Does My Business Need A “Button” To Comply With The CCPA’s Do Not Sell Rule?

The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 and went into effect in 2020. Among the many concerns about the ability of small businesses to comply with the obligations imposed by the CCPA is the requirement that a company allow Californians to access the information held about them or, in some situations, request that the information they provided to a company be deleted. Your clients may be asking you about the CCPA. While each business should evaluate the law in terms of its own specific situation, here are some general guidelines to start the process.

Does the CCPA Apply to My Business?

If your business satisfies one or more of the following, then the CCPA applies:

(i) annual gross revenue in excess of $25 million;

(ii) buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices, (a) for commercial purposes (assume always true), (b) alone or in combination (assume always true), (c) annually; or

(iii) derives fifty percent (50%) or more of its annual revenues from selling consumers’ personal information.

Even if the business does not itself collect personal information, as long as the information is collected on behalf of a business (such as through a third party), the business could be covered by the CCPA, assuming the other requirements are satisfied.

What is the Do Not Sell Rule?

The Do Not Sell rule is a key part of the regulation. It states that businesses must give consumers the option to opt out of the sale of their personal data.

Specifically, the regulation says that businesses must:

  • Have a page on their website titled “Do Not Sell My Personal Information.” On this page, consumers based in California can opt out of the sale of their personal data.
  • The business must clearly link to the “Do Not Sell My Personal Information” webpage from the homepage.
  • The website must describe, in its privacy policy, the consumer’s rights to opt out of the sale of personal data and provide a link to the “Do Not Sell My Personal Information” page.
  • Once a user requests that a business not sell their personal information, the business must respect this decision for a minimum of 12 months.
  • Finally, websites should have a way to prove that they are respecting these customer requests.

Businesses and website owners need to put processes in place that will help them adhere to the above guidelines.

For more information about the impact of the CCPA on your business, please contact the lawyers at Adler Law Group to schedule a consultation.