- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
CCPA Privacy FAQs: Is a business required to post a “do not sell” link if it offers a loyalty program?
Not necessarily.
California has two statutes that apply to the sale of information – The California Shine the Light Law and the California Consumer Protection Act.
The California Shine the Light Law applies to companies that have a business relationship with a consumer that is “primarily for personal, family, or household purposes” and that collect personal information online.1 As a result, the statute generally applies to B2C loyalty programs that are operated online. If the statute applies, it generally requires that a business that allows third parties to use information collected from consumers for the third parties’ own direct marketing tell consumers how they can request more information concerning the identity of those third parties.2 It is important to note, however, that if a business does not sell personal information (or allow other third parties to use personal information for their direct marketing), the business is not required to make an affirmative statement to that effect. In other words, if a loyalty program provides personal information to other companies and allows those companies to market products and services to consumers, the statute requires that the company discloses that fact; it does not require a loyalty program that does not share information with third parties for their own use to make any disclosures.
The CCPA requires that a business that sells personal information disclose within its privacy policy a “list of the categories of personal information it has sold about consumers in the preceding 12 months.”3 The business must then include a link on its homepage titled “Do Not Sell My Personal Information” and allow consumers to opt-out of the sale.
The net result is that if a business sells loyalty program information, the business must disclose that fact and then include a “Do Not Sell” link; if a business does not sell loyalty program information, the business is not required to include such a link.