California Do Not Sell or Share

Use Transcend to comply with California’s “Do Not Sell or Share My Personal Data” opt-out requirements under CCPA and CPRA, including requests received via browser privacy signals like Global Privacy Control. Completing this guide will also help ensure compliance with requirements of state privacy laws in Virginia, Colorado, and Utah.

While we do our best to provide general background about regulatory issues, this guide is provided for informational purposes only, and should not be construed as legal advice. You should consult with your legal counsel on any specific CCPA questions you have.

  • The California Consumer Privacy Act (CCPA) is in effect and gives California residents the right to opt out of the sale of their personal information, with the opt-out offered via a prominent "Do Not Sell My Personal Information" link on the "selling" party's homepage.
  • The California Privacy Rights Act (CPRA) goes into effect on January 1st, 2023, and amends the CCPA with expanded requirements. This opt-out will be expanded to "Do Not Sell or Share My Personal Information". The amended regulations also provide new guidelines for how opt outs should be collected and enforced.

CPRA introduced extensive modifications and expansions to CCPA.

If your business runs targeted ad campaigns, it’s likely these requirements apply to you. The definition of "sale" or "sharing":

  • includes sharing data with most ad networks (such as Google, Facebook, LinkedIn, Pinterest, Snap, TikTok, etc.) for the purpose of targeted advertising, or "cross-context behavioral advertising."
  • excludes sharing data with a "service provider", which only processes your data according to your instructions (such as Stripe handling your payments or Zendesk handling your support tickets). A "service provider" cannot use the personal data you share with them to refine their profile about the user (as is typical with ad networks).

To comply with this opt-out requirement, you should:

  1. Catalog all data sharing processes and targeted advertising technologies.
  2. Build an opt-out plan based on your business’ specific data practices and desired user experience.
  3. Update your website and implement Transcend Consent to receive opt outs and detect opt-out signals like Global Privacy Control.
  4. Honor opt outs and monitor for any changes in your data practices or technologies that may impact compliance.

The remainder of this guide will walk you through the above steps and help you implement Transcend to ensure compliance.

To achieve full compliance it is essential that you have a comprehensive picture of where personal information is being collected and if it is being shared or sold to a third party.

Transcend Consent and Transcend Data Mapping will automatically scan your full tech stack for ad networks, conversion pixels, and every other technology that may be collecting or sharing personal data.

  • Transcend Data Mapping does an initial remote scan of your website using a headless Chromium browser and also identifies backend tooling that may not be visible client-side, such as systems connected to your Customer Data Platform (e.g. Segment) or SSO provider (e.g. Okta). Follow the Data Mapping implementation docs to catalog your company's entire data inventory and ensure you aren’t missing any data silos that might keep you from being fully compliant.

  • Transcend Consent helps identify and review client-side data flows. Consent reports anonymous telemetry from our script (airgap.js) embedded on your site and gives a richer perspective on your client-side data collection since it’s based on real site sessions.

    • What is a client-side data flow? This refers to data sharing that happens via the site visitor’s device or browser. This is the most common type of data collection and is used by ad platform tracking tools that may be embedded on your site.

Transcend Consent showing an initial list of detected data flows.

Be especially vigilant for any data sharing or sale that is happening somewhere other than client-side. This may include:

  • Backend data transfers (such as data sent to Facebook Ads through your backend application or a cloud-mode connection in Segment or similar CDP).
  • Human processes (such as the marketing team manually uploading customer lists to Facebook Ads).

If you do identify data sharing happening via backend or offline processes, consider what information from a consumer you will need to honor their opt-out request across those channels. This will impact the rest of your implementation process.

California regulations require businesses to offer specific, baseline opt-out capabilities. Depending on your data sharing, technology used, and desired user experience, additional considerations may apply. At a baseline, consumers must be able to:

  • Opt out via a link within the Privacy Policy
  • Opt out via a browser signal like GPC
  • Confirm that their opt out has been processed

Achieving this baseline can be done by implementing Transcend Consent to build a “frictionless” opt out flow.

According to CPRA, if a business follows certain rules in collecting opt outs that minimize friction to the site visitor’s experience, it doesn’t need CCPA opt-out links in its website footer.

  • To opt out, a consumer can either:
    • Use a browser with GPC or another recognized opt-out signal. Their request will be honored and the website will give a visual indication confirming it.
    • Visit the privacy policy and use an opt out link there.
  • Note: this is only permissible when the opt out can be fully effectuated without any further action required from the user.

See more in § 7025 (f) and (g) of the draft regulations.

However, you may need or want to support additional opt-out experiences. If any of the scenarios below apply to you, then you probably aren’t a good candidate for the Frictionless workflow, but don’t worry; setup can still be simple.

  1. Does your business need to collect any additional information in order to fully effectuate the opt-out request?

If the only data sharing taking place is happening client-side, the request can be fully honored by Transcend Consent without needing to collect additional information.

However, if data sharing is happening in your backend or via offline channels and you need additional information in order to fully honor the request then you must collect that information. For example, this may include collecting the user’s email address or asking them to log in to their account. We’ll cover how to do this via a Data Subject Request in your Privacy Center in Step 3.

  2. Does your website have user accounts?

If so, you must store an opt-out submitted by a logged-in user to ensure it’s honored on future site visits. This information can be stored within Transcend Consent or can be piped out via our API and stored on your backend.

You may already have specific privacy settings for a logged-in user that conflict with their opt-out signal. While the regulation requires that you immediately honor the opt-out signal and process their request, it does permit you to ask them if they would like to re-consent and give permission for you to ignore their opt-out signal. We’ll walk through enabling this flow in Step 3.

  3. Does your business want to offer consumers the ability to narrow their opt-out request to only apply to certain types of data sale or sharing?

You have the option to present consumers with the choice to opt out of the sale or sharing of personal information for certain uses as long as a single option to opt-out for ALL personal information is more prominently presented. We’ll walk through how to do this in Step 3.

Transcend Consent automatically detects and honors the GPC browser signal out of the box and allows users to visually verify it is being recognized. We'll keep Consent up to date to ensure it also recognizes other eligible browser signals if and when they become available.

Transcend Consent Manager, showing the detection of the Global Privacy Control

You’re almost done! Just be sure to add the required “frictionless” language to your Privacy Policy:

  • A statement that the business processes opt-out preference signals in a frictionless manner
  • Information on how consumers can set up an opt-out preference signal
  • Information about any other method you offer that the consumer may use to submit a request to opt out of sale/sharing

Review your answers from Step 2 and walk through the following additional implementation flows as needed:

With the exception of sites following the narrowly defined Frictionless opt out flow, every site needs to include a “Do Not Sell or Share My Personal Information” header or footer link on their homepage to help consumers opt out. Review our Consent Documentation for how to code this link on your site.

The ideal flow is to link directly to the opt-out request flow in your Transcend Privacy Center. You can customize this request to collect the information you need to fully effectuate the request.

Careful! The regulation only allows your business to collect what is necessary to fulfill the request, and you cannot require a “verifiable consumer request”.

Ensure you’re associating opt-out requests with a user’s account by syncing Do Not Sell or Share state from our API to your own endpoint.

The ability to let users select specific sub-uses of data sale/sharing that they're willing to permit is coming to Transcend Consent later this year.

Once you’ve collected an opt-out request, you need to ensure you’re honoring the request by governing all applicable data flows.

As a brief review from Step 1, there are three classes of problems here:

  • Client-side data collection (such as data sent to Facebook Ads directly from your website, via the Facebook Pixel).
  • Backend data transfers (such as data sent to Facebook Ads through your backend application or a Cloud-mode connection in Segment).
  • Human processes (such as the marketing team manually uploading customer lists to Facebook Ads).

Against each: Transcend automatically governs your client-side data collection, encodes opt outs across backend tooling for automated suppression, and gives your marketing team a suppression list to efficiently reference.

By far, the most common process for "sale" or "sharing" is client-side data collection. This is the best place to start, and if this is the only process that applies, you only need to use Transcend Consent for this governance step.

Some client-side advertising technologies released updates to their APIs that allow customers to flag tracking events with a special flag that instructs the ad network's systems to restrict how they may use that tracking event. If a tracking event includes this flag, sending this event to them no longer constitutes selling or sharing—in other words, the ad network becomes a "service provider" for that event.

Who supports it: Ad networks that support these options include Facebook Ads and Google Ads. With Facebook, this is called the Limited Data Use ("LDU") flag. With Google, this is called the Restricted Data Processing ("RDP") parameter. Client-side trackers such as the Facebook Pixel and Google Tag Manager support these flags.

We don't recommend building this yourself: Since these tracking events are sent directly from your user's browser to the ad network, this flag can only be added through client-side code. Furthermore, since the inclusion of this flag depends on each user's privacy preferences, this flag must be set dynamically based on the user. Transcend Consent Manager integrates with ad networks and modifies payloads with these flags for you.

For users who have opted out, Transcend Consent automatically modifies events to include these special flags before they are sent to ad networks. Other than installing Transcend Consent on your website and setting it live, this requires no configuration from you. Transcend Consent has special integrations with these networks out of the box.

Many ad networks do not have the ability to receive instructions to restrict the way events are used. In this case, it's necessary to stop sending events to those ad networks for users who have opted out.

The power in airgap.js: Since ad conversion events are sent directly from your user's browser to the ad network, this control must also be performed client-side. Furthermore, since halting data flows depends on each user's privacy preferences, data flows must be blocked dynamically based on the user.

Diagram of airgap.js, showing the data flow to LinkedIn Ads getting blocked.

airgap.js, a subcomponent of Transcend Consent, acts as a client-side firewall on your website and is uniquely capable of blocking data flows before they are sent from an opted-out user's browser to a third party like LinkedIn Ads.

For users who have opted out, Transcend Consent will automatically block data flows before they are sent to these ad networks. All you need to do is ensure the relevant data flows have the tag Sale of Personal Information in the Data Flows section of Transcend Consent.
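
The allow, restrict or block decision described in the two passages above (restriction flags such as LDU where the network supports them, blocking where it does not), sketched as an added example. This is not Transcend's airgap.js: the flow table, the `SaleOfInfo` purpose key, the `api.payments.example` host and all function names are assumptions, and the only vendor call used is Facebook's documented `fbq('dataProcessingOptions', ['LDU'], 0, 0)`.

```javascript
// Added illustration, not Transcend's airgap.js. Flow table and purpose key are constructed.
const SALE = "SaleOfInfo"; // hypothetical key for the "Sale of Personal Information" label

const FLOWS = [
  // Destination named in this guide; assumed here to accept no restriction flag.
  { host: "px.ads.linkedin.com", purposes: [SALE], restrict: null },
  // Facebook Pixel: Limited Data Use is requested through fbq before fbq('init').
  { host: "www.facebook.com", purposes: [SALE],
    restrict: (w) => w.fbq("dataProcessingOptions", ["LDU"], 0, 0) },
  // Constructed service-provider endpoint: no sale or share purpose, never gated.
  { host: "api.payments.example", purposes: [], restrict: null },
];

// A stored account opt-out or a GPC signal both count. GPC reaches scripts as
// navigator.globalPrivacyControl and servers as the "Sec-GPC: 1" request header
// (header names assumed already lower-cased, as Node delivers them).
function isOptedOut({ nav = {}, headers = {}, stored = false } = {}) {
  return stored === true || nav.globalPrivacyControl === true || headers["sec-gpc"] === "1";
}

// Match the exact host or a true subdomain, so a look-alike such as
// px.ads.linkedin.com.example.net is not mistaken for a classified flow.
function findFlow(url, flows = FLOWS) {
  let host;
  try { host = new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
  return flows.find((f) => host === f.host || host.endsWith("." + f.host)) || null;
}

// Per-request decision: "allow", "restrict" (send, flag already applied), "block",
// or "triage" for a destination that has not been classified yet.
function decide(url, optedOut, flows = FLOWS) {
  const flow = findFlow(url, flows);
  if (!flow) return "triage";
  if (!optedOut || !flow.purposes.includes(SALE)) return "allow";
  return flow.restrict ? "restrict" : "block";
}

// Run once at page load, before any vendor init call: apply each available flag
// for an opted-out user and return the hosts that were restricted.
function applyRestrictions(win, optedOut, flows = FLOWS) {
  if (!optedOut) return [];
  const flagged = flows.filter((f) => f.restrict && f.purposes.includes(SALE));
  flagged.forEach((f) => f.restrict(win));
  return flagged.map((f) => f.host);
}
```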

First, view your data flows in the Admin Dashboard under the Data Flows tab of Transcend Consent. We automatically populate your data flows for you by scanning your website. Each data flow is a domain representing the destination of a data flow. For example, the LinkedIn Insight Tag sends data to px.ads.linkedin.com; so, px.ads.linkedin.com is one data flow.

When Transcend detects a new data flow, three things happen:

  1. The data flow will appear on the Data Flows page, under the Triage tab.
  2. Transcend will attempt to classify the tool associated with the data flow. For example, px.ads.linkedin.com would receive the classification LinkedIn Ads.
  3. Transcend will attempt to classify the relevant purposes of this data flow, like Advertising and Sale Of Personal Information.

For this opt-out, all you need to do is ensure your relevant data flows have the label Sale of Personal Information. For Transcend Consent to begin governing these data flows, make sure they are approved and live. If they are in the Triage tab, click "Approve" on the data flow. When you're ready to push the change to production, click "Set Changes Live".

Your configuration for LinkedIn Ads might look like this:

The Data Flows tab in Transcend Consent, showing data flows with a purpose set to "Sale of Personal Information".

For more information on regulating your data flows, please refer to the Transcend Consent documentation.