How many companies offer a do-not-sell (DNS) link on their websites?
Of the thousand-plus privacy laws and regulations tracked in PwC’s Risk Atlas database, CCPA is the only one in the world to mandate that a covered company that “sells” data should offer a do-not-sell (DNS) link on its websites.
A PwC team analyzed the websites of the 600 largest publicly traded companies and 100 largest privately held corporations and evaluated their approaches to this requirement.
Overall, 16% of the companies offered a DNS link. The percentage breakdowns by industry sector reflect the varied consumer experience we predicted last year.
- Consumer Markets: 29%
- Technology, Media, & Telecom: 23%
- Health Industries: 9%
- Industrial Products & Services: 6%
- Financial Services: 3%
Not surprisingly, industries with direct interactions with consumers are ahead of the other industries. But we expect that even traditionally B2B companies will catch up over time. For example, manufacturers of smart devices that offer services that track consumers in real-time will have to comply.
The 19% overall benchmark is trending above our expectations. In the months running up to the January 1 CCPA go-live date, the prevailing chatter among privacy professionals at industry events and networking groups suggested fewer than 10% would be launching these links, and instead would declare in their privacy policies that they didn’t sell Californians’ data.
How many companies are offering CCPA rights of access and deletion beyond California residents?
We also checked to see how many companies were offering CCPA rights of access and deletion to all consumers, compared to those that restricted them to California residents only. Over the past year, we had advised companies to plan for the long term, adopt operational simplicity, and extend these rights to all consumers. Indeed, during the same industry events and networking groups mentioned before, the large majority of chief privacy officers were inclined to adopt that universal position.
Among companies that were operating a CCPA individual rights portal that we could analyze, we found the large majority were restricting those rights to Californians -- at least in this first phase of CCPA. Here are the sectoral breakdowns of those percentages implementing that restriction:
- Health Industries: 75%
- Financial Services: 67%
- Consumer Markets: 64%
- Technology, Media, & Telecom: 57%
- Industrial Products & Services: 55%
Companies have had to focus on California residents, given the significant resources needed to comply with the deadlines. By the end of the year, we expect coverage beyond California residents, as companies grow more confident about their ability to respond to consumer requests and as more states pass their own privacy legislation.
How many are operating CCPA privacy rights portals?
Companies subject to CCPA had relatively little time to design, test, and launch online triage mechanisms that first verify an individual’s identity before fulfilling their access and delete requests. Those who got the portals into the market achieved a substantial milestone. How many made it?
Across the websites of the 600 largest companies in the United States, we encountered operational CCPA rights portals on 40 percent of them. How did the different sectors rank against each other?
- Financial Services: 57%
- Consumer Markets: 49%
- Technology, Media, & Telecom: 43%
- Health Industries: 39%
- Industrial Products & Services: 19%
Among the 600 sites, we found 33 pacesetters, those that are operating privacy rights portals and extending those rights to all consumers. Will their consumers notice this difference and respond in a way that reflects greater trust and appreciation of these brands? Time will tell.