CCPA: How to add a notice of collection and a “Do not sell” link

💡 Confused about the CCPA? Here’s what you need to do:

  1. Check if CCPA applies to you via our quiz
  2. Read our full guide on what CCPA is about
  3. Create or update your privacy policy to include all necessary CCPA provisions
  4. Add a notice of collection and “Do not sell” link to all your pages (this guide)

In this guide, we’ll show you how to meet the notice of collection and opt-out requirements of the California Consumer Privacy Act (CCPA) with our Cookie Solution.

Our Solution allows you to meet these requirements in three ways:

Functionality of the solution (how it helps you to comply)

Displays CCPA notice of Collection

Our solution allows you to display a notice which informs Californian consumers that their data might be collected and of their right to opt-out. The notice also displays a “Do Not Sell My Personal Information” link as legally required.

Displays “Do Not Sell My Personal Information” Link

Our solution displays a DNSMPI (opt-out) link within the collection notice (as legally required) and also allows you to add the link to your site for easy user access (as legally required).

Facilitates opt-out

The CCPA also requires that you facilitate consumers’ opt-out requests. Our solution handles this in the following ways:

  • Signal opt-out status to third parties that adhere to the IAB U.S. Privacy Framework. Our solution integrates IAB’s U.S. Privacy Framework into its CCPA functionality, which allows you to signal a consumer’s opt-out status to the entire network of IAB global vendors that support the U.S. Privacy Framework (this list includes vendors like Google and AdRoll).
  • Block scripts that do not adhere to the IAB U.S. Privacy Framework. Once you have manually tagged these scripts, our solution automatically blocks them when a user opts out.

Allows you to Auto-detect and apply the correct standards (including multiple standards) based on location.

Our solution allows you to automatically apply either or both CCPA and GDPR standards to the same users when legally required.

Support for Facebook Limited Data Use

Facebook’s new Limited Data Use (LDU) allows site owners who fall under the CCPA and who use Facebook’s services in their advertising or on their site, to request that Facebook limit their data processing for Californian residents.

According to Facebook:

“If we receive a flag for a person in California, we will process data in accordance with our role as a service provider and limit the use of that data subject to our State-Specific Terms. Limited Data Use is only effective for people in California. If businesses do not set the parameters to US and California, we will determine if a person is in California. Businesses may notice an impact to campaign performance and effectiveness, and retargeting and measurement capabilities will be limited.”

In general, there are two ways by which Facebook identifies where to apply these settings:

  • Facebook detects Californian consumers on your behalf and applies LDU settings broadly.
  • You detect Californian consumers via your onsite CMP and pass the data to Facebook’s pixel, so that the LDU setting only runs for Californian users who have already opted out via your cookie notice.

Obviously the second approach is generally preferable and gives you more control.

We’re happy to say that iubenda’s Cookie Solution supports Facebook’s Limited Data Use.

For a look at how you can set up your Cookie Solution to pass relevant LDU settings data to Facebook, please see the code example below.

See the Pen Facebook Limited Data Use by iubenda (@iubenda) on CodePen.

This setup will allow you to seamlessly pass the right variables when your users apply a CCPA opt-out.
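One way to wire the second approach, as an added example (this is not the code from iubenda's CodePen). The `fbq('dataProcessingOptions', …)` argument values come from Facebook's LDU documentation; placing callbacks under a `callback` key of `_iub.csConfiguration` and the pixel ID placeholder are assumptions.

```javascript
// Added example: drive Facebook LDU from the Cookie Solution's CCPA state.
// Country 1 / state 1000 are Facebook's codes for United States / California.
function lduArgs(ccpaApplies, optedOut) {
  return ccpaApplies && optedOut ? [['LDU'], 1, 1000] : [[]];
}

// Push the current state to the pixel.
// `api` exposes ccpaApplies() and isCcpaOptedOut(); `fbq` is the pixel function.
function syncLdu(api, fbq) {
  const args = lduArgs(api.ccpaApplies(), api.isCcpaOptedOut());
  fbq('dataProcessingOptions', ...args);
  return args;
}

// Return a copy of the configuration whose onCcpaOptOut callback keeps the
// pixel in sync, preserving any callback that was already registered.
// Assumption: callbacks live under the `callback` key of the configuration.
function withLdu(config, getApi, fbq) {
  const previous = (config.callback || {}).onCcpaOptOut;
  return {
    ...config,
    callback: {
      ...config.callback,
      onCcpaOptOut() {
        if (previous) previous();
        syncLdu(getApi(), fbq);
      },
    },
  };
}

// Browser usage, placed before the Cookie Solution embedding code:
//   fbq('dataProcessingOptions', []);        // LDU off until an opt-out is known
//   fbq('init', 'PIXEL_ID_PLACEHOLDER');
//   _iub.csConfiguration = withLdu(
//     { enableCcpa: true, countryDetection: true /* rest of your settings */ },
//     () => _iub.cs.api, fbq);
```
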

How to activate the CCPA functionality

The following scenarios and the accompanying instructions will allow you to:

If you want to support the CCPA Compliance Framework by IAB (recommended)

Add <script src="//cdn.iubenda.com/cs/ccpa/stub.js"></script> before your Cookie Solution embedding code and make sure that both codes are placed as very first scripts of the page (e.g. right after the opening of the <head> tag).

Scenario 1: You’d like to apply CCPA standards but not GDPR standards

For example, you’re a non-EU business that has Californian users but does not have EU-based users.
This particular scenario actually has two use cases:

(a) You’d like to apply CCPA standards to all your users.
If you want to apply CCPA standards to all your users, but not apply the GDPR to any of them, select “Apply CCPA” and “Always Apply CCPA”:

Code:

"enableCcpa": true,
"ccpaApplies": true,
"enableGdpr": false,
"gdprApplies": false,
"gdprAppliesGlobally": false,

(b) You’d like to apply CCPA standards to only your Californian users.
If you want to grant CCPA standards only to users from California, by automatically detecting users connecting from California and only applying the CCPA to them, select “Apply CCPA” and “Automatically detect when to apply CCPA based on user location”:

Code:

"enableCcpa": true,
"countryDetection": true,
"enableGdpr": false,

See scenario 1 example below:

Open on CodePen

Scenario 2: You’d like to apply CCPA standards to Californian users and GDPR to EU users

For example, you’re a non-EU business that has both EU-based and Californian users.

Based on country detection, we’ll apply the CCPA when we detect that the user is connecting from California and the GDPR when the user is connecting from the EU. Select “Apply both” and “Automatically detect when to apply CCPA based on user location”:

Then, select “Request consent to EU users only” in “Advanced View”:

Code:

"enableGdpr": true, //true by default, so it's not strictly needed
"enableCcpa": true,
"gdprAppliesGlobally": false,
"countryDetection": true,

Scenario 3: You’d like to apply CCPA standards to Californian users and GDPR worldwide

For example, you’re an EU business that has Californian users.

Important: remember that, if you’re based in the EU, you are required to apply the GDPR worldwide.

Select “Apply both” and “Automatically detect when to apply CCPA based on user location”:

Code:

"enableGdpr": true, //true by default, so it's not strictly needed
"enableCcpa": true,
"gdprAppliesGlobally": true,
"countryDetection": true,

In this case, we’ll show Californian users a notice that incorporates both the GDPR and the CCPA requirements, while users outside of California receive only the GDPR standards.

See examples for both scenarios 2 & 3 below:

The examples below cover both scenarios 2 & 3. For this reason, we suggest opening these examples in CodePen in order to read the full description.

CCPA & GDPR enabled:

Open on CodePen

CCPA & GDPR enabled with TCF active:

Open on CodePen

Scenario 4: You’d like to apply GDPR standards but not the CCPA

For example, you’re an EU business that does not have Californian users

If the CCPA doesn’t apply to you, you can use the default Cookie Solution snippet.

How to make sure that “Do Not Sell” is honored

If the user chooses to opt out of the sale of their data, this choice must be honored. There are three ways to make sure of this.

If the sale is performed by a service/vendor that adheres to the CCPA Compliance Framework

In this case, our integration with the CCPA Compliance Framework will take care of notifying the vendors that an opt-out from sale has occurred.

If the sale is performed by a service/vendor that provides a specific configuration to signal that the user has opted out from sale

This is, for instance, the case with Google, which allows you to send a specific signal whenever an opt-out has occurred. The instructions are provided in this article and apply to Google Ads and to Google Analytics.

Other vendors may provide similar instructions.

If the sale is performed by a service/vendor that does not adhere to the CCPA Compliance Framework nor provides a way to communicate the opt-out

In this case, you’ll have to apply the class _iub_cs_activate to the script tag of each of these services, change the type attribute from text/javascript to text/plain and add the data-iub-blockifccpaoptout attribute:

<script class="_iub_cs_activate" type="text/plain" data-iub-blockifccpaoptout src="...">
...
</script>

This can be done manually or via a tag manager like Google Tag Manager.
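A check for the three tagging requirements above (class, type and attribute), as an added example that is not iubenda code. `BLOCK_HOSTS` and the sample hostnames are constructed; fill the list with the vendors you have identified as needing manual blocking.

```javascript
// Added example: audit a page's <script> tags against the tagging rules.
// BLOCK_HOSTS is a constructed list of vendors that must be blocked on opt-out.
const BLOCK_HOSTS = ['ads.vendor.example'];

// Parse the attribute portion of an opening tag into a lower-cased map.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([^\s=/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const m of raw.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Resolve protocol-relative and relative URLs against a dummy base.
function hostOf(src) {
  try {
    return new URL(src, 'https://base.invalid').hostname;
  } catch {
    return '';
  }
}

// Return one finding per listed-vendor script that is missing any of:
// class _iub_cs_activate, type text/plain, data-iub-blockifccpaoptout.
function auditScripts(html, hosts = BLOCK_HOSTS) {
  const findings = [];
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const a = parseAttrs(m[1]);
    if (!a.src || !hosts.includes(hostOf(a.src))) continue;
    const missing = [];
    if (!(a.class || '').split(/\s+/).includes('_iub_cs_activate')) missing.push('class');
    if ((a.type || '').toLowerCase() !== 'text/plain') missing.push('type');
    if (!('data-iub-blockifccpaoptout' in a)) missing.push('data-iub-blockifccpaoptout');
    if (missing.length) findings.push({ src: a.src, missing });
  }
  return findings;
}
```

Run it over rendered HTML (for example `document.documentElement.outerHTML`, or a template in a CI job) so that a vendor script added later without the tagging is caught before release.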

Example showing tagging via Google Tag Manager (GTM)

The CodePen example here demonstrates how to manage scripts for the CCPA (and the GDPR) using Google Tag Manager.

“Do Not Sell My Personal Information” link

As a requirement under the consumer’s right to opt-out, you must provide an easily accessible, clear and conspicuous “Do Not Sell My Personal Information” link on your website.

By following the instructions above, you’ll be displaying a “Do Not Sell” link in the CCPA notice, but we also offer the possibility to add a standalone link by adding the class iubenda-ccpa-opt-out. It is recommended that you add an easily accessible link somewhere on your site (typically the footer) so that users can still opt out even after closing the notice, if they so choose (legally required).

For example, you could add a link to the footer as follows:

<a href="javascript:void(0)" class="iubenda-ccpa-opt-out">Do Not Sell My Personal Information</a>

When clicked, this link will display a dialog where the user can confirm their intention to opt out from the sale of their personal information.

Do not show a visible CCPA notice

If you prefer not to display an actual banner to notify users about CCPA, you can do so by using the following settings:

ccpaNoticeDisplay: false

This option is also available through the configurator (“Only link the privacy policy on every page”).

“Notice given” signal

You can choose to:

  • display a banner and only send the “notice given” signal when the user explicitly dismisses the banner (ccpaAcknowledgeOnDisplay: false, default);
  • display a banner and send a “notice given” signal when the banner is loaded, without need for user action (ccpaAcknowledgeOnDisplay: true); or
  • not display a banner and only add a link to every page, sending the “notice given” signal when the page is loaded.

These settings are also available through the configurator.

Cookie Solution for CCPA - What constitutes acknowledgement of the notice

Other settings

ccpaCookie: { expireAfter: 365 } – Allows you to customize the expiration of the cookie that stores the acknowledgment of the notice.

privacyPolicyUrl: "https://yoursite.com/privacypolicy" – Allows you to customize the privacy policy link. On the configurator (under “Advanced view”):

Cookie Solution for CCPA - Custom Privacy Policy URL

ccpaLspa: true / false / undefined (default) – Allows you to specify whether the transaction should be performed under the Limited Service Provider Agreement (LSPA) by the IAB.

Callbacks

onCcpaAcknowledged – Invoked when the CCPA notice has been acknowledged.

onCcpaFirstAcknowledged – Invoked the first time the CCPA notice has been acknowledged.

onCcpaOptOut – Invoked when the user has opted out from sale.

onCcpaFirstOptOut – Invoked the first time the user has opted out from sale.

Methods

_iub.cs.api.ccpaApplies() – Returns whether the CCPA protections are applied to the current user.

_iub.cs.api.askCcpaOptOut() – Pops up the dialog to request confirmation for the opt-out from sale.

_iub.cs.api.isCcpaAcknowledged() – Returns whether the CCPA notice has been acknowledged.

_iub.cs.api.isCcpaOptedOut() – Returns whether the user has opted out from sale.
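The IAB U.S. Privacy Framework carries the “notice given”, opt-out and LSPA flags discussed above in a four-character string such as `1YYN`. The decoder and consistency check below are an added example, not iubenda code: the string layout follows the IAB U.S. Privacy specification (version 1), and it is assumed that stub.js exposes the framework's `__uspapi` function and that acknowledging the notice is what sets the notice-given flag.

```javascript
// Added example: decode an IAB U.S. Privacy string such as "1YYN".
// Layout (IAB spec v1): version, notice given, opt-out of sale, LSPA.
const FLAG = { Y: true, N: false, '-': null }; // '-' means "not applicable"

function decodeUsPrivacy(uspString) {
  const s = String(uspString || '').toUpperCase();
  if (!/^1[YN-]{3}$/.test(s)) {
    throw new Error('malformed U.S. Privacy string: ' + JSON.stringify(uspString));
  }
  return {
    version: 1,
    ccpaApplies: s !== '1---', // "1---" signals that the CCPA does not apply
    noticeGiven: FLAG[s[1]],
    optedOutOfSale: FLAG[s[2]],
    lspa: FLAG[s[3]],
  };
}

// Compare the signal vendors receive with what the Cookie Solution reports.
// `api` is any object exposing the methods listed under "Methods".
function auditSignal(uspString, api) {
  const usp = decodeUsPrivacy(uspString);
  const problems = [];
  if (usp.ccpaApplies !== api.ccpaApplies()) problems.push('ccpaApplies mismatch');
  if (usp.ccpaApplies) {
    if (usp.optedOutOfSale !== api.isCcpaOptedOut()) {
      problems.push('opt-out not reflected in signal');
    }
    // Assumption: acknowledgement of the notice sets the notice-given flag.
    if (usp.noticeGiven !== api.isCcpaAcknowledged()) {
      problems.push('notice-given mismatch');
    }
  }
  return problems;
}

// Browser usage (assumes stub.js has installed __uspapi):
//   __uspapi('getUSPData', 1, (data, ok) => {
//     if (ok) console.log(auditSignal(data.uspString, _iub.cs.api));
//   });
```

An empty array means the string vendors read agrees with the state the Cookie Solution reports for the current user.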
