Hidden tips related to “Do Not Sell” in the CA AG’s Online Consumer Privacy Tool

Emily Cohen, David Manek
Ankura
Contact
LinkedIn
Facebook
X
Send
Embed

On July 19, 2021, the California Attorney General announced the launch of a new online Consumer Privacy Interactive Tool which allows consumers to directly notify businesses of potential noncompliance that do not have a “Do Not Sell My Personal Information” link that is easy to locate on their homepage.

The Tool asks guided questions to walk consumers through the elements of the CCPA and includes some important insight as to what the CA AG might be evaluating when assessing a business’ California Consumer Privacy Act (“CCPA”) compliance posture.

The Tool starts by asking if the business is for profit, followed by similar questions related to whether the organization is covered by CCPA (i.e., does the business have annual revenue of over $25MM) and if the business would be considered a service provider (i.e., a business that is providing services on behalf of another business).

The fourth question in the series is “Does the business sell consumers’ personal information to third parties?”

Data privacy professionals know that identifying a sale as defined by the CCPA is a difficult question to answer without understanding specific elements of the underlying personal information data transfer. For example, when evaluating if a sale is occurring, we need to understand if consideration is exchanged or if the importer is acting as a service provider.

The CA AG allows for the user to select the option “I don’t know / I don’t understand the question” which then reveals a tip sheet.

The CA AG’s tip sheet includes the following:

“…One way to find out if a business sells personal information is to read its privacy policy. Every business that must comply with the CCPA must have a privacy policy…”

“…Make sure to read the privacy policy carefully. Some businesses use words other than “sell” or say they don’t sell personal information but describe ways they share information that may constitute “selling” under the CCPA. For the purposes of a consumer’s notice of noncompliance, look for language that indicates the business may provide personal information to third parties for its commercial purposes—for example, phrases like:

  • We may share your information with third-party companies
  • Our advertising partners may collect information about you
  • We provide information to other companies, sites, or platforms to develop services to offer you

A business’s sharing of information with its own “service providers” is not “selling” under the CCPA…”

How can you use this information?

If your organization takes the position that you do not sell personal information under the CCPA, or you do not have a “Do Not Sell My Personal Information” link on your website, you may be drawing attention to your data privacy practices if you are making statements in your data privacy policy that a) you share information with third-party companies, b) you have advertising partners collecting personal information or c) you are sharing personal data with other companies that are not service providers.

Your CCPA readiness program should have introduced mitigation solutions such as entering into service provider contracts with third parties or introducing robust third-party cookie management programs through the use of a consent management platform. These mitigation solutions help provide documentation of compliance measures and help reinforce your business’s position on sale.

These tips from the CA AG highlight where conflicts can arise between the organization’s Do Not Sell stance and language in the privacy policy. This situation creates an easy target for consumers and regulatory agency to raise questions. The data privacy team at your company should review your external facing privacy policy in relation to the new interactive Tool provided by the CA AG.

Finally, it is important to note two additional statements the CA AG makes in the opening paragraphs of the Tool site:

  • While the Tool currently is focused on helping consumers draft notices related to Do Not Sell my Personal Information noncompliance, the Tool scope may be expanded in the future and
  • “…the OAG collects the information you provide in the tool to assist us in investigating and enforcing the law.”

A link to the Tool can be found here.

Written by:

Ankura
Ankura
Contact
more
less

Ankura on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide