While the definition of “sale” under the CCPA contains an exception for situations in which information is shared with a service provider, that exception may not apply to the extent that a behavioral advertising network is not contractually prohibited from using the personal information that it collects on a business’s website for the benefit of itself or for the benefit of third parties (i.e., its other clients).1 If courts determine that making personal information available to behavioral advertisers is a “sale,” the CCPA would require the posting of a “Do Not Sell My Personal Information” link.2
Some businesses are considering providing a “do not sell my persona information” link on their homepage, which, when clicked, would activate a cookie management tool from which a consumer could indicate that they do not want third party behavioral advertising cookies to deploy on their browser. The use of a cookie management tool to opt a consumer out of behavioral advertising may not comply with all of the technical requirements of the CCPA, however. Specifically the CCPA requires that a business honor an opt-out request “for at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.”3 While a cookie management selection may persist for 12 months (or more) on the browser that the consumer used to initially access a website, a consumer could be resolicited to accept cookies before 12 months expire in the following situations:
- The consumer visits the website using a different browser (e.g., first visit in Chrome, second visit in Safari)
- The consumer visits the website from a different machine or device (e.g., first visit from laptop, second visit from smartphone), or
- The consumer clears their browser’s cache.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.