethyca Manage “Do Not Sell” Requests?

Ethyca’s consent management system helps you build customer trust and leverage personal data with confidence. A combination of features help you implement a comprehensive yet customer-friendly consent management strategy for your business. These include:

  • A custom-branded Privacy Center to let your users manage their consent at any time,
  • Auditable consent reports so that you have a record of consent management processes to satisfy privacy regulation in any region,
  • Automated activity flags to easily prevent data accidents by constraining access based on whether consent is given for data processing activities.

Ethyca offers best-in-class consent management across multiple tiers of its product, including Ethyca CHOICE, a tier aimed specifically at managing “Do Not Sell My Personal Information”. Here’s how it works for you and your customers:

  1. The process begins when a user submits a consent management request via the custom-branded Ethyca-powered Privacy Center on your company’s website by clicking on the “Consent” option.

  2. The customer is then shown a popup message and prompted to provide their email address.

  3. Once their email address is submitted, the customer is sent a verification code by email to confirm their identity. Verifying the customer’s identity by a linked email account is necessary to ensure that the entirety of data linked to their account can be suppressed.

  4. After the customer has entered a valid verification code, they will be redirected to their personal consent management page. From here they will be able to view the personal data that your business is processing and choose whether or not they consent to having their data sold. If they toggle the consent for data sale to “No”, Ethyca’s technology will immediately suppress all data flows linked to their account into any third-party systems. In other words, if a user toggles “No” to Data Sales in your business’s Privacy Center, Ethyca automates the fulfillment of this consent choice throughout your business. If you don’t have your entire data infrastructure connected to Ethyca, it will suppress data flows in any platform that is connected, but you’ll also be able to generate an account-based log of “Do Not Sell” request activity to manually suppress activity in unconnected systems.

  5. On your business’s backend, in the Ethyca Control Panel, your team can run an auditable report of all of the consent changes that your customers have made, including any “Do Not Sell” requests. This helps make sure that your customers’ requests are satisfied and that your team can prove full compliance with the law.

Isn’t A Cookie Consent Manager Enough?

A lot of people wonder whether their existing cookie consent manager will suffice to make their business compliant with “Do Not Sell My Information” requests. The short answer is “no”. Not all personal information is captured by cookies. In reality, personal information comes from multiple sources and is passed between many hands within a modern business.

To begin with, cookies do not capture personal data that are generated from offline sources. For example, from an in-store purchase for a retailer or by your sales team capturing lead data at a real-world conference. Online data sources, on the other hand, are a lot more diverse than simply data captured via browser cookies. Customer data from online purchases or emails captured from a marketing campaign are just some of many examples that don't rely on cookies.

A modern business needs to be able to enact a cascading flow of data suppression that goes into the very guts of multiple business systems containing things like account info, purchase history, and more. The idea that this could be accomplished by an accept/deny cookies box on a homepage is just not feasible.

Put simply, not all data is collected by cookies so a cookie consent manager alone is not enough to stay compliant with data privacy law. As a solution, Ethyca provides you with a comprehensive consent management system that covers all categories of personal data, regardless of source.

If you have any questions about processing “Do Not Sell My Data” requests or about using Ethyca’s data privacy platform, please feel free to reach out and we’d be happy to help!


What Is Ethyca, & How Does It Help You Comply With Privacy Laws?

What is Ethyca?

Ethyca is cloud software that lets organizations easily manage all their data privacy requirements. It lets your team rapidly execute privacy tasks which would otherwise take many hours to complete. What’s more, its automation power removes all human error from the execution of these tasks - and people reviewing database tables row by row are very prone to mistakes!

In short: following the world’s privacy laws is made much quicker and much simpler with Ethyca. Oh, and your customers will love their privacy experience too. This has tangible impacts on your business's bottom line.

The software consists of a front-end privacy center for your customers where they can file any privacy requests granted to them by data privacy law. This includes options to opt-in to “do not sell” agreements, update their consent preferences, or make requests to access, amend, or erase their data.

On the back-end, Ethyca has a number of features that help you create a powerful data management strategy. These include:

  • Data integrations that link into all the SaaS and owned applications in  your business’s tech stack,
  • A seamless Data Subject Request management system that can be fully automated,
  • Real-time data mapping that clearly outlines your entire business’s data supply chain,
  • A robust consent management system that ensures that your organization remains up-to-date with customers’ personal data preferences, and lets customers easily opt out of things like Facebook advertising.
  • Automated data entitlements to help ensure that team members only access the data that they’re supposed to, &
  • Streamlined Data Protection Impact Assessments that help you stay compliant with data risk mitigation.

 

Why is Ethyca valuable?

Ethyca helps you create a clear picture of how data privacy affects your organization and provides a seamless solution to address any potential gaps in your data privacy strategy.

If you don’t have a robust system in place to address data privacy management then you’ll likely experience data inefficiencies, create trust issues with your customers, and risk heavy penalties for violating compliance with data privacy law. 

But if that value doesn’t seem concrete enough, let’s talk time and money. Ethyca saves an SMB huge amounts of both in their efforts to comply with the privacy laws they are bound to follow. Per one recent study of businesses in the UK, it takes an average of 83 hours to complete a Data Subject Request in a business of 250+ people. The per-request cost of processing one of these requests amounts to an average of over $4,000. It should be clear that the only way to avoid crippling privacy management costs is to remove the person-hours from this process as much as possible via automation. That’s what Ethyca does.

What are these “Requests” we speak of? Simply put, your customers are entitled to make a series of requests of your organization relating to the data that you are processing about them. These are enforced by the leading data privacy laws across the globe such as General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD). Your organization is obliged to respect them. Ethyca helps you stay ahead of these obligations and capture the most value from your data management system.

Below is a list of the data subject rights imposed by GDPR, CCPA and LGPD which afford the customer certain entitlements that they can exercise by making a data subject request.

GDPR CCPA LGPD
• The right to be informed;

• The right of access;

• The right to rectification;

• The right to erasure;

• The right to restrict processing;

• The right to data portability;

• The right to object to processing;

• The rights in relation to automated decision making and profiling

• The right to notice;

• The right to know;

• The right to delete;

• The right to data portability;

• The right to opt-out;

• The right to opt in (for minors);

• The right not to be subject to discrimination for the exercise of rights

• The right to confirmation of the existence of the processing;

• The right to access the data;

• The right to correct incomplete, inaccurate or out-of-date data;

• The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD;

• The right to the portability of data to another service or product provider, by means of an express request;

• The right to delete personal data processed with the consent of the data subject;

• The right to information about public and private entities with which the controller has shared data;

• The right to information about the possibility of denying consent and the consequences of such denial;

• The right to revoke consent

The time frames by which an organization must complete a Data Subject Request along with relevant fines for violation according to the leading data privacy regulation.

GDPR CCPA LGPD
Time given to comply with Data Subject Request 30 Days 45 Days 15 Days
Maximum fine if right is violated violated State bodies can be fined up to €1 million for failure to meet their obligations.

Multinationals can be fined up to €20 million, or four per cent of their previous year’s turnover.

Unintentional violators can be fined up to $2,500 per individual affected, per violation.

Intentional violators can be fined up to $7,500 per individual affected, per violation.

2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million Brazilian reals.

 

How Does Ethyca Make Data Privacy Management Easier?

Your organization’s data privacy responsibilities need to be taken seriously, so you’ll need a robust and trustworthy system in place to get the job done right. Ethyca gives you the tools to do so, and those tools are designed to automate as much privacy management as possible. This lets you save valuable team hours and focus on the bigger privacy picture. Let’s take a deeper look at some of the functions that it automates for you.

Simplified Data Mapping

Ethyca automatically creates a data inventory or map of your business’s data flow in real-time. This saves your team hours of effort with an instant, birds-eye view of your business’s data supply chain. Automated, dynamic data maps make addressing your customer’s privacy concerns simple, as they create a full picture of all of the personal data that your organization possesses. They also empower you to easily craft reports that are vital for regulatory compliance at fixed, minimal cost.

 

Seamless Data Subject Request Management

Data Subject Requests are one of the most important parts of modern privacy management. These are requests that your customers make to access their data, edit their data, or erase their data. You can view and respond to all of the Data Subject Requests that your business receives from a single control panel within Ethyca. This helps make light work of any Data Subject Requests that your team receives or, if your team prefers, no work at all, as Ethyca allows you to fully automate the process.

When a request comes from a customer, Ethyca scans all your different data systems to surface data related to the customer. Many businesses have 50 or more SaaS and owned applications storing user data, so you can imagine that it would take a long time to do this discovery manually! Once that discovery is done, Ethyca automatically identifies all data for a given user and generates a comprehensive, rapid response to any Subject Request at zero incremental cost to your team.

Sometimes a picture is worth a thousand words. Watch below to see how Ethyca manages Data Subject Requests:

 

Consent Management Made Easy

An easy-to-use and easy-to-deploy consent management system helps you build user trust & leverage data with confidence. Users are more conscious than ever of the way their data is used by third-party apps, advertising platforms, and more. Privacy regulations require businesses to provide customers with controls for managing how a user’s data flows through these systems; without a solution in place, compliance risk is at stake and so are your marketing efforts.
Give up running social ads? No thanks! Want to minimize the risk of lawsuits and fines? Then you must have consent management systems in place.

Fortunately, Ethyca offers the most granular, comprehensive tools on market for making consent management easy. On the front-end, your customers can easily manage their data privacy preferences on your website at any time. On the back-end, Ethyca verifies the users identity, automatically transmits consent updates into every data system in your stack — and your advertising campaigns — while providing a clear audit trail to ensure compliance and minimizing reduction of your target audiences.

 

Automated Data Entitlements

Ethyca integrates with your directory service to streamline access for different roles. This helps ensure that individuals within your organization only access the data that they’re supposed to. Permissions can be automatically determined based on privacy-compliant processing activities or manually assigned by a system admin if necessary. This means your teams can work uninhibited while still maintaining the highest standards of data privacy and security, with audit logs of any changes for your peace of mind.

 

Streamlined Impact Assessments

As a legal must-have, Data Protection Impact Assessments require dedicated, reliable technology to be carried out efficiently. Ethyca streamlines the process by building DPIAs into the coding workflow and allowing them to be submitted via the command line. Impact assessments as code mean hours of back and forth email correspondence about a potential data risk turn into a single code-line command. Ethyca then automatically generates risk analysis reports for all processes, providing a comprehensive audit trail for regulators.

 

Conclusion: Why Ethyca?

There are other tools that offer data privacy compliance solutions out there, but Ethyca goes deeper into your businesses tech stack - and consequently eliminates more of the manual effort - than any other tool on the market. Where other vendors may offer elaborate workflow tools to give a sense of thoroughness, we build all that thoroughness directly into our code, creating a user experience that's streamlined, elegant, and still completely comprehensive for complying with privacy laws all over the world.

An effective privacy management strategy is fundamental for any modern business, and having the right tools to address your customer’s data privacy concerns efficiently is crucial. If you have any questions about data privacy management or about using Ethyca’s data privacy platform, please feel free to reach out and we’d be happy to help!


Finalization of CCPA Regulations

Part of an extensively annotated music sheet of Mozart’s Fantasia in D minor.

 

Update From The CA-AG

On August 17, 2020, California Attorney General Xavier Becerra announced the finalization of the CCPA regulations, bringing an almost year-long process of refinement to an end. We've covered some of the previous rounds of updates to the CCPA elsewhere, but given that this marks the end of long rounds of CCPA wordsmithing, we thought the August 17 clarifications deserved a standalone post.

CCPA Clarifications

The key areas that were refined or clarified in this latest and final round were:

  • The "Do Not Sell" requirement was amended such that "Do Not Sell My Info" is not listed as acceptable language for the homepage link requirement. This means only "Do Not Sell My Personal Information" is the only explicitly mentioned acceptable language to use when allowing consumers to exercise this right. If your business has implemented a "Do Not Sell My Info" link on your homepage, it must be modified to "Do Not Sell My Personal Information".
  • Next, the California AG deleted the provision that allowed businesses to deny requests from authorized agents who can't show proof that they're authorized to act on consumers' behalf. However, there are other CCPA provisions that allow businesses some ability to verify authority, including permission to verify with the consumer that the authorized agent has been cleared represent them.
  • The AG also removed the requirement that businesses offer an offline mechanism for filing Do Not Sell requests. Instead, businesses can direct users to their online service for managing those requests.
  • There were additional clarifications around the upfront consent needed to use consumer data for explicit purposes and the user experience requirements for Do Not Sell requests.

Key Takeaways

The final round of CCPA clarifications skews business-friendly. Some of the more onerous requirements around the Do Not Sell requirement were eased or alleviated. With that said, it's notable that businesses may now need to do more legwork when scoping their dealings with authorized agents purporting to represent California consumers. Perhaps the highest-level takeaway is that the CCPA text is actually finalized - at least until California returns to the ballot box on November 4, 2020 to vote on "CCPA 2.0", The California Privacy Rights Act.

Per Future of Privacy Forum policy counsel Pollyanna Sanderson:

This essentially leaves the CCPA as a notice and consent regulatory model, with extra room for potentially coercive consent mechanisms.

How To Run Automated Privacy Reports In Ethyca

Ethyca Simplifies Privacy Management Reporting

Effective, well-executed reporting helps you:
1. Maintain a consistent audit trail for data privacy compliance;
2. Improve your user’s experience by providing you with actionable insights;
3. Create a more efficient data infrastructure by drawing attention to redundant data.

Ethyca's automated reporting functions let your team get quick, actionable insights into the shape your data flows and the character of your customers' privacy requests. 

Ethyca allows you to seamlessly run reports on all of your data privacy activities. Below, we’ll take a look at a report you can automatically generate on the personal information that is referenced in your company’s data flow map. We’ll also look at a report on all of the data subject requests received by users for a given period.

Reporting on Your Data Flow Map

In Ethyca, you can run reports to view all the information relating to your organization’s data flow map. This lets you carry out audits of the personal data that you're currently processing or provide a paper trail for privacy law compliance.

To get started, log into your Ethyca Control Panel. From the Ethyca Control Panel homepage you should navigate to the “Datamaps” section.

From here, click “Download Report” below the visual of your company’s Data Flow Map.

Once the report is downloaded, open the file to view its contents. The report will contain a snapshot of the flow of personal data across your data infrastructure.

This is a rich source of evidence of data privacy law compliance should you ever need to provide it. It is also an excellent way to assess the necessity of any personally identifiable information that your organization is processing at any time. 

Below is a list of key elements from the report that contain excellent insights into the personal data that your company is processing.

INFORMATION TYPE DESCRIPTION
Timestamp The time and date at which the report was generated. This is important to reference because your data map is not static and will change over time.
Source Service A reference to the system of software where the data was captured or where it originated.
Source Type The type of system or software where the data came from. Typically in-house or third party service.
Source Activity The type of data processing that is being carried out on the data at the source.
Destination Source The system or software that the data is transferred to, from the source.
Destination Type The type of system or software where the data is transferred to. Typically in-house or third party service.
Destination Activity What happens to the data when it is transferred to its destination.
Data Class The type of data that is being processed e.g. phone number, email, name, IP address etc.
Processing Activity The activity that the data is being used for e.g. testing, fraud monitoring, email marketing etc.
Involved Datastore The exact system or software where the data that is being processed is stored.
Subject Types Involved The individual whose data is being processed e.g. customer, employee etc.
Internal User Types with Access The individuals or teams who have access to the data that is being processed e.g. sales manager, all employees, marketing team etc.

 

Reporting on Your Data Subject Requests

Ethyca also allows you to run reports on all of the data subject requests that your organization has received so that you have a record for compliance. This report is also useful for understanding the most common data subject requests that your users are making, so that you can more proactively deal with such requests in future.

To access your Data Subject Request report you should navigate to the “Reports” section of the Ethyca Control Panel.

From here, you have the option of running reports on your Data Subject Requests, running reports on the consent that has been granted by your users, or running reports on the usage of your privacy centre. For now we’ll focus on a report on Data Subject Requests. 

You can access this report under the “DSR” tab by clicking the “Download” option beside the Date Range that you wish to view the report for. 

Once you click download, a new tab will open containing a report on your Data Subject Requests. 

The report will contain important information about all Data Subject Requests received during the selected date range. This will include a summary of the type and amount of requests received for that period. It will also detail how many requests of a given type are at each stage of processing at the time the report was generated. Lastly, it highlights areas that may require added focus if a large number of users are making the same type of data subject request each month. 

You can also view the details on individual subject request reviews. This includes whether the review was accepted or rejected, the date it was carried out, who carried it out, and any additional clarifying commentary they made while processing the request. This is crucial information for the purposes of auditing your data privacy management practices. It also uncovers opportunities for improving the way your company responds to data subject requests or how it manages personal data in the first place.

Reporting on your company’s data privacy management practices is a fundamental process that should be both reliable and easy to execute. If you have any questions about data privacy management reporting or about using Ethyca’s data privacy platform, please feel free to reach out and we’d be happy to help!


Fine Tracking

Country Law Fine
Argentina APDPA 1,411
Australia APA 6,947,750
Brazil GDPL 9,374,004
Canada PIPEDA 73,580.50
India PDP 1,996,042.50
Indonesia EIT 52,173.19
Japan APPI 4661
Malaysia PDPC 70,340
Mexico INAI 1,237,351
New Zealand Privacy Bill 6,581
Philippines RA 10173 101,227
Russia PD Law 281,070
South Africa POPI 598,803.20
Switzerland FDLP 265,673.75
Thailand PDPA 159,540.65
European Union GDPR 20,000,000

Fine Tracker World Map

USA Privacy Fines Map

State Law Fine Penalty Status
California CCPA 7,500 Fines up to $7,500 per violation Passed & In effect
Rhode Island S2430 7,500 Fines up to $7,500 per violation In consideration
Minnesota HF3096 750 Civil rights action up to $750/customer In consideration
New York NYPA 750 Civil rights action up to $750/customer In consideration
Massachusetts S-120 750 Civil rights action up to $750/customer In consideration
Virginia HB 473 500 Civil rights action up to $500/customer In consideration
Connecticut SB134 7,500 Fines up to $7,500 per violation In consideration
Maine LD-946 7,500 Fines up to $7,500 per violation Passed & In effect
Nevada NPICICA 7,500 Fines up to $5,000 per violation Passed & In effect
Nebraska NCDPA 7,500 Fines up to $7,500 per violation In consideration
Texas TXCPA 7,500 Fines up to $7,500 per violation In consideration
Wisconsin AB870 20,000,000 Fines up to $20 million In consideration
Country Law Fine
Argentina APDPA 1,411
Australia APA 6,947,750
Brazil GDPL 9,374,004
Canada PIPEDA 73,580.50
India PDP 1,996,042.50
Indonesia EIT 52,173.19
Japan APPI 4661
Malaysia PDPC 70,340
Mexico INAI 1,237,351
New Zealand Privacy Bill 6,581
Philippines RA 10173 101,227
Russia PD Law 281,070
South Africa POPI 598,803.20
Switzerland FDLP 265,673.75
Thailand PDPA 159,540.65
European Union GDPR 20,000,000
State Law Fine Penalty Status
California CCPA 7,500 Fines up to $7,500 per violation Passed & In effect
Rhode Island S2430 7,500 Fines up to $7,500 per violation In consideration
Minnesota HF3096 750 Civil rights action up to $750/customer In consideration
New York NYPA 750 Civil rights action up to $750/customer In consideration
Massachusetts S-120 750 Civil rights action up to $750/customer In consideration
Virginia HB 473 500 Civil rights action up to $500/customer In consideration
Connecticut SB134 7,500 Fines up to $7,500 per violation In consideration
Maine LD-946 7,500 Fines up to $7,500 per violation Passed & In effect
Nevada NPICICA 7,500 Fines up to $5,000 per violation Passed & In effect
Nebraska NCDPA 7,500 Fines up to $7,500 per violation In consideration
Texas TXCPA 7,500 Fines up to $7,500 per violation In consideration
Wisconsin AB870 20,000,000 Fines up to $20 million In consideration