Understanding CPRA Compliance: ‘Do Not Sell/Share’ and Personal Data Requirements
Privacy & Compliance | December 08, 2022
The passing of the California Consumer Privacy Act (CCPA) and the subsequent California Privacy Rights Act (CPRA) ushered in a new era of data privacy regulation over for-profit businesses in California. As other states enact similarly comprehensive legislation, not only are digital privacy best practices becoming the law, but transparency and privacy are increasingly expected by consumers. Consumers have become more aware of how their personal information is used in ever-evolving ways, and now they have more options to control it.
In order to comply with these evolving regulations, it’s important to understand how these laws define personal data, as well as the regulations on its use. In this article, we’ll cover what qualifies as personal information under the CCPA and the CPRA, as well as the legal requirements regarding the processing, storing, collecting, sharing and selling of this data.
What is defined as personal information under the CCPA?
The CCPA defines personal information as: “information that identifies, relates to, or could reasonably be linked with you or your household.” This definition is purposely broad. The categories of personal data protected under this legislation are direct personal data, indirect personal data, biometric and health data, sensitive personal information, and internet activity.
A non-exhaustive list of examples includes:
- social security number
- religious beliefs
- political beliefs
- genetic data
- email address
- products purchased
- Internet browsing history
- IP address
- unique cookie ID
- geolocation data
What are the requirements for collecting and processing personal information under the CCPA and CPRA?
Under the CCPA and CPRA, businesses are usually not required to obtain prior consent or have any other legal purpose for collecting personal data (as is required under the GDPR). The CCPA instead entitles individuals to access what personal information businesses keep on them and how that information is used, as well as providing them with actions they can take to dictate the future uses of that data.
California citizens have the right to know what types of personal information a business collects about them and how it is used and shared. The CCPA requires businesses to provide this information in the form of a “notice at collection.” Data collectors and processors are required to inform data subjects on the categories of personal information that are being collected, the purposes of collection, the extent of the use of personal data, categories of sensitive personal information collected, the length of data retention, and whether or not collected information is sold or shared.
Right to Opt-Out
California citizens have the right to request that businesses stop selling or sharing their information. Businesses that sell personal information must provide a way for customers to request to opt-out of their information being sold via an easily found “Do Not Sell My Personal Information” button or link. This must be a simple opt-out option—the link must not prompt customers to create an account or verify their identity beyond basic questions that would be used to identify which personal info is connected to that individual. After an individual opts-out, businesses cannot contact them asking them to opt-in again for at least 12 months.
Rights to Delete and Correct
California citizens have the right to have their personal information deleted. Businesses must designate at least two methods of submitting a request to delete personal information (for example, an email address, a web form, or a toll-free number to call). California citizens also have the right to correct any inaccurate personal information.
Under the CPRA, data collectors and processors must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information,” or risk penalties of up to $7,500 for each individual violation, or even civil action from data subjects
What is “sensitive” personal information, as defined by the CPRA?
With the passage of the ballot measure approving the CPRA, which takes effect January 1, 2023, the CCPA has been expanded upon and amended in certain areas. The CPRA upholds the CCPA’s definition of personal information, but provides a new special category of personal information, called sensitive information, which includes:
- Social security number
- State-issued ID number
- Passport number
- Account login along with password or required credentials
- Racial or ethnic origin
- Sexual orientation
- Genetic information
- Biometrics that are used for the purpose of identifying a unique person
- Personal mail, email, and text message contents when the recipient is not the business accessing it
- Precise geo-location data
The CPRA gives Californians the right to know about how their sensitive personal information is collected, used, shared, and retained, but the onus is still on the individual to request limitations on that use.
‘Limit the Use of My Personal Information’ Links
While the CCPA allows consumers to opt-out of the sale of their personal information, the CPRA adds to that right by letting consumers opt-out completely of the use and disclosure of their personal information.
Under the CPRA, companies that use or disclose sensitive personal information must must give notice to consumers and must include “a clear and conspicuous” link on the company’s website), titled “Limit the Use of My Sensitive Personal Information,” that will let the consumer limit the disclosure of personal information.
What exceptions exist?
There are a few categories of information that do not qualify as personal information under the CCPA and CPRA, and are thus not subject to the regulation.
Publicly Available Information
Public information such as that found in federal, state, or local government records is not considered personal information.
When an individual’s data is included as part of a large group and the individual consumer identities have been removed, it is not personal information.
Information that has been properly deidentified is not considered personal information. To meet the CCPA’s narrow definition of deidentified, information “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular customer.” Further, the business must have processes and technology disabling reidentification of the data or inadvertent release of the de-identified data.
Is personal information under the CCPA the same as personal data under the GDPR?
Personal information is slightly different under the CCPA than under the GDPR.
Under both the GDPR and CCPA, the term “personal data” means any information that can directly or indirectly identify an individual person. The GDPR, and now (with the addition of the CPRA) the CCPA, both distinguish a “sensitive personal data” category.
However, personal information under the GDPR includes publicly available information, whereas the CCPA does not include publicly available information.
Personal information under the GDPR is limited to information that is exclusive to the identification of one specific individual, whereas the CCPA broadens the definition to include a household.
What are the Do Not Sell/Do Not Share Rules?
The Do Not Sell and Do Not Share rules are stipulation of the CCPA and CPRA that gives consumers the right to opt-out of the sale or sharing of personal information. This means that any organization doing business in California must provide a page for consumers to opt-out of their information being sold or shared. If a business sells or shares consumer data in any way, this page must be easily accessible on their website; this is typically placed at the bottom of the page where all the other links for the website are located.
There are additional specific requirements to meet the Do Not Sell Rule. Some of the requirements include:
- The business must notify consumers if their data is being sold or shared and that they can opt-out
- The Do Not Sell/Share My Information link should be visible on the site
- Consumers should be able to opt-out without having to create an account on the site
- The business must opt-out the consumer for at least 12 months. If they want to opt-in the consumer to sell or share their information, they must request permission again
If a consumer opts out of the sale or sharing of their data, businesses are not only responsible not only for what they do with customer data but also for what third-party partners may do with the data. For example, if you post website ads from a third party, you must ensure they do not store customer data. The same requirement extends to services such as trackers, telemetry, online assistants, and shopping carts. You will need to monitor and control all data flows with third parties, and you will be responsible for any data leakage.
What are the requirements for a compliant “Do Not Sell or Share” page?
Simply having a Do Not Sell/Share page isn’t enough. A business must follow the guidelines set out by the CCPA for what a compliant Do Not Sell page is. Some of the guidelines required on the page include the following:
Explanation of the right to opt-out: The CCPA requires a do not sell page to clearly explain to the consumer that they have the right to opt-out. This should be at the top of the page and should explain clearly to consumers why they have the right to opt-out and what steps they need to take to do so. You can include the types of personal information that they can opt-out from in your explanation; this will help give your audience a better understanding of what types of data can be sold if they don’t opt-out.
Opt-out form: An opt-out form is a form displayed on your Do Not Sell page which allows consumers to opt out of their data being sold. The form should ask enough information to identify the consumer and remove them from a company’s data-selling databases. The opt-out form should not ask for any new data on the consumer.
Multiple opt-out methods: The CCPA requires a Do Not Sell page to have at least two methods to submit an opt-out request. The Do Not Sell page can be one of your opt -ut methods, the other opt-out methods can include:
- Sending an email address to the company
- Calling the company phone number
- A physical form submitted via mail or in-person
How the CCPA and CPRA define ‘sell’ and ‘share’
It’s crucial to have a good understanding of what the CCPA means by selling consumer data. Under the CCPA, the terms “sell, sale or sold” refer to selling, releasing, renting, disseminating, transferring, communicating orally or writing pertaining to a customer’s personal information. More specifically, it relates to giving the personal information of a consumer to another business or third party for “monetary or other valuable consideration”.
This phrasing can apply to any act of sharing personal information to a third party for any exchange of value. There are some exceptions to “selling” customer data, these exceptions include for business purposes with a different provider, under the customer’s instructions, to inform a third party that the customer has opted out or during a merger or acquisition.
The CPRA’s defines “sharing” as “communicating orally, in writing, or by electronic or other means, a consumer’s personal information . . . to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.”
Does my organization need to comply with the CPRA?
If your organization plans to offer any services in California or to California residents, you may be required to comply with the CCPA. There are different thresholds depending on your company’s size, data services and location that will require you to comply with the CCPA. The main types of companies that are required to comply with the CCPA include:
Companies with over $25 million in revenue: If you are a company that serves California residents and generate over $25 million in revenue annually, you are legally required to comply with CCPA. The revenue meant by the CCPA is total global revenue, not just revenue generated in California. Companies of this size must comply with the CCPA to do business in California.
Companies that generate over $50k from consumer information: All companies that generate over $50k directly from consumer information are required to comply with the CCPA. Since these businesses profit directly from the use of consumer personal data, the CCPA must ensure their operations are within their guidelines, and they are not hurting California users.
Companies that derive >50% of revenue from consumer data: Additionally, companies that generate more than 50% of their revenue from consumer data have to comply with the CCPA. This is a different distinction than the last requirement because it encompasses companies of all sizes that derive the majority of their revenue from consumer data.
Enable Compliance with CHEQ Privacy
To stay compliant with these laws, you can’t rely on vendors that offer nominal compliance or privacy management through simple workflow mechanisms that rely on connections to additional systems, to enact any policy put in place and greatly aggravate data leakage vulnerabilities. CHEQ’s comprehensive solution enforces privacy preferences and requests in real-time without the need to interact with any other supply chain technology, therefore eliminating the risk of data leakage
With CHEQ Privacy you can set up opt-out of sale links for California consumers and give your customers a clear-cut choice on how their data is used, or whether it is collected. And our low-code, zero-integration deployment means Privacy is easy to use. A simple line of code added to your website is all you need to stop data from being collected before your customers give their consent, allowing real-time enforcement of customer consent regardless of tag management systems or 3rd party tags.
Schedule a demo today to see how CHEQ can help your organization comply with the CPRA and other privacy laws.