Understanding what is CPRA’s Do Not Sell or Share my Personal Information

To protect the privacy of California residents, the state of California introduced the California Consumer Privacy Act (CCPA) data regulation for businesses to responsibly handle customers’ personal information. Being one of the strictest privacy laws around the world, CCPA requires businesses who operate in or serve customers in California to comply with data privacy requirements.

Enacted in January 2020, CCPA introduced ‘Do not Sell My Information’ option which customers can exercise and avoid having their data sold to third parties. This requirement was further updated in California Privacy Rights Act (CPRA) which went into effect on January 1, 2023, and expanded to ‘Sharing’ of personal information.

This new California data privacy law requires businesses to visibly place a webpage link of ‘Do Not Sell or Share My Personal Information’ in the footer of their website’s homepage and Privacy Policy page. This webpage must include all the information about how the company will use a customer’s personal information if they choose to opt-in for selling or sharing their data.

The webpage also gives customers more power over the sale and sharing of their personal information by choosing to opt-out. The California data privacy law also calls on businesses to offer minimum 2 methods to opt-out from these options – preference center to change privacy controls, dedicated business email address, toll-free phone line, and form submission.

What does it mean to ‘sell’ or ‘share’ a customer’s personal information?

The CPRA defined ‘selling’ of personal information as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.”

California residents can opt-out from sale of their personal information and businesses need to adhere to this rule if they:

• Generate $25 Million or more in revenue
• Collect data of 100,000 California residents each year
• Generate half (or more) annual revenue by selling or sharing information

 The CPRA defined sharing as, “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”

Businesses share personal information of customers with another entity for advertisement purposes but in California this will be only possible if a customer opts-in. Once the customers have exercised their choice to opt-out through ‘Do Not Sell or Share my Personal Information’ link, businesses should respect their decision and are not allowed to sell or share customer information.

How a business is impacted when a customer opts-out?

Once a customer has opted-out of selling and sharing their personal information, a business should wait at least 12 months before requesting again that the consumer opt-in to the sale of their personal information. Businesses need a customer’s personal information for personalized advertising purposes because they can target sale of a product or a service based on a customer’s past observed behaviour.

Third-party sharing of data is restricted when customers opt-out and so businesses cannot use their personal information for monetary benefits. But this does not apply to cross-context behavioral advertising. Businesses can utilize personal information for their own advertisement purposes on their website even if a customer has opted-out of selling and sharing of their information.

How can Secuvy’s Data Protection platform help organizations comply with CPRA’s ‘Do Not Sell or Share my Personal Information’ requirement?

Secuvy’s comprehensive solution for data privacy enables organizations to achieve CPRA compliance and adapt to the changing consumer opt-out requirements. It is important to understand what kind of data you hold, what is being sold or shared with third-parties, and how your website allows site visitors to opt-out via a global privacy control.

Automated data discovery is a process in which software tools are used to automatically identify, classify, and catalog data across an organization’s various data sources. These tools employ advanced algorithms and machine learning techniques to scan through large volumes of data, including structured and unstructured data, to locate and categorize sensitive or valuable information. This technology is particularly valuable in large enterprises or organizations with complex data environments, where manual data discovery processes would be time-consuming, error-prone, and inefficient.

With Secuvy’s Universal Consent Management Solution, organizations can handle compliance on a global spectrum and ensure user experience remains fluid by creating opt-out pages. By using a pre-designed template or choosing to customize, the right information can be displayed on the webpage so that customers can choose to allow a business to sell or share their personal information.

To seamlessly manage data subject requests made under CPRA, you can streamline request process, deletion, opt-out requests, and more. With high inflow of requests, automating the process can help your business save time and build a more accurate workflow.

Secuvy’s simple approach to Universal Consent Management

Secuvy makes it simple for businesses to comply with CPRA’s Do Not Sell or Share my Personal Information through its Universal Cookie and Consent Management solution.

Choosing Secuvy’s platform for consent management also enables flexibility, transparency, security, and scalability. Powered by self-learning AI, our platform provides a centralized consent data view. It empowers you to craft comprehensive consent assessments, ensuring the management, correlation, and protection of data subjects’ privacy rights for compliance.

There are three major benefits:

Speed – The Secuvy Platform can be up and running in hours, not weeks or months. The platform autoscales, and can discover sensitive data in a fraction of the time of comparable solutions.

Deep Discovery – The Secuvy Platform makes active use of data correlation and lineage to provide the greatest depth of data discovery.

Accuracy – The Secuvy Platform discovers, classifies, and provides a full view of your data at petabyte scale.

Ready to see Secuvy in action? Contact us to see how our platform can work for your organization.