Privacy and consent in the United States are slowly but steadily taking shape, starting with the rework of California's CCPA “Do Not Sell My Personal Information” into the CPRA, with more states following suit and, surely, a federal response still to come. For example, in addition to California (also available in Complianz):
- Colorado CPA
- Connecticut CTDPA
- Nevada NRS (603A)
- Utah UCPA
- Virginia CDPA
Selling or Sharing Information
Targeting Visitors from one of these States
For California, the CPRA requires websites to include a conspicuous link titled “Do Not Sell or Share My Personal Information” on the homepage or the cookie banner and in the privacy statement. The CPRA also introduces a new notice requirement to provide a separate link titled “Limit the Use of My Sensitive Personal Information” or accommodate an optional technical signal solution. Both links should take consumers to an intake method, an interactive form, for consumer requests.
New CPRA Requirement
However, the CPRA also allows websites to forgo providing these links separately and instead provide a single link that enables the consumer to opt out of the sale and sharing of personal information and to limit the use and disclosure of sensitive personal information.
In Complianz, this single link is called “Opt-out preferences,” and the functionality is called “Global Opt-out.” You can easily rename this page yourself to “Do Not Sell or Share My Information”.
Additionally, Complianz provides your website with the option of recognizing an opt-out preference signal from a browser as a valid consumer request to opt out of the sale or sharing of personal information and to limit the use of sensitive personal information.
Dealing with a Global Opt-out
If a visitor uses Global Opt-out, you will see their data request with their name and email address in the backend of the plugin. This lets you check whether their name or email address is indeed being sold or shared with third parties. The email address is also needed so you can contact the visitor. Upon receiving a Global Opt-out request, an organisation can respond by acknowledging its receipt (a step that Complianz performs automatically), confirming or rejecting the opt-out, or responding that the right is not applicable. In general, an organisation must comply with a Global Opt-out request within 15 business days from the date of receipt and has to respect a consumer’s opt-out for at least 12 months before asking the consumer again to consent to the sale of personal information.
A good starting point is the Export Personal Data tool in WordPress. This tool quickly tells you whether an email address is indeed stored in the database of your website.
Upon receiving the Global Opt-out request, Complianz will also make sure that previously given browser and device-based consent will automatically be revoked and that marketing or tracking techniques used for cross-context behavioural advertising are blocked immediately.
With Complianz Premium, you can also easily create a Privacy Statement that contains one or more sections for every state, in which we describe, among other things, the specific rights a consumer has in certain states. Some states also mandate that a privacy statement disclose how long an organisation keeps each category of personal information or, if that’s not possible, the criteria it uses to determine the retention periods.