The CCPA’s “Do Not Sell My Personal Information” Provision

The state of California has come up with a unique solution to deal with data privacy concerns of its citizens by including a “Do Not Sell My Personal Information” provision in the CCPA. This lets consumers deny or withdraw consent to businesses who might otherwise use their data for profit or research purposes.

Under the CCPA, every company under California jurisdiction should clearly specify the points where user data is collected, and must have a URL redirecting to a “Do Not Sell My Personal Information” page on the company’s website. Moreover, it is also necessary to include the same in the privacy policy.

How should businesses respond to this?

The “Do Not Sell My Personal Information” provision can be a challenge for businesses who rely heavily on monetization of data, or are completely dependent on user data. But with the appropriate amount of consideration, businesses can adjust without a severe blow to their operations.

To ensure best practices are being followed, businesses can assign a Data Protection Officer, an individual who will supervise privacy concerns of users. Having a DPO in place will strengthen the trust between the user and company, and protect the business from stark consequences of violating the CCPA.

Companies can take the following steps to prepare for the CCPA’s requirement:

  1. First, you need to identify whether your company falls under the CCPA’s regulatory restrictions. There’s more about the criteria for who is covered here.
  2. After this, the company should inspect all the ways they collect data and thoroughly examine each process. They must disclose to their consumers all the different ways in which they collect and monetize user data in the company privacy policy.
  3. To insure transparency in the web experience, the CCPA has asked the companies to clarify a disclosure at or before the point of data collection. Companies must therefore consider the need to restructure their websites to adhere to these regulations.
  4. Furthermore, companies should ensure they link to the “Do Not Sell My Personal Data” page on their homepage and in the privacy policy. The CCPA explicitly stipulates that users should be able to file a “Do Not Sell My Information” request without creating an online account. The company should also be prepared to handle customer requests and address them within 45 days.
  5. Lastly, to function smoothly even after abiding by the CCPA, a company should examine its clientele. Does it make sense to have a separate web property for California consumers? Or does it make the most sense to overhaul all company properties to be CCPA-compliant event though consumers from other states will visit? This is a business decision unique to each company, but it’s worth noting that lots of prominent companies (like Microsoft, for example) have committed to honoring the CCPA standards nationwide.

These are the steps which can be taken by the companies in order to build a reliable consent management platform so that they can function without legal hindrances from the CCPA and consumers.