These Self-Regulatory Guidelines for California “Do Not Sell My Personal Information” requests (“CA Do Not Sell”) augment the Digital Advertising Alliance’s (“DAA”) Self-Regulatory Principles and Guidelines by addressing how Publishers and Third Parties should address CA Do Not Sell requests for “Personal Information” as defined and required under the California Consumer Privacy Act (“CCPA”) and its implementing regulations. Cal. Civ. Code §§ 1798.100 et seq. This guidance and program are a voluntary tool for entities that desire to participate in the DAA program and leverage its tools in compliance with the guidelines described herein.¹
Under the CCPA there are two types of entities that collect personal information from a digital property. First, the entity that owns and operates the digital property and that collects Personal Information directly from a consumer (“Publisher”). Second, a third party that indirectly collects Personal Information about consumers through the Publisher’s digital property (“Third Party”).
As Businesses, both Publishers and Third Parties are required to honor CA Do Not Sell requests received from California residents for their respective activities related to Personal Information. These DAA Guidelines explain how the DAA’s California Do Not Sell Opt-out Tool (“CCPA Opt-Out Tool”) can be used to effectuate these requests for participating entities when consumers make CA Do Not Sell requests through those tools, stopping the Sale of Personal Information, including for online behavioral advertising, and further explains what activities participating entities can “engage” in following such a request.
The DAA guidance enables consumers to exercise their CA Do Not Sell rights through a consistent, recognizable system across digital properties, and to express an opt-out through a single location for participating entities that is effective across a participating company’s activity on the Internet.
A. Third-Party Requirements
- When a consumer exercises their CA Do Not Sell rights through the CCPA Opt-Out Tool, Third Parties engaged in the collection of Personal Information as defined by the CCPA may use and transfer such Personal Information only for the following operations and system management purposes when that activity is undertaken in compliance with the CCPA:
a. intellectual property protection;
b. compliance, public purpose and consumer safety;
c. authentication, verification, fraud prevention and security;
d. billing or product or service fulfillment; or
e. reporting or delivery.
- Any Business in receipt of a user-enabled opt-out signal from the Publisher Opt-out Tool may only use or transfer Personal Information as permitted in A.1.a-e for information collected from a browser or device that exercised a user-enabled Publisher Opt-out Tool signal.
B. Publisher Requirements
- Notice/Link. Publisher must include the following CA Do Not Sell link on its digital properties: CA Do Not Sell My Personal Information . This link should lead to the Publisher’s notice that states the fact that Third Parties collect Personal Information through the digital property for advertising and analytics purposes, and links to the DAA CCPA Opt-out Tool through which consumers can opt-out of the sale of personal information by participating Third Parties.
- Flag. Publisher must place a flag on its digital properties that can be read by Third Parties that indicates the transparency and opt-out tool set forth in B.1 has been provided.
- Publisher Choice. If a Publisher collects Personal Information and transfers it to a Third Party, it must provide a Do Not Sell choice. If a consumer exercises a CA Do Not Sell opt-out for the Publisher, then the Publisher must convey to any entities to which it transfers or has transferred in the prior 90 days Personal Information that the consumer has expressed the CA Do Not Sell opt-out. Personal Information sold by that Publisher shall be subject to such a choice may only be used or transferred as permitted in A.1.a-e in compliance with the CCPA.
¹ This is not legal advice. The CCPA is a new law, the regulations are in draft form and any interpretations thereof are interpretations of first impression. Companies should consult with their counsel for compliance purposes.
* * *