California Do Not Sell or Share

Use Transcend to comply with California’s “Do Not Sell or Share My Personal Data” opt-out requirements under CCPA and CPRA, including requests received via browser privacy signals like Global Privacy Control. Completing this guide will also help ensure compliance with requirements of state privacy laws in Virginia, Colorado, and Utah.

While we do our best to provide general background about regulatory issues, this guide is provided for informational purposes only, and should not be construed as legal advice. You should consult with your legal counsel on any specific CCPA questions you have.

  • The California Consumer Privacy Act (CCPA) is in effect and gives California residents the right to opt out of the sale of their personal information, with the opt-out offered via a prominent "Do Not Sell My Personal Information" link on the "selling" party's homepage.
  • The California Privacy Rights Act (CPRA) went into effect on January 1st, 2023, and amends the CCPA with expanded requirements, including more specific requirements for how opt-outs of sale or sharing are handled. CPRA Regulations that further expand on the law are currently in a draft state and expected to become final in the coming months.

CPRA introduced extensive modifications and expansions to CCPA.

If your business runs targeted ad campaigns, it’s likely these requirements apply to you. The definition of "sale" or "sharing":

  • includes sharing data with most ad networks (such as Google, Facebook, LinkedIn, Pinterest, Snap, TikTok, etc.) for the purpose of targeted advertising, or "cross-context behavioral advertising."
  • excludes sharing data with a "service provider", which only processes your data according to your instructions (such as Stripe handling your payments or Zendesk handling your support tickets). A "service provider" cannot use the personal data you share with them to refine their profile about the user (as is typical with ad networks).

To comply with this opt-out requirement, you should:

  1. Catalog all data sharing processes and targeted advertising technologies.
  2. Build an opt-out plan based on your business’ specific data practices and desired user experience.
  3. Update your website and implement Transcend Consent Management to receive opt outs and detect opt-out signals like Global Privacy Control.
  4. Honor opt outs and monitor for any changes in your data practices or technologies that may impact compliance.

The remainder of this guide will walk you through the above steps and help you implement Transcend to ensure compliance.

To achieve full compliance it is essential that you have a comprehensive picture of where personal information is being collected and if it is being shared or sold to a third party.

Transcend Consent Management and Transcend Silo Discovery will automatically scan your full tech stack for ad networks, conversion pixels, and every other technology that may be collecting or sharing personal data.

  • Transcend Consent helps identify and review client-side data flows. Consent reports anonymous telemetry from our script (airgap.js) embedded on your site and gives a richer perspective on your client-side data collection since it’s based on real site sessions
  • Transcend Silo Discovery finds data silos across your business, including backend tooling which may not be visible client-side, such as systems connected to your Customer Data Platform (e.g. Segment) or SSO provider (e.g. Okta). Follow the Silo Discovery guide to auto-populate your Data Inventory.
  • What is a client-side data flow? This refers to data sharing that happens via the site visitor’s device or browser. This is the most common type of data collection and is used by ad platform tracking tools that may be embedded on your site.

Be especially vigilant for any data sharing or sale that is happening somewhere other than client-side. This may include:

  • Backend data transfers (such as data sent to Facebook Ads through your backend application or a cloud-mode connection in Segment or similar CDP).
  • Human processes (such as the marketing team manually uploading customer lists to Facebook Ads). If you do identify data sharing happening via backend or offline processes, consider what information from a consumer you will need to honor their opt-out request across those channels. This will impact the rest of your implementation process.

California regulations require businesses to offer specific, baseline opt-out capabilities. Depending on your data sharing, technology used, and desired user experience, here are additional considerations that may apply.

  • Opt out via a link within the Privacy Policy
  • Out opt via a browser signal like GPC
  • Confirm that their opt out has been processed

Achieving this baseline can be done by implementing Transcend Consent Management to build a “frictionless” opt out flow.

According to CPRA, if a business follows certain rules in collecting opt outs that minimize friction to the site visitor’s experience, they don’t need CCPA opt out links included in their website footer.

  • To opt out, a consumer can either:
    • Use a browser with GPC or other recognized opt-out signal. Their request will be honored and the website will give a visual indication confirming.
    • Visit the privacy policy and use an opt out link there.
  • Note: this is only permissible when the opt out can be fully effectuated without any further action required from the user

See more in § 7025 (f) and (g) of the draft regulations.

However, you may need or want to support additional opt-out experiences. If any of the below scenarios apply to you then you probably aren’t a good candidate for the Frictionless workflow, but don’t worry; set up can still be simple.

  1. Does your business need to collect any additional information in order to fully effectuate the opt-out request?

If the only data sharing taking place is happening client-side, the request can be fully honored by Transcend Consent Management without needing to collect additional information.

However, if data sharing is happening in your backend or via offline channels and you need additional information in order to fully honor the request then you must collect that information. For example, this may include collecting the user’s email address or asking them to log in to their account. We’ll cover how to do this via a Data Subject Request in your Privacy Center in Step 3.

  1. Does your website have user accounts?

If so, you must store an opt-out submitted by a logged-in user to ensure it’s honored on future site visits. This information can be stored within Transcend Consent Management or can be piped out via our API and stored on your backend.

You may already have specific privacy settings for a logged-in user that conflict with their opt-out signal. While the regulation requires that you immediately honor the opt-out signal and process their request, it does permit you to ask them if they would like to re-consent and give permission for you to ignore their opt-out signal. We’ll walk through enabling this flow in Step 3.

  1. Does your business want to offer consumers the ability to narrow their opt-out request to only apply to certain types of data sale or sharing?

You have the option to present consumers with the choice to opt out of the sale or sharing of personal information for certain uses as long as a single option to opt-out for ALL personal information is more prominently presented. We’ll walk through how to do this in Step 3.

Transcend Consent Management automatically detects and honors the GPC browser signal out of the box and allows users to visually verify it is being recognized. We'll keep Consent up to date to ensure it also recognizes other eligible browser signals if and when they become available.

You’re almost done! Just be sure to add the required “frictionless” language to your Privacy Policy:

  • A statement that the business processes opt-out preference signals in a frictionless manner
  • Information on how consumers can setup an opt-out preference signal
  • Information about any other method you offer the consumer may use to submit a request to opt-out of sale/sharing

Review your answers from Step 2 and walk through the following additional implementation flows as needed:

Careful! The regulation only allows your business to collect what is necessary to fulfill the request, and you cannot require a “verifiable consumer request”.

Once you’ve collected an opt out-request, you need to ensure you’re honoring the request by governing all applicable data flows.

As a brief review from Step 1, there are three classes of problems here:

  • Client-side data collection (such as data sent to Facebook Ads directly from your website, via the Facebook Pixel).
  • Backend data transfers (such as data sent to Facebook Ads through your backend application or a Cloud-mode connection in Segment).
  • Human processes (such as the marketing team manually uploading customer lists to Facebook Ads).

Against each: Transcend automatically governs your client-side data collection, encodes opt outs across backend tooling for automated suppression, and gives your marketing team a suppression list to efficiently reference.

By far, the most common process for "sale" or "sharing" is client-side data collection. This is the best place to start, and if this is the only process that applies, you only need to use Transcend Consent Management for this governance step.

Some client-side advertising technologies released updates to their APIs that allow customers to flag tracking events with a special flag that instructs the ad network's systems to restrict how they may use that tracking event. If a tracking event includes this flag, sending this event to them no longer constitutes selling or sharing—in other words, the ad network becomes a "service provider" for that event.

Who supports it: Ad networks that support these options include Facebook Ads and Google Ads. With Facebook, this is called the Limited Data Use ("LDU") flag. With Google, this is called the Restricted Data Processing ("RDP") parameter. Client-side trackers such as the Facebook Pixel and Google Tag Manager support these flags.

We don't recommend building this yourself: Since these tracking events are sent directly from your user's browser to the ad network, this flag can only be added through client-side code. Furthermore, since the inclusion of this flag depends on each user's privacy preferences, this flag must be set dynamically based on the user. Transcend Consent Management integrates with ad networks and modifies payloads with these flags for you.

For users who have opted out, Transcend Consent Management automatically modifies events to include these special flags before they are sent to ad networks. Other than installing Transcend Consent Management on your website and setting it live, this requires no configuration from you. Transcend Consent Management has special integrations with these networks out of the box.

Many ad networks do not have the ability to receive instructions to restrict the way events are used. In this case, it's necessary to stop sending events to those ad networks for users who have opted out.

The power in airgap.js: Since ad conversion events are sent directly from your user's browser to the ad network, this control must also be performed client-side. Furthermore, since halting data flows depends on each user's privacy preferences, data flows must be blocked dynamically based on the user.

airgap.js, a subcomponent of Transcend Consent, acts as a client-side firewall on your website and is uniquely capable of blocking data flows before they are sent from an opted-out user's browser to a third party like LinkedIn Ads.

For users who have opted out, Transcend Consent Management will automatically block data flows before they are sent to these ad networks. All you need to do is ensure the relevant data flows have the tag Sale of Personal Information in the Data Flows section of Transcend Consent.

First, view your data flows in the Admin Dashboard under the Data Flows tab of Transcend Consent. We automatically populate your data flows for you by scanning your website. Each data flow is a domain representing the destination of a data flow. For example, the LinkedIn Insight Tag sends data to px.ads.linkedin.com; so, px.ads.linkedin.com is one data flow.

When Transcend detects a new data flow, three things happen:

  1. The data flow will appear on the Data Flows page, under the Triage tab.
  2. Transcend will attempt to classify the tool associated with the data flow. For example, px.ads.linkedin.com would receive the classification LinkedIn Ads.
  3. Transcend will attempt to classify the relevant purposes of this data flow, like Advertising and Sale Of Personal Information.

For this opt-out, all you need to do is ensure your relevant data flows have the label, Sale of Personal Information. For Transcend Consent Management to begin governing these data flows, make sure these data flows are approved and live. If they are in the Triage tab, click "Approve" on the data flow. When you're ready to push the change to production, click "Set Changes Live".

Your configuration for LinkedIn Ads might look like this:

For more information on regulating your data flows, please refer to the Transcend Consent Management documentation.