As the CCPA’s effective date approaches, businesses are actively monitoring how companies will update their websites and privacy notices to comply with the new disclosure requirements of the Act. While many companies are prepared to update their websites at the end of the year, websites that are preemptively changed before year-end are reviewed and scrutinized for signs of emerging industry standard practice.
To-date, the placement of a “do not sell” link on a website has not arisen to the level of an industry practice.
In order to help companies understand and benchmark standards and practices, BCLP analyzed a random sample of the privacy notices of Fortune 500 companies.1 Based upon that sample, as of December 13, 2019, only 6% of the total sample population had placed a “Do Not Sell My Personal Information” link either within their privacy notice or on their homepage. 2 The percentage is slightly higher when viewed as a function of only those websites that have already updated their privacy notices for the CCPA. Within that sub-sample, 33% of companies have included a “Do Not Sell My Personal Information” link.
Interestingly, none of the companies that have included such a link appear to have a working mechanism for effectuating a “do not sell” request. One company’s link takes users to a data subject request portal that does not contain a “do not sell” option; the other company’s link takes users to an online chat bot that does not respond to requests for information not to be sold. It remains to be seen whether regulators and the plaintiff’s bar will view the inclusion of a link that is not functional as raising legal concerns under the Federal Trade Commission Act (“FTCA”) and state Unfair and Deceptive Trade Practice Acts (“UDTPA”).
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1.Using a computer random number generator, BCLP selected 6% of the companies listed among the Fortune 500 in 2019. Revenues for the selected companies ranged from $85 billion to $5 billion. While BCLP did not conduct statistical analysis to determine whether the sample selected accurately represented the range of businesses in the United States, the sample contained companies focused on retail, financials, food, agriculture, manufacturing, entertainment, and energy.
2. In the event that a business sells personal information (as those terms are defined within the CCPA), the Act requires the business to include a link on their homepage and in their online privacy notice titled “Do Not Sell My Personal Information.”
[View source.]
