CPRA Do Not Sell: A Guide for Businesses in 2024
The California Privacy Rights Act (CPRA) has introduced significant changes to the landscape of data privacy regulations. One crucial aspect that businesses must navigate is the "CPRA do not sell" provision.
In this comprehensive guide, we will explore the intricacies of CPRA's "do not sell" requirement and its implications for businesses operating in California, including CPRA enforcement.
In this article, you will discuss the key definitions, obligations, and exemptions outlined by the CPRA, ensuring businesses have a solid grasp of the requirements.
Additionally, we will offer practical insights and best practices for compliance, including strategies for implementing effective opt-out mechanisms and managing consumer requests.
Let's dive right in.
Consumer Rights Under the CPRA
The California Privacy Rights Act (amended version of the California Consumer Privacy Act) grants consumers enhanced rights and control over their personal information.
Understanding these rights is crucial for businesses to ensure compliance and meet consumer expectations. Below are the key consumer rights provided by the CPRA:
- Right to Know ‒ Consumers have the right to know what personal informatio and sensitive personal information n is collected, how it is used, and with whom it is shared.
- Right to Opt-Out ‒ Consumers can opt out of the sale or sharing of their personal information.
- Right to Deletion‒ Consumers have the right to request the deletion of their personal information, subject to certain exceptions.
- Right to Correct ‒ Consumers can request the correction of inaccurate personal information held by businesses.
- Right to Non-Discrimination ‒ Businesses must not discriminate against consumers who exercise their CPRA rights, such as denying services, charging different prices, or providing inferior quality.
- Private Right of Action ‒ The CPRA introduces a private right of action. This empowers consumers to take legal action against businesses that violate the CPRA, including the "do not sell" provision.
Emphasis should be placed on the right to deletion as it empowers consumers to have their personal information erased, adding an extra layer of control over their data and privacy.
- Need help complying with the CPRA rights? Contact us today for a 100% free consultation.
CPRA “Do Not Sell” Right Explained
The CPRA's "do not sell" right is a crucial aspect of consumer privacy protection under California's data privacy landscape. This right allows consumers to have control over the sale of their personal and sensitive personal information and significantly impacts businesses that handle such data.
Shawn Loveland, the COO or Resecurity, explains that the scope of the Do Not Sell regulation here:
"Any individual in California for a purpose other than temporary, transitory, or domiciled in California but temporarily outside the state has the right to exercise this right."
Understanding the intricacies of this consumer right is essential for businesses to ensure compliance and build trust with their consumers.
Under the CPRA, the term "sell" has a broader definition than its conventional understanding. It encompasses various activities related to the sharing, disclosing, or making available personal information to third parties for monetary or other valuable considerations.
This includes sharing data for targeted advertising, marketing purposes, or any other commercial transactions. It is important for businesses to assess their data practices carefully and determine if they fall within the scope of "selling" under the CPRA.
What does "Sell" mean under the CPRA?
This privacy law defines "sell" as the act of providing or disclosing personal information to another business or third party for monetary or other valuable consideration.
This includes not only the traditional concept of selling data but also activities such as sharing, renting, releasing, or making personal information available to others for commercial purposes.
The California Privacy Rights Act aims to give consumers the right to control how their personal information is used and shared, ensuring transparency and consent in data transactions.
Who Can Submit a Do Not Sell Request?
The CPRA grants the "do not sell" right to California residents or individuals who are considered "consumers" under the CPRA. Any consumer who wishes to exercise this right can submit a "do not sell" consumer request to businesses that handle their personal information.
It is important to note that this right is specifically provided to California residents and extends to both online and offline interactions with businesses.
Entities that can submit a CPRA "do not sell" request include:
- California residents ‒ Any individual who meets the residency requirements under the CPRA can exercise the "do not sell" right.
- Authorized representatives ‒ California residents can designate authorized representatives to submit "do not sell" requests on their behalf. Authorized representatives can be individuals, businesses, or businesses authorized in writing by the consumer to act on their behalf in relation to their personal information.
- Parents or guardians ‒ For minors under the age of 16, parents or legal guardians can submit "do not sell" requests on their behalf. The California Privacy Rights Act recognizes the need for parental or guardian involvement in protecting the privacy of minors.
What Happens Once a Do Not Sell Request is Submitted?
Businesses must respect and comply with the consumer "do not sell" requests under the CPRA. Upon receiving a valid request, businesses must promptly update their systems to follow the consumer's preference, refraining from selling or disclosing their personal information to third parties unless exceptions apply.
Compliance is crucial to avoid fines and build consumer trust. Businesses should establish clear processes, educate consumers on submitting requests, and regularly update privacy policies to demonstrate commitment to honoring preferences.
Your Obligations Under CPRA’s Do Not Sell
Complying with the CPRA's "do not sell" right is not just an obligation but also an opportunity for businesses to build trust, enhance consumer relationships, and demonstrate their commitment to consumer privacy.
Here are the key obligations that businesses must fulfill to ensure compliance with the CPRA requirements:
Visible Do Not Sell Link
Shawn Loveland, COO of Resecurity explains that businesses must:
"Provide a visible and easy-to-find link on their website titled "Do Not Sell or Share My Personal Information." This allows customers to opt-out of the sale or sharing of their personal information."
Additionally, he notes that:
"It is also prohibited for businesses to discriminate against customers who choose to exercise their CPRA rights."
Implement Opt-Out Mechanisms
Businesses must establish clear and accessible opt-out mechanisms that allow consumers to easily exercise their 'do not sell' right in accordance with the CPRA regulations.
This includes prominently displaying opt-out links or buttons on websites, mobile apps, or other consumer-facing platforms.
The opt-out process should be straightforward, require minimal steps, and provide clear instructions to consumers on how to opt out of selling their personal information.
Update Privacy Policies
Businesses should review and update their privacy policies to include information about consumers' "do not sell" rights.
The privacy notice should clearly state how consumers can exercise this right, describe the opt-out process, and explain the consequences of opting out. It is important to provide comprehensive and transparent information to consumers regarding the handling and sale of their personal data.
Honor Opt-Out Requests
Once a valid "do not sell" request is received, businesses have an obligation to honor the consumer's preference and cease selling their personal information to third parties.
This includes implementing mechanisms to ensure that the consumer's opt-out choice is respected and applied throughout the business's data processing systems. Businesses must update their records and processes promptly to reflect the consumer's opt-out status.
Verify Identity and Process Requests
Businesses should establish procedures to verify the identity of consumers making "do not sell" requests. This helps prevent fraudulent or unauthorized requests. Verification methods can include matching information provided by the consumer with existing records or requesting additional information to confirm the consumer's identity.
Once the identity is verified, businesses must promptly process the opt-out request and provide confirmation to the consumer.
Provide Consumer Education
In addition to meeting their obligations, businesses have the opportunity to educate consumers about their "do not sell" rights and the importance of data privacy. By providing clear information, resources, and guidance on how consumers can exercise their rights, businesses can foster transparency, trust, and a positive consumer experience.
By fulfilling these obligations, businesses can comply with the CPRA's "do not sell" right and seize the opportunity to establish themselves as privacy-conscious businesses.
- Wondering how you will be able to meet these CPRA obligations? Contact us today for a complimentary consultation.
Implementing CPRA’s Do Not Sell
When a consumer requests to exercise their "do not sell" right under the CPRA, businesses must follow a defined process to ensure CPRA compliance. Implementing this right involves several key steps that businesses should undertake:
- Acknowledge receipt of request ‒ Upon receiving a "do not sell" request from a consumer, businesses should promptly acknowledge the receipt of the request. This acknowledgment can be in the form of an automated response or a personalized message, informing the consumer that their request has been received and is being processed.
- Verify consumer identity ‒ To ensure the legitimacy of the request, businesses should verify the identity of the consumer. This step helps prevent unauthorized or fraudulent requests. Verification methods can include matching the information provided by the consumer with existing records or requesting additional information to confirm their identity.
- Update consumer records ‒ Once the consumer's identity is verified, businesses should update their records and systems to reflect the consumer's opt-out preference. This involves categorizing the consumer information as "not for sale" and implementing internal processes to ensure compliance with their preference.
- Cease selling personal information ‒ Businesses must cease selling the consumer's personal information to third parties after the opt-out request is verified and processed. This includes refraining from any future sale, disclosure, or sharing of the consumer's personal information for monetary or valuable consideration.
- Communicate Confirmation ‒ It is crucial to communicate confirmation to the consumer that their "do not sell" request has been implemented. This communication can be in the form of an email, letter, or notification through the consumer's preferred communication channel. Providing confirmation assures the consumer that their request has been honored.
- Maintain Opt-Out Preference ‒ Businesses should establish mechanisms to maintain the consumer's opt-out preference over time. This includes regularly reviewing and updating their records to ensure ongoing compliance with the consumer's choice. It is essential to respect and uphold the consumer's opt-out preference for as long as they choose to exercise this right.
Ensuring Compliance with the CPRA’s Do Not Sell
To comply with the CPRA's "do not sell" provision and honor consumers' rights to opt out of the sale of their personal information, businesses should follow a series of steps.
Ensuring compliance with this provision is crucial for businesses to maintain trust with their consumers and meet the requirements of the CPRA. Here are the key steps to ensure compliance:
- Understand the scope of "Sell" ‒ Businesses must grasp the broader definition of "selling" under the CPRA, which includes sharing personal information for monetary or valuable consideration. By assessing their data practices, businesses can determine if they engage in such activities.
- Implement opt-out mechanisms ‒ Businesses must offer an easy way for consumers to exercise their "do not sell" right. This involves displaying opt-out options prominently and ensuring a user-friendly process with clear instructions.
- Update privacy policies ‒ Businesses must update privacy policies to inform consumers about their right to opt out of personal data sales. The policy should explain the opt-out process, demonstrate the business's commitment to consumer choices, and provide transparent information on data handling and sales.
- Honor opt-out requests ‒ Businesses must honor consumer opt-out requests, cease selling their personal information, and update processes for ongoing compliance.
- Maintain documentation ‒ Businesses must document their compliance with the CPRA's "do not sell" provision. This includes recording opt-out requests, verifying consumer identities, and stopping the sale of personal information. Comprehensive documentation ensures accountability and aids in regulatory compliance.
- Train employees ‒ Businesses should train employees to handle consumer requests and personal information in accordance with the CPRA. Training ensures compliant and consistent handling of opt-out requests across the organization.
FAQs
What is the CPRA's "do not sell" provision?
The CPRA's "do not sell" provision grants consumers the right to opt out of the sale or sharing of their personal information by businesses. It aims to provide individuals with greater control over their data and protect their privacy.
What activities fall under the definition of "sell" under the CPRA?
The CPRA defines "sell" broadly and includes activities such as sharing, disclosing, or making available personal information to third parties for monetary or valuable consideration. This encompasses traditional selling, as well as sharing data for targeted advertising, marketing purposes, or any other commercial transactions.
Who can submit a "do not sell" request under the CPRA?
The "do not sell" right is granted to California residents who are considered "consumers" under the CPRA. California residents, authorized representatives designated by the consumer, and parents or legal guardians of minors can submit "do not sell" requests on behalf of the consumer.
What happens once a "do not sell" request is submitted?
Businesses must promptly update their systems to honor the consumer's "do not sell" request. This involves ceasing the sale or disclosure of the consumer's personal information to third parties unless exceptions apply. Businesses should acknowledge the receipt of the request, verify the consumer's identity, update their records, and communicate confirmation to the consumer.
What are the obligations for businesses to comply with the CPRA's "do not sell" provision?
To ensure compliance, businesses must implement opt-out mechanisms, update privacy policies, honor opt-out requests, maintain documentation of processes, and train employees. These obligations help businesses respect consumer choices, maintain transparency, and meet the requirements of the CPRA.
How can businesses implement the CPRA's "do not sell" provision?
Implementing the "do not sell" provision involves understanding the scope of "sell," implementing opt-out mechanisms, updating privacy policies, honoring opt-out requests, maintaining documentation, and training employees. By following these steps, businesses can ensure compliance with the CPRA's requirements.
How Can Captain Compliance Help?
By respecting consumer rights, implementing opt-out mechanisms, and being transparent, businesses can build trust and strong consumer relationships.
Captain Compliance offers expert support in assessing data practices, establishing opt-out mechanisms, updating privacy policies, and ensuring compliance.
Partner with us to demonstrate commitment to privacy and data protection, navigate CPRA complexities, and build trust.