There is no one strategy for disclosing privacy practices to consumers, or for complying with the federal and state laws – including the CCPA – that govern data privacy. The following summarizes current industry trends:
- Privacy notices are, on average, over a year old.
- The majority of companies have not updated their privacy notices for the CCPA.
- Privacy notices that reference enumerated categories are evenly split between using tables and lists.
- 10x more privacy notices disclose that they do not sell personal information than disclose that they do sell personal information.
- The majority of privacy notices are silent or unclear about selling practices.
- The vast majority of privacy notices do not include a “Do Not Sell” option.
- Those companies that are disclosing the sale of information are complying with the CCPA’s requirement to provide a “Do Not Sell” option.
- Only a small number of companies that don’t sell personal information are still providing a “Do Not Sell” option.
- Most companies are not including a “Do Not Sell” link on their homepage.
- Some companies include the “Do Not Sell” link, but it is non-functional.
- Most companies offer access and deletion rights.
- The average quantity of behavioral advertising cookies on a corporate homepage is 6.74.
- Most companies are not deploying a cookie notice or banner.
- Those that do are split in terms of whether to use an opt-in, notice, or deemed consent banner.