Insight | Feb 18, 2020
Don't Expose Your Brand: What CCPA Privacy Changes Really Look Like in 2020
By Rob Browning
California Consumer Privacy Act officially went into effect on January 1st, 2020. However, questions remain about how to comply with the law. As corporations attempt to adhere to the law's most fundamental requirements, significant industry trends are beginning to take shape.
In this article, we observe some popular trends and generate insights into how companies are attempting CCPA compliance. If you still are getting familiar with what CCPA is, we covered some of the law’s fundamentals in our previous post. As always, companies should consult with their lawyer to ensure full compliance. These CCPA trends can serve as a starting point for taking action on your website.
Do Not Sell My Info (DNSMI) Buttons (Trend #1)
Many businesses are placing "Do Not Sell My Info" buttons throughout their website, even if they might not be selling consumer data. Companies that use this button likely determined that their relationship with ad-tech companies for interest-based advertising might be considered a sale.
Certain areas of California’s data privacy law are vague and some companies feel that data collected via a third-party cookie, tag, or pixel may count as selling information. This belief is because the company shares personal information with an advertising platform or provider with paid services.
For example, collecting audience data with a Google Ads pixel and targeting users with specific demographics could be classified as a sale. Under this, Google has issued a protocol for restricting the collection of personal information.
The Restricted Data Process Settings help advertisers using Google Analytics and Google Ads to prevent collecting personalization data when tracking. This setting is a simple parameter added to the tracking code.
Companies are using this in two ways:
- Applying the modified website visitor tracking code after a user has opted out of data collection or opting-out of the sale of their personal information.
- Applying the modified tracking code to all users located within California, regardless of if they have opted-out or not, to avoid collecting personalized data from anyone in the state.
Many websites are posting the DNSMI link on every web page in the footer area of the page. The CCPA requires businesses that sell personal information to post clear links on any internet web page where personal information is collected. The DNSMI link must take consumers to a webpage that enables them to opt-out of the sale of their data.
Each business will need to evaluate whether it's interest-based advertising, analytics, or other forms of tracking may constitute a sale under the CCPA, especially if the company is advertising to California residents.
Privacy Statements by Major Service Providers (Trend #2)
Major service providers for online vendors have already made statements regarding the sale of personal information. Some great examples are:
- Google explains they never sell personal data and provides advertisers/publishers with an array of restricted data processing options, as discussed previously. These options allow businesses to tell Google to handle personal data as a service provider and for no other reason.
- Facebook also claims they don't sell your data to advertisers. Facebook has also released California specific terms that outline their compliance to CCPA’s service provider structure.
- LinkedIn also states it does not sell your personal information and does not have an official opt-out. LinkedIn has not defined itself as a service provider in terms of its advertising services.
These terms are especially important for users who are visiting your website. If you utilize tracking or advertising services through Google or any social media platform, it may be a good idea to include links to these sections of that platform’s privacy statement.
Data Privacy Automation Tools (Trend #3)
Technology services have assisted companies with the backend technology needed to fulfill data subject access requests that comply with both GDPR and CCPA. These tools leave cookies on a consumer's device, indicating that the consumer has opted out of the sale of their personal information. Some tools can turn off cookies associated with the purchase of personal data and cookies related to vendors classified as service providers.
These tools cover many of the provisions required by CCPA, including:
- Data Subject Access Requests which give consumers the ability to request their personal information, opt-out of future data collection, or erase their existing data.
- Do Not Sell My Information Requests, which give consumers the ability to opt-out of the sale of their personal information.
- Cookie Management which gives consumers the ability to review the cookies that are placed by a website.
- Identity Verification Tools that give businesses the ability to verify DSAR requests and ensure the user requesting their data is the person in question.
The leading tools for CCPA are:
Adopting one of these compliance solutions typically involves a substantial investment, and it can be difficult to unwind or migrate to a different vendor. Consultations with a private attorney can help companies determine whether a vendor-based solution is right.
CCPA Specific Changes to Privacy Policies (Trend #4)
With the New Year, there has been a wave of websites updating their privacy policy and sending out emails to notify their clients. These privacy policies generally include statements of:
- CCPA Consumer Rights
- How To Request Access and Deletion of Data
- A “Do Not Sell” Information Statement
- List of Personal Information That May Be Collected
- Purpose Statement for Collecting Data
- Types of Personal Information Sold (If Any)
- Examples of Personal Information Disclosed With Third Parties (If Any)
- Processes in Place for Managing Data Inventory and Handling Data Breaches
Additionally, some corporations have added a specific “California Privacy Rights” section in their existing Privacy Policy. Some examples include:
Some other examples of updated Privacy Policies include:
These privacy policies give a great sense of the language required by CCPA. Reading them can help guide you in preparing the changes you may need to make to your website’s privacy policy statement.
Questions? Because we are not lawyers, we strongly advise reaching out to your legal team to discuss compliance. But we are here to help by providing some general information and help modify your website to add some of these features discussed. Don’t hesitate to contact us today to discuss your CCPA needs.
Drop us a line
Have a project in mind?
Contacting Third and Grove may cause awesomeness. Side effects include a website too good to ignore. Proceed at your own risk.