Avoiding the Dreaded Link under CCPA: “Do Not Sell My Personal Information”

Many companies that do substantial business in California may fall under the scope of the CCPA. If they do, and they don’t take action beforehand, they are required to put a link, in a clear and conspicuous manner, on the company’s homepage (as well as in the privacy policy), that reads “Do Not Sell My Personal Information”. If this link is clicked on, it must provide a mechanism (that must work) by which the consumer can opt out of having their personal information “sold”, and the company must refrain from soliciting the sale of data of the opted-out individual for 12 months after the opt-out. It should be noted that the CCPA allows the link to not appear on the company’s main web page if the company creates a web page for CA residents only (because of the technology infrastructure needed to do this, it’s likely most companies subject to CCPA will not be able to do so, at least not right away).

When the company’s legal department or outside counsel tells the marketing department that the link has to be put on the main website of the company by January 1, 2020, the reaction is “We can’t do that. How do we avoid it?” Anyone involved in sales or business development understands that a link of that nature will not help revenue generation and the PR issues associated with it are not favorable.

By way of background, the CCPA applies to any business (of a certain size or that generates over a threshold amount of revenue from CA) that “sells” personal information about California consumers to third parties. CCPA Section 1798.120(a). “Sell” under the CCPA is defined broadly, meaning sharing the personal information for any value at all.

The answer to the marketing department’s question of how the company gets out of putting the link on the company’s homepage is that the company has to take action to ensure that it is not subject to the requirements of the CCPA, specifically that the company does not “sell” personal information. Each company likely has multiple vendors, subcontractors, service providers and other parties it has contracted with. A number of those agreements likely involve the sharing, making available, or outright sale of personal information to the third party. Usually the agreement includes more than simply the personal information. What the company should do is go through all of its agreements and amend any that involve the sharing or making available of personal information so that it is clear that any consideration provided by the third party under the agreement is not in exchange for personal information (i.e. that no consideration is changing hands related to the personal information). This assumes that the company’s business operations do not generally involve sale of this data (if they do, the CCPA will apply, absent a fundamental change in the company’s business model), and this course of action may not be available for all companies.

Updates to the California Consumer Privacy Act of 2018

We introduced the California Consumer Privacy Act of 2018 (CCPA) before, and there have been some updates since then. While the CCPA was to take effect on January 1, 2020, the date of effectiveness and the date when the California Attorney General has to promulgate the regulations have been pushed back to July 1, 2020. Similarly, enforcement is to begin on that date if the regulations are published then and, if not, six months from the date of publication of the regulations.


There was lobbying in California regarding the private right of action in the CCPA and there was some language added to clarify the limits of consumer suits against companies.

On the federal level, Senator Marco Rubio introduced what he called the American Data Dissemination Act (and used the acronym “ADD Act”), which he presents as a federal data protection bill which would require the FTC to promulgate national regulations on data protection and would explicitly preempt state laws like the CCPA. It is to be based on the antiquated Privacy Act of 1974. Without specific statutory language or regulations on the ADD Act, it’s unclear what the reasons for its genesis are. If it were to follow the European model, an entirely new statutory scheme would likely be needed. The purpose could also be to halt the rise of 50 different data protection laws, one from each state. In any event, the members of Congress have been getting heavily lobbied by the US Chamber of Commerce and other business groups. It should be interesting to see how it all plays out. Companies should not, however, presume that the CCPA will be pre-empted and should begin to prepare for it now.

The California Consumer Privacy Act of 2018

So the wave of privacy laws originating in Europe has hit the United States. On June 28, 2018, the California Consumer Privacy Act of 2018 was signed into law (referred to in this post as the “Act” or the “Law”). It is both similar to, and distinct from, the GDPR. Companies should absolutely not assume that if they are GDPR compliant, they would also be compliant with the California law. The California law has broad out-of-state reach and violations carry serious monetary penalties, including actions from the Attorney General of the State of California, or individuals (either separately or as a class action). Companies should make sure they are out in front of this law. The date the Act is set to take effect is January 1, 2020.

Individual Data Subject Rights Under the GDPR

Any company that is subject to the GDPR, among other things, must ensure that it does and can timely comply with requests from any EU data subject with respect to the data subject’s rights under the GDPR, which are:

  1. Right of access – EU data subjects are entitled to know if their data is being processed and if so the terms of same.
  2. Right to rectification – EU data subjects have the right to correct information held by any controller.
  3. Right to erasure – Be ready to completely remove any EU data subject’s personal data from your systems (if anything cannot be removed they need to be told why) upon their request.
  4. Right to restriction of processing – Be ready to restrict certain EU data subject’s personal data from being processed in any manner in which a specific EU data subject states it no longer consents to (even if he/she provided consent for such processing earlier).
  5. Right to data portability – Be ready to provide a copy of each EU data subject’s personal data upon their request, and this can include sending it to the data subject or sending it to a third party. Your company should be able to comply with any request within 30 days at no charge to the EU user.
  6. Right to object – Be ready to halt certain activities with respect to the personal data of any EU data subject if notice is provided to you by such EU data subject (this is in addition to the right to restricting processing and prior consent can be modified or taken away at EU data subject’s whim).

Global Scope of the GDPR & Applicability to Companies in the United States

So this is the question that is coming up more and more here in the United States – Does the GDPR apply to our company?

Remember that the GDPR was put in place to protect individuals from improper use of their personal data and also to allow them to freely move it, and to enjoy certain other rights with respect to their personal data. While its reach is broad, the GDPR does not apply to processing of data if it falls outside the scope of EU law (processing for public safety, or government issues is not subject to it). If your company interacts with customers within the EU for purposes of trade, and you store, process or share EU citizens’ personal data, then the GDPR rules apply to your company.

GDPR’s Restrictions on “Processing” of Personal Data

At the heart of it, the European Union’s new data privacy legislation, the General Data Protection Regulation (“GDPR”), restricts what the companies that hold or manipulate personal data of individuals can do with it, and what type of consent is required for what acts. Like all regulations, there are a number of defined terms, which must be understood to grasp the coverage of the GDPR. In summary, it covers a lot of activities that companies may not have thought would be regulated.

Software License Agreements II – Source Code Escrow Agreements

So if you are a licensee of a software service or product, which you use internally or you sell (sub-license) to end users, you’ll want to be sure that there is no interruption in service for the term of the license provided you pay the license fees. Interruptions in access to the software can come in many forms: sometimes the licensor has issues with the software or its delivery (such as a hosting provider’s downtime), and sometimes the licensor is acquired by a larger company that doesn’t pay as much attention to the particular software, or worse, the licensor has financial troubles and either ceases to operate as a going concern or files bankruptcy. You as a licensee, who needs the software to keep your operations steady or to keep your stream of revenue uninterrupted, will want to ensure that there is no break in the access to the software.

Software License Agreements I – Scope of the License

We’ll be looking at the typical items addressed in a business-to-business software license agreement (as compared to an end user license agreement). The purpose of a software license between two companies is generally for the licensor, who has valuable software, to set forth how that software may be used by a licensee and the compensation and other items applicable to the licensee’s use.

New York’s BitLicense – License to Engage in Virtual Currency Business Activity

New York’s Department of Financial Services passed regulations which apply to virtual currencies, and require licensing of certain entities engaging in certain activities in connection with the state.  It is referred to by the State as the “BitLicense”.

The State says that any individual or entity which is involved in the following is required to obtain a BitLicense:

  • Virtual currency transmission
  • Storing, holding, or maintaining custody or control of virtual currency on behalf of others
  • Buying and selling virtual currency as a customer business
  • Performing exchange services as a customer business
  • Controlling, administering, or issuing a virtual currency.
