
The CCPA Has Placed a Mandatory Link on Your Company’s Homepage

Cybersecurity and Privacy   |   June 26, 2019
If a company sells personal information of California consumers, then the California Legislature has claimed real estate on its homepage. This article summarizes this new requirement of a “Do Not Sell My Personal Information” link and provides some practical guidance.
 
The California Consumer Privacy Act of 2018 (CCPA) in certain instances requires a business to “[p]rovide a clear and conspicuous link on the business’ Internet homepage, titled ‘Do Not Sell My Personal Information,’ to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information.” Sec. 1798.135(a)(1).
 
This requirement applies only to businesses that “sell” personal information about California consumers to third parties. Sec. 1798.120(a). “Sell” in the world of the CCPA does not really mean “sell” — it means share for any benefit at all. Sec. 1798.140(t). What this homepage requirement does is make operational the CCPA’s much-discussed “right to opt out,” that is, a consumer’s right to demand that a company stop transferring his or her personal data for value to others. Sec. 1798.120(a).
 
Compliance requires more than a cosmetic website tweak. By January 1, 2020, the effective date of the CCPA, the company must also:
 
  • Construct a back-end system that takes opt-out requests from the webpage and turns them into reality. Sec. 1798.135(a)(4).
  • Train individuals responsible for “handling consumer inquiries” on how to direct consumers to exercise the right to opt out. Sec. 1798.135(a)(3).
  • Figure out a system so that the company refrains from soliciting the sale of an opting-out customer’s data for 12 months from the date of opting out. Sec. 1798.135(a)(5).
 
A website’s landing page is not the only place where this “Do Not Sell My Personal Information” link must appear. A company must also install it in the company’s (i) online privacy policy or policies if the business has one; and (ii) any California-specific description of consumers’ privacy rights. Sec. 1798.135(a)(2). The CCPA also defines “homepage” to include “any Internet Web page where personal information is collected,” suggesting that some may interpret the statute to require that the link be included on other parts of the website where the user inputs data or user data is tracked or collected. Sec. 1798.140(l).
 
We have already observed a number of websites adopting a “California privacy rights” link, accessible from the homepage, that is separate from their general “privacy rights” link for residents of every other state. Such a strategy does not deploy the actual language that the statute requires for the “do not sell” link and may face compliance challenges.
 
A more certain way to avoid having this “do not sell” link on the common homepage, other than not selling California residents’ data, is both an engineering and advertising challenge. That is, the law allows an entirely separate homepage for California residents (with the link) and one for everyone else (without the link). Sec. 1798.135(b). If a company takes California up on that challenge, it must further “take[] reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally.” Id. We look forward to seeing enterprising web engineers experiment with what “reasonable steps” might work here.
 


©2019 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.
