California Do Not Sell or Share
Use Transcend to easily comply with California's "Do Not Sell or Share My Personal Data" opt-out requirements under CCPA and CPRA. Completing this guide will also help prepare you for upcoming state laws in Virginia, Colorado, and Utah.
- The California Consumer Privacy Act (CCPA) is in effect and gives California residents the right to opt out of the sale of their personal information, with the opt-out offered via a prominent "Do Not Sell My Personal Information" link on the "selling" party's homepage.
- The California Privacy Rights Act (CPRA) goes into effect on January 1st, 2023, and amends the CCPA with expanded requirements. This opt-out will be expanded to "Do Not Sell or Share My Personal Information".
TLDR: this opt-out includes targeted advertising (such as advertising with Facebook, Google, LinkedIn, etc.)
- Read our expanded summary of the new requirements: CCPA vs. CPRA: California's privacy laws explained.
- Read the changes to the law with Transcend's diffed document, showing the changes between CCPA and CPRA.
The definition of "sale" or "sharing":
- … includes sharing data with most ad networks (such as Google, Facebook, LinkedIn, Pinterest, Snap, TikTok, etc.) for the purpose of targeted advertising, or "cross-context behavioral advertising." It was once murky whether this was the case under CCPA, but under the CPRA, it's crystal clear. Other states such as Virginia, Colorado, and Utah followed suit with the same opt-out requirements surrounding targeted advertising.
- … excludes sharing data with a "service provider", which only processes your data according to your instructions (such as Stripe handling your payments or Zendesk handling your support tickets). A "service provider" cannot use the personal data you share with them to refine their profile about the user (as is typical with ad networks).
If your business runs targeted ad campaigns, you likely need to offer this opt-out choice.
To comply with this opt-out requirement, you should:
- Catalog all data flows and targeted advertising technologies.
- Halt any processes that constitute "sale" or "sharing" for the users who have opted out.
- Offer a web interface for your users to opt out of the sale and sharing of their personal information and detect opt-outs via the Global Privacy Control (GPC) signal.
The remainder of this guide will help you easily implement all the above using Transcend.
- Transcend Data Mapping scans your website remotely using a headless Chromium browser, and groks your backend tooling that may not be visible client-side, such as systems connected to Segment or Okta.
- Transcend Consent additionally reports anonymous telemetry from our client-side script (airgap.js) embedded on your site. Telemetry gives you a richer perspective on your client-side data collection since it's based on real site sessions, and includes pages that not be visible to our site scanner, such as logged-in pages within a web application.
There are three classes of problems here:
- Client-side data collection (such as data sent to Facebook Ads directly from your website, via the Facebook Pixel).
- Backend data transfers (such as data sent to Facebook Ads through your backend application or a Cloud-mode connection in Segment).
- Human processes (such as the marketing team manually uploading customer lists to Facebook Ads).
Against each: Transcend automatically governs your client-side data collection, encodes opt-outs across backend tooling for automated suppression, and gives your marketing team a suppression list to efficiently reference.
By far, the most common process for "sale" or "sharing" is client-side data collection. This is the best place to start, and if this is the only process that applies, you only need to use Transcend Consent for this governance step.
Some client-side advertising technologies released updates to their APIs that allow customers to flag tracking events with a special flag that instructs the ad network's systems to restrict how they may use that tracking event. If a tracking event includes this flag, sending this event to them no longer constitutes selling or sharing—in other words, the ad network becomes a "service provider" for that event.
Who supports it: Ad networks that support these options include Facebook Ads and Google Ads. With Facebook, this is called the Limited Data Use ("LDU") flag. With Google, this is called the Restricted Data Processing ("RDP") parameter. Client-side trackers such as the Facebook Pixel and Google Tag Manager support these flags.
We don't recommend building this yourself: Since these tracking events are sent directly from your user's browser to the ad network, this flag can only be added through client-side code. Furthermore, since the inclusion of this flag depends on each user's privacy preferences, this flag must be set dynamically based on the user. Transcend Consent Manager integrates with ad networks and modifies payloads with these flags for you.
For users who have opted out, Transcend Consent automatically modifies events to include these special flags before they are sent to ad networks. Other than installing Transcend Consent on your website and setting it live, this requires no configuration from you. Transcend Consent has special integrations with these networks out of the box.
Many ad networks do not have the ability to receive instructions to restrict the way events are used. In this case, it's necessary to stop sending events to those ad networks for users who have opted out.
The power in
airgap.js: Since ad conversion events are sent directly from your user's browser to the ad network, this control must also be performed client-side. Furthermore, since halting data flows depends on each user's privacy preferences, data flows must be blocked dynamically based on the user.
airgap.js, a subcomponent of Transcend Consent, acts as a client-side firewall on your website and is uniquely capable of blocking data flows before they are sent from an opted-out user's browser to a third party like LinkedIn Ads.
For users who have opted out, Transcend Consent will automatically block data flows before they are sent to these ad networks. All you need to do is ensure the relevant data flows have the tag
Sale of Personal Information in the Data Flows section of Transcend Consent.
First, view your data flows in the Admin Dashboard under the Data Flows tab of Transcend Consent. We automatically populate your data flows for you by scanning your website. Each data flow is a domain representing the destination of a data flow. For example, the LinkedIn Insight Tag sends data to
px.ads.linkedin.com is one data flow.
When Transcend detects a new data flow, three things happen:
- The data flow will appear on the Data Flows page, under the Triage tab.
- Transcend will attempt to classify the tool associated with the data flow. For example,
px.ads.linkedin.comwould receive the classification LinkedIn Ads.
- Transcend will attempt to classify the relevant purposes of this data flow, like
Sale Of Personal Information.
For this opt-out, all you need to do is ensure your relevant data flows have the label,
Sale of Personal Information. For Transcend Consent to begin governing these data flows, make sure these data flows are approved and live. If they are in the Triage tab, click "Approve" on the data flow. When you're ready to push the change to production, click "Set Changes Live".
Your configuration for LinkedIn Ads might look like this:
For more information on regulating your data flows, please refer to the Transcend Consent documentation.
Lastly, you'll need a way to receive "Do Not Sell or Share" opt-outs from consumers.
Transcend Consent has a pre-built interface which you can use for an out-of-the-box solution, by following this guide.
Transcend Consent automatically detects and honors the GPC browser signal.