Risk and Compliance

CCPA Update, FAQ and CCPA 2.0

Ron Naulls
January 10, 2020
4 min read

In a recent news briefing, the California Attorney General (AG) gave insight on two topics regarding the California Consumer Privacy Act (CCPA), which took effect on January 1. A question frequently asked is whether an organization has to include the “Do Not Sell My Personal Information” button or link on the business’ homepage? Furthermore, the Consumer Privacy Rights Act of 2020, colloquially CCPA 2.0, has moved on to the next phase in the referendum process.

CCPA Update

“If you’re going to see real enforcement — aggressive, early, decisive enforcement action — early on, it will deal with kids,” is one key takeaway the CA AG, Xavier Becerra, said during a news conference in Sacramento. Aside from enforcing parental consent for children under 13 years of age, and explicit consent for consumers between 13 to 16 years of age, the other enforcement priority after January 1 will focus on sensitive information like health data, Social Security numbers and dating patterns. In particular, the AG mentioned that his office will be patient with small businesses making a real effort to comply, yet indicated that “ignorance of the law is not an excuse.”

Do we have to include the “Do Not Sell My Personal Information” button or link?

Clients often ask whether or not they have to include the “Do Not Sell My Personal Information” link on their business’ homepage. This is a question for general counsel, the legal department or outside counsel. Nuances surround questions such as whether the organization generates annual revenues over $25 million, or collects information on more than 50,000 California residents in a year, or derives 50 percent or more of annual revenues from “selling” the personal information of California residents.

However, a business does not “sell” personal information under the CCPA when the business: 1) provides notice that the consumer’s information is being used or shared according to terms and conditions outlined in its consumer-facing privacy notice; 2) the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose. Most businesses already have a consumer-facing privacy notice, also known as an online privacy policy, thereby meeting the first criterion.

For the second criterion, the business must be a “service provider.” Under the CCPA, a “service provider” is a business that processes information on behalf of a business that discloses a consumer’s personal information for business purposes under a contract, provided the agreement contains the personal information use restrictions other than performing the services outlined in the contract (see 1798.140 (v). Therefore, a “service provider” does not have to include the “Do Not Sell My Personal Information” link on their business homepage if they satisfy conditions one and two.

Do we have to include the “Do Not Sell My Personal Information” button or link when we do not meet the “service provider” definition above and do not “sell” any personal information under the CCPA?

According to the proposed regulations in Section 999.306 (d)(2) implementing the CCPA, if a business does not (and will not) sell personal information, it is not required to post a “Do Not Sell My Personal Information” link or button on its website or in-person equivalent.

However, the business is required to include a disclosure or wording in the consumer-facing privacy policy or notice that the business does not and will not sell personal information.

The California Privacy Rights and Enforcement Act of 2020

On December 17, the CA AG released the title and summary for Initiative 19-0021, the California Privacy Rights Act. The Initiative would fundamentally change and replace the CCPA, which some have dubbed the CCPA 2.0. Of note, the increased annual state costs of roughly $10 million dollars for a new state agency to monitor compliance and enforcement of consumer privacy laws along with increased state costs for increased Department of Justice workloads and state courts.

Next, at least 623,212 signatures must be gathered (based on 5 percent of the total votes cast in the last gubernatorial election) by late June. Ironically, this is just before the Attorney General is about to begin enforcement of the CCPA 1.0.

Conclusion

Organizations should immediately look to implement tightened consent controls around children and minors, increase controls around secure sensitive information as a hedge against heightened AG enforcement, and probe whether or not the business is “selling” personal information and to include or exclude the “Do Not Sell My Personal Information” link.  Finally, stand up privacy compliance programs that are scalable and adaptable to meet the events and changes framing the CCPA.

Ron Naulls

Senior Manager
Technology Consulting - Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More