Episode 12 of The GDPR Guy is Carl discussing the new requirements of the CCPA for a Do Not Sell My Personal Information link on your website, and what selling really means in the context of the CCPA.

Audio

PUBLISHED AS A PODCAST

Useful Resources

LINKS AND FURTHER READING

• The CCPA – https://theccpa.org

Transcript

Working in Privacy is great, but it generally means that website marketing people don’t like you very much, what with you constantly defacing their creations with cookie banners. And now that the 1st of January 2020 is upon us, I’m once again in the marketer bad books with the arrival of another abomination that you’ll no doubt start to see.

I’m talking about the “Do Not Sell My Personal Information” links that you’ll see in website footers, app download pages, privacy notices and cookie banners. And you have the American State of California to thank for this one.

So what’s all this about?

Well, from the 1st January, the Californian Consumer Privacy Act, or the CCPA to you and me, requires organisations give consumers the ability to opt out of them selling their data to third parties. And that sounds nice and everything, but it’s not quite what you think.

Within the context of the CCPA, when we say “sell” we don’t actually mean “sell”. That would be way too simple. Here we mean share for some commercial purpose, and that doesn’t need to involve money.

Virtually all websites and apps run on cloud services that rely on a myriad of other backend services to make them run, such as web hosters, email providers, content delivery networks, load balancers, all sorts of things really. So these third party companies generally act as a “service provider”. Your company pays them some money, they provide some web hosting. In the GDPR world we call these Data Processors.

But if you flip this around, it’s common for some online services to pay “you” rather than you pay “them”, and that can be with money or often with some free services or functionality. Want a nice shiny button for your website? Great, just install this free code and off you go.

Oh! Did they not mention? There is the other side of the equation here. Why are they giving you this for free, or even paying you? Well, that’s simple, it’s because you’re giving them a lot in return and might not even be realising it.

That Facebook Like button you installed on your website, well that is sending information to Facebook about all your visitors for Facebook to use however they’d like. And Facebook will also let you see some of those analytics and use them to send marketing to those visitors in the future.

Most website operators would see this as a fair deal. You give Facebook data, they give you something in return. What we have here is best described as a data sharing model rather than a service provider model. And whilst we aren’t paying Facebook with money here, they are providing a service that helps us with our commercial interests and there is an exchange of something valuable, which is the data.

Payment for this service is in data, not money, but this is still a payment of sorts, and it still has value. A legal term for payment or benefit is “consideration” and you’ll often see this mentioned in contracts and contract law.

This is what the CCPA regulates. It describes “sell” as where personal information is shared for valuable consideration. So using a Facebook Like button on your website would constitute “selling” personal information within the CCPA’s definition.

And this applies far and wide.

Showing a Twitter Follow button – that’s selling.

Showing a personalised ad banner – that’s selling.

Creating remarketing lists with Google Analytics – that’s selling

Even if you get no money in return.

To make this all even more strange, sometimes you have a situation where you’re paying a service provider for a service, and you are also giving them data which you allow them to use for their own purposes. This again would be a sale. So whilst they’re selling a service to you, you’re also selling data to them. Of course you’re not actually selling them anything, but the CCPA says you are.

You’ll see a lot of service providers try to fight this confusion over the coming months, with some in the advertising industry already trying to claim that if they are a service provider then that precludes them from also being a business that has been sold data. (That’s just plainly incorrect by the way.)

So all this might sound stupid, crazy or excessive, but it’s here and we’re just going to have to live with it, probably until California comes up with another term for this supposed data selling.

The CCPA isn’t just about data selling by any means, but it is a notorious part of it, and one that you’ll need to look at if CCPA compliance is on your table. The Do Not Sell link needs to be provided where you’re going to be collecting data and where you’re providing your website or app. This means that it’ll be on the homepage for most websites and either within apps or on the app download pages within the app stores.

The link itself can probably take a few forms. By default the law says that it would be the exact text, “Do Not Sell My Personal Information”, but the draft implementation regulations currently allow for an alternative, “Do Not Sell My Info”. Personally I don’t see a huge difference between Do Not Sell My Personal Information and Do Not Sell My Info, and those web marketers that I have spoken to didn’t seem to care either way, so most websites are choosing the Personal Information link. You could probably get away with a very similar variant such as Do Not Sell My Data, but there’s no guidance from the California Attorney General that this would be permitted. There is also the alternative of using a button instead of the text, but as yet there is no specification of what that button should look like, so we’re still some time away from people being able to use that.

So you’re stuck with this ugly link, most likely in your website footer, making it look like you’ve got some rogue data broker secrets to hide, and the link needs to point to something, usually a section in your privacy notice.

Just a quick reminder of the annoying jargon that us privacy people use. A Privacy Notice is that user facing explanation of what a website is doing with your data and of your data rights. Many people, websites and laws refer to a Privacy Notice as a Privacy Policy, whereas us privacy people often think of a Privacy Policy as being an internal document for employees rather a public facing notice. But none of this really matters. On a website, a Privacy Notice and a Privacy Policy are exactly the same thing, and it doesn’t matter which term you use, and personally I use both.

So the Do Not Sell link will likely point to a section in the website privacy notice that is either California specific or for everyone. The CCPA only applies to Californian residents, so you could choose to only show the link and give rights to those Californians, or you could make it easy on yourself and blanket provide this to everyone across the US or the world. Giving increased data rights to everyone is nice and your users will appreciate it, but bear in mind the business might have an increased workload and loss of revenue as a result.

The CCPA’s data selling opt out right is something you’ll see implemented in many different ways, and for very different reasons. Some data selling is performed on the user’s device, or “client side”, with the use of web beacons and cookies, for which EU style cookie controls are the answer. So expect to see a link to buttons and toggles where you can select which data selling you want to opt out of. Remember that in the EU this already exists within the ePrivacy Directive for which EU people get the opportunity to opt in rather than opt out.

For data selling that is user account based, such as your health provider sharing data with an insurance company, that will usually require you logging in to a server side control panel to express your opt out, or phoning or emailing their customer services team. Where organisations need to verify your identity, expect them to rightly make you jump through a few hoops to provide your opt out. But sadly, a few nefarious companies will make the opt out process prohibitively hard to try and keep you away. I’d expect some regulatory action in the future over behaviour like that.

We’re now only a few days into the CCPA being live and already dozens of big name websites have piblished their Do Not Sell links. But with much debate about what constitutes a sale, and the negative impact on a business’s bottom line if people do opt out, adherence to this law will be inconsistent and patchy, just like we have seen and continue to see within the EU for the ePrivacy Directive, or “cookie law”. Strong and clear guidance from the California Attorney General, backed up by enforcement, is the only way to straighten this out.

In the meantime we’re going to be talking about data selling a lot in 2020, and I for one am not overly happy about it. Companies selling your data sounds bad for your privacy, but this alone misses the mark. It doesn’t affect me either way if my health provider gets paid or not by the insurance company it sent my data to, it’s the loss of control and inappropriate usage that affects my privacy. I fully understand why US lawmakers talk about data selling. It’s a much more emotive soundbite than terms like data sharing or concepts such as legitimate interest in the EU. And to be fair, using terminology that engages the general public in privacy is a good thing, even if it is slightly misdirected. But we need to keep sight of the bigger picture that selling isn’t the problem, it’s all the data processing and loss of rights that goes with it. The GDPR nails this, and hopefully next year’s updates to the CCPA will shift towards this way of thinking.

If you want to read the CCPA, head over to theccpa.org for an amazing, well structured, linkable word-for-word copy that has been made usable by Jake Snow at ACLU.