The CCPA Has Placed a Mandatory Link on Your Company’s Homepage

Carlton Fields
Contact

Carlton Fields

If a company sells personal information of California consumers, then the California Legislature has claimed real estate on its homepage. This article summarizes this new requirement of a “Do Not Sell My Personal Information” link and provides some practical guidance.

The California Consumer Privacy Act of 2018 (CCPA) in certain instances requires a business to “[p]rovide a clear and conspicuous link on the business’ Internet homepage, titled ‘Do Not Sell My Personal Information,’ to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information.” Sec. 1798.135(a)(1).

This requirement applies only to businesses that “sell” personal information about California consumers to third parties. Sec. 1798.120(a). “Sell” in the world of the CCPA does not really mean “sell” — it means share for any benefit at all. Sec. 1798.140(t). What this homepage requirement does is make operational the CCPA’s much-discussed “right to opt out,” that is, a consumer’s right to demand that a company stop transferring his or her personal data for value to others. Sec. 1790.120(a).

Compliance requires more than a cosmetic website tweak. By January 1, 2020, the effective date of the CCPA, the company must also:

  • Construct a back-end system that takes opt-out requests from the webpage and turns it into a reality. Sec. 1798.135(a)(4).
  • Train individuals responsible for “handling consumer inquiries” on how to direct consumers to exercise the right to opt out. Sec. 1798.135(a)(3).
  • Figure out a system so that the company refrains from soliciting the sale data of an opting-out customer for 12 months from the date of opting out. Sec. 1798.135(a)(5).


A website’s landing page is not the only place where this “Do Not Sell My Personal Information” link must appear. A company must also install it in the company’s (i) online privacy policy or policies if the business has one; and (ii) any California-specific description of consumers’ privacy rights. Sec. 1798.135(a)(2). The CCPA also defines “homepage” to include “any Internet Web page where personal information is collected,” suggesting that some may interpret the statute to require that the link be included on other parts of the website where the user inputs data or user data is tracked or collected. Sec. 1798.140(l).

We have already observed a number of websites adopting a separate “California privacy rights” link from its general “privacy rights” link for residents of every other state, accessible from the homepage. Such a strategy does not deploy the actual language that the statute requires for the “do not sell” link and may face compliance challenges.

A more certain way to avoid having this “do not sell” link on the common homepage, other than not selling California residents’ data, is both an engineering and advertising challenge. That is, the law allows an entirely separate homepage for California residents (with the link) and one for everyone else (without the link). Sec. 1798.135(b). If a company takes California up on that challenge, it must further “take[] reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally.” Id. We look forward to seeing enterprising web engineers experiment with what “reasonable steps” might work here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Carlton Fields | Attorney Advertising

Written by:

Carlton Fields
Contact
more
less

Carlton Fields on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.