How To: Set Up Consent Management for CCPA's Do Not Sell in the Control Panel

A guide for setting up and managing consent for data sales under the CCPA

CCPA regulation calls for a business that sells consumers' personal information to provide a notice of right to opt-out to consumers. Specifically, a website must host a link on their website titled "Do Not Sell My Personal Information" that allows a user to opt-out of data sales.

Under the CCPA, a sale is defined as"selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration"(Cal. Civ. Code Sec. 1798.140). This can include examples such as using data for attribution, look-alike modeling, or using cookies for behavioral advertising.

Ethcya provides a Consent option in your Privacy Center, so users can opt-out of Data Sales. When they go through the Consent experience, a user will land on the Consent Management Portal to manage their opt-out:

28802880

This article will focus on how to set up CCPA's Do Not Sell within Ethyca:

  • Creating your Data Sales Data Use Case
  • Applying Consent Flags to your Data Use Case
  • Understanding the Customer Opt-out Experience
  • Viewing Reports in Your Control Panel

To configure the technical integration for CCPA "Do Not Sell" please visit our technical implementation guide.

Creating your Data Sales Data Use Case

In order to set up your Data Sales Data Use Case for CCPA, there are a few steps you will want to follow in your Control Panel. It is important to note, this Data Use Case will be visible to customers in your Ethyca Privacy Center Consent Management portal depicted above.

When creating your Data Use Case, you will want to ensure that you:

25442544
  • Provide a Title that describes Data Sales (e.g. Data Sales or CCPA's Data Sales)

  • Ensure Requires Consent is set to Yes, so a user can opt-in

  • Include a Description of what your business does with the data. For example:

      Although we do not sell your personal information, from time
      to time we may use some of your personal information for advertising 
      performance analysis and audience modeling for ongoing advertising, 
      which may be interpreted as Data Sales under the California Consumer
      Privacy Act (CCPA). You can opt out of this here and we will ensure 
      your data is no longer used for these purposes.
    
  • Provide the Categories of information involved, such as: e-mail, IP address, behavior data, location, etc.

  • Provide the Phases of data activity. For Data Sales, this will commonly be: Data Collection, Data Processing and Data Retention.

Applying Consent Flags to your Data Use Case

The final step in creating your Data Use Case for CCPA is assigning Consent Flags, which will identify what underlying business processes and systems a users consent will affect.

Applying Consent For Websites will govern how data is handled in front end applications that use cookies and pixels. For example, sending event performance data from an e-commerce flow to Google via the Google Ads pixel.

Applying Consent For Data Integrations will govern how data is handled in backend and service-to-service calls. For example, sending attribution data from physical retail sales to Facebook via their Offline Attribution API.

For your Data Sales Data Use Case, you must check the box on the following flags:

  • Under "Apply Consent for Website", select the checkbox for Data Sales (Facebook, Snap, Pinterest, GTM).
  • Under "Apply Consent for Data Integration", select the checkbox forData Sales.
30183018

Click Save for your Data Use Case, and you're all set with the customer facing consent set up.

Understanding the Customer Opt-out Experience

When you set your Data Sales Data Use Case live, it will be visible to customer's in your Ethyca Privacy Center's Consent Management portal. See mapping guide below:

43204320
Privacy CenterControl Panel
Activities We ProcessBusiness use case for the processing activity. Refers back to the "Title" in the Data Use Case section. (A)
Do you Consent?Allows a user to select YES (opt-in) or NO (opt-out). (B)
DescriptionBusiness description of what a subject is consenting to. Refers back to the "Description" in the Data Use Case section. (C)
Information being processedPII processed in the activity. Refers back to "Category" in the Data Use Case section. (D)

Now let us we'll walk through the subject's consent experience in your Ethyca Privacy Center.

A subject will visit your custom-branded Ethyca Privacy Center and selects the "Consent" option (e.g. https://privacy.<yourcompany>.com).

28802880

The subject will then be shown a popup message that prompts them to provide their email address for identity verification. CCPA regulation requires that you verify the identity of the subject requesting to opt-out to ensure they are who they say they are.

28802880

Once the subject's email address has been submitted, they will be emailed a verification code to confirm their identity and receive the below pop up:

28802880

From the Consent Management page, the subject can choose whether or not they want to consent to having their data sold.

28802880

Once the user confirms their request—"YES" for Opts-In or "NO" for Opts-Out—they will see a confirmation banner (shown below), and a cookie will be set on the user's browser with their consent preference.

28802880

If the user selects "NO", the next time the subject visits your company's site, a cookie will be set on the subject's browser that will suppress their data from being sent back to any downstream systems. This way, Facebook and any other relevant ad products will know the user has opted out.

If the user selects "YES", it will be business as usual until a customer changes their opt-out preferences.

For more information on how to launch your Privacy Center check out this link here.

Viewing Reports in Your Control Panel

All of your subjects' consent status are available in the Control Panel for easy viewing and downloading. This is key for keeping a record of the consumer's opt-out requests you have honored.

Reporting is available on a monthly basis (including month to date). You have the option to open a new window to view the report or download it directly from the Control Panel as a CSV.

31843184

The report will include the data use case(s) consented to, the subjects' emails, their consent status, and the date the consent occurred.

22802280

Support

Please contact [email protected] if you have any questions regarding your account.