Do Not Sell Has Regulatory Teeth
Bill Schaumann
California Attorney General Rob Bonta recently announced a settlement with the Walt Disney Company over allegations that the company violated the California Consumer Privacy Act (CCPA) by failing to fully execute on consumers’ requests to opt out of the sale or sharing of their data. Under the settlement, Disney must pay $2.75 million in civil penalties and must implement opt-out methods that fully stop the sale or sharing of consumers’ personal information. This is the highest fine to date under the CCPA.
The CCPA recognizes that personal data has a tangible economic value when it is sold, shared, or otherwise monetized by businesses. By treating personal information as an asset with a monetary value, the CCPA also established that consumers should then have control over whether their data can be sold. This principle directly led to the “Do Not Sell My Personal Information” requirement.
Compliance Capabilities
The capabilities needed to meet Do Not Sell requirements involve the accurate management of the personal information being processed. Companies that collect consumer personal information and sell it for value should consider the following capabilities.
- Maintain an accurate inventory of the personal data being processed.
  - Where PI is stored.
  - Whose data is stored.
  - The sensitivity and classifications of the data.
- Understand why you have it.
  - For what purposes is the data being used?
  - How was the PI collected?
  - What is it being used for?
- Does the privacy notice clearly inform consumers that:
  - Their data could be shared or sold?
  - They have an option to opt out of sharing or selling?
- Does the privacy notice contain a mechanism to collect an opt-out choice?
As sensitive data volumes grow and regulatory requirements expand, organizations face escalating risks and costs from regulatory penalties. Traditional data protection methods are failing to keep up with complex data environments: they cannot discover, map, track and protect consumers’ individual preferences regarding how their sensitive information is used or not used with any speed or accuracy.
How Lightbeam can help
Lightbeam has technical capabilities designed to support the Do Not Sell requirement. Lightbeam is deployed in an organization’s cloud or data center to discover and classify sensitive data across structured, unstructured, and semi-structured data sources. The Lightbeam Data Identity Graph analyzes sensitive data, gathers the business context for the collection of personal data, and maps the data and personal preferences, including consent and Do Not Sell options.
The Lightbeam Consent Management module provides an intuitive Consumer Preference Center where consumers can self-manage their options regarding their personal information. The intuitive dashboard allows for tracking, visualizing, and managing user consents and preferences. This helps privacy professionals meet their data privacy compliance requirements with actionable controls. Lightbeam enforces Do Not Sell with customizable security policies that track preferences and data labeling to support management’s compliance efforts regarding sharing or selling personal information.
FAQ Section
What does “Do Not Sell My Personal Information” mean?
The “Do Not Sell My Personal Information” provision under the California Consumer Privacy Act (CCPA) allows consumers to opt out of businesses selling their personal data to third parties.
Who must comply with the CCPA “Do Not Sell” requirement?
Businesses that collect personal data from California residents and meet certain revenue, data processing, or data selling thresholds must provide consumers with a clear opt-out mechanism.
How must organizations provide a “Do Not Sell” option?
Organizations must provide a clear and accessible “Do Not Sell My Personal Information” link on their website and honor consumer opt-out requests across their systems.
Why is the “Do Not Sell” requirement important?
This requirement strengthens consumer privacy rights by giving individuals control over how their personal information is shared or sold to third parties.
How can companies ensure compliance with CCPA opt-out requirements?
Organizations should maintain a clear data inventory, track personal data sharing activities, and implement systems that automate consent management and opt-out enforcement.