This article is the third and final article in a multi-part series covering concepts which can be applied to an organization’s process for managing privacy rights requests. The first article in this series discussed designing a process that considers data privacy regulation expansion, managing different data subject types and gaining process efficiencies. The second article discussed strategies for communicating with requestors, common methods to “delete” data and handling requests from authorized agents. This final article covers strategies for handling Do Not Sell My Information requests and addressing unstructured data.
Do Not Sell My Information Requests
The California Consumer Privacy Act (CCPA) grants California residents the right to request an organization to stop selling their personal information, also known as the right to opt-out of sale. Challenges relating to the sale of personal information include the difficulty in assessing if a sale of personal information is occurring. Below are topics to consider when determining how to process requests for the opt-out of sale:
- Is there a sale of personal information? A sale of personal information is defined under the CCPA as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”  While it is generally straightforward to determine if monetary consideration is being exchanged, the “other valuable consideration” component of the CCPA’s definition increases the scope of potential sale scenarios. A thorough examination of this topic and what is or isn’t a sale is beyond the scope of this article and continues to be interpreted and debated by the legal community. Determining whether or not an organization sells personal information, as defined by the CCPA, is not straightforward and a good practice is to seek legal advice as to whether your organization’s sharing of personal data with third parties may constitute a sale.
- Is the Company conducting targeted or behavioral advertising? Another activity that involves a potential sale of personal information relates to “targeted advertising” or “behavioral advertising.” Most of these ads are supplied by third-party ad brokers which specialize in serving up ads dynamically in real-time for a variety of businesses. Ad brokers try to serve ads they deem to be most relevant to the specific person viewing the website, increasing the likelihood of the ad being clicked. This technique requires using digital identifiers (most often cookies) to track a user’s behavior across various websites to discern what interests them. The broker then selects which ads to display based on this behavior (this is how a product viewed on one’s phone might cause ads for similar products to appear on other websites browsed by the same individual or household, even on different devices). The CCPA considers digital identifiers to be personal information and in many cases these identifiers are being shared with ad brokers. The primary question remains as to whether this sharing constitutes a sale. While the debate around this continues, it seems likely that the use of third-party tracking technologies for advertising purposes will be discontinued and major companies in this space such as Google have already started working on phasing them out. Until then, if your organization uses third-party digital advertising, it is important to assess how the organization handles this functionality when a user opts out of a sale.
- Is it possible the Company will sell personal information in the future? Even if your organization does not sell personal information, it may be wise to log do not sell requests anyway. If your organization’s practices change in the future or the organization’s determination of what constitutes a sale changes, the organization can refer back to historical requests and honor them going forward.
Individuals who share personal information with an organization likely do not understand the degree to which it is shared with third parties and whether a sale of personal information is occurring. Organizations that review and manage these risks on behalf of their customers will instill goodwill with their customers.
Addressing Unstructured Data
The data which organizations store, including personal information, can be categorized as structured, unstructured or in some cases semi-structured. Structured data is comprised of easily identifiable data elements, stored in defined locations that follow defined data types and patterns. Structured data resides most commonly in relational databases. Unstructured data includes essentially everything else and may include textual files (documents, spreadsheets, presentations, emails, etc.), media files (pictures, audio files, videos, etc.) and social media content. Unstructured data can also include machine-generated data such as surveillance footage or information collected from sensors. Structured data is generally easy to handle when processing privacy rights requests because it is well defined and easy to search.
The California Privacy Rights Act (CPRA) which is set to be effective January 1, 2023, states, “This title shall not be construed to require a business, service provider, or contractor to: (1) reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered personal Information; (2) retain any personal Information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained; or (3) maintain information in identifiable, linkable or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of /Inking or associating a verifiable consumer request with personnel information.” 
This clause outlined above, which builds on language found in the CCPA, allows for organizations to be strategic when defining what type of data and which repositories an organization determines to be in scope for privacy rights requests.
Relative to structured data, the processing of unstructured data for privacy rights requests can be more challenging for a variety of reasons:
- Difficult to Search/Analyze: Tools for searching and analyzing structured data have existed for many years and are quite mature. Corollary tools for unstructured data are still developing and are typically expensive. As a result, many organizations do not use them on a regular basis. File scanning and modern data analysis tools are rapidly evolving, and costs are coming down. Companies should continue to monitor and assess options in the future.
- High Volume: Although structured data is typically the most critical to an organization, from a volume perspective, most organizations maintain much more unstructured data than structured. Unstructured data is estimated to comprise 80 percent or more of enterprise data already and is continuing to grow rapidly. As such, it is even more important to understand where personal information resides within unstructured repositories so that it can be handled properly when complying with emerging privacy laws. It is also important to minimize the unstructured data your company maintains, especially if it is likely to contain personal information. It is common for large volumes of unstructured data to be stored for years. Organizations can reduce their risk by identifying and eliminating data which is of low value.
- Deletion Versus Redaction: Deleting structured personal information in response to a deletion request is generally simple since individual data elements are well structured and easy to identify/search. Deleting unstructured personal information can be much more difficult. For example, a Microsoft Word document might contain a person’s name, email address and social security number but also may contain other important information that the company wants to maintain. As a result, an organization may not be able to simply delete the document if it contains other critical information. Instead, an organization would consider redacting the personal information from the document and leaving everything else intact. An even more complex example might be a video in which identifiable people appear. If an organization can’t or doesn’t want to delete the entire video, it may instead determine it is feasible to edit sections of the video to remove the imagery of a certain person. Organizations must consider different ways for handling the “deletion” of unstructured data.
 “California Consumer Privacy Act of 2018.” SB-1121 California Consumer Privacy Act of 2018., https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB1121.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.