Compliant “Do Not Sell My Personal Information” Page

Ali Talip Pınarbaşı, CIPP/E, & LLM

October 14, 2022

The California Consumer Protection Act (CCPA) is a data privacy regulation that guarantees greater data privacy to consumers by allowing them more power over the sale of their personal information.

One of its requirements is to have a “Do Not Sell My Personal Information” page — a mechanism consumers can use to opt out of the selling or sharing of their personal information by businesses. It’s also referred to as a “Do Not Sell My Data” page.

In this guide, we’ll explain the requirements of a “Do Not Sell My Personal Information” page, when to use one, and where to place the page on your website.

Table of Contents
  1. Brief Overview of the CCPA
  2. The CCPA “Do Not Sell” Rule Explained
  3. What if You Don’t Sell Personal Information?
  4. Examples of “Do Not Sell My Personal Information” Compliance
  5. How to Create a “Do Not Sell My Personal Information” Page
  6. What to Include in Your “Do Not Sell My Personal Information” Page
  7. Where to Display Your “Do Not Sell My Personal Information” Page
  8. Summary

Brief Overview of the CCPA

The CCPA was enacted in January 2020 and regulates the following:

  • The methods companies can use to collect, process, store, and sell Californian residents’ personal information and data.
  • The rights California residents can exercise to protect their personal information.
  • The consequences for companies violating the provisions of the CCPA.

What are CCPA rights?

The CCPA allows greater transparency in the data collection of California residents. It gives consumers more control over what happens to their personal information by conferring to them the following rights:

Right To Know

This is a consumer’s right to request that you disclose the following information:

  • Categories and specific pieces of personal information that you collect
  • Purposes of the collection of that personal information
  • Categories of third parties with whom you share the personal information
  • Categories of the personal information that you share with third parties

Right To Delete

The right of consumers to request that you delete the personal information you collected about them.

Right to Opt-out

This right allows consumers to request that you not sell their personal information — i.e., provide a “Do Not Sell My Personal Information” page. Subject to exceptions, if you receive this request from a consumer, the CCPA mandates you wait at least 12 months before requesting the consumer to opt in again.

Children and Personal Information

The CCPA has special requirements for the privacy of children. You must follow these rules if and when you sell the personal information of children:

  • Children under 13 years old: If a child falls in this age group, you can’t sell their personal information unless their parent or guardian authorizes it, or opts into the selling of the information.
  • Children between 13 and 16 years old: If a child falls in this age group, you must get affirmative authorization to sell their personal information, but this authorization can come from the child.

Right to Non-discrimination

The right to non-discrimination means that you can’t deny a consumer a good or service, offer a different price, or provide them a different quality of goods or service if they exercise their rights under the CCPA.

Do you need to comply with the CCPA?

A company — no matter where it is in the world — must comply with the CCPA if it meets the following criteria:

  • Operates for profit;
  • Collects personal information of its customers;
  • Determines the purpose and means of processing the data;
  • Services California residents AND meets one of the following:
    • Annual gross revenue exceeds $25 million;
    • Buys, receives, sells, or shares, for commercial purposes, the personal information of 50,000 or more consumers, households, or devices, OR
    • Derives more than 50% of its annual revenue from selling its consumers’ personal information.

Non-profit organizations and government agencies are exempt from the CCPA.

The CCPA “Do Not Sell” Rule Explained

Collecting and selling your consumers’ personal information may be essential to certain businesses’ operations. However, there are rules that they must follow if they’re required to comply with the CCPA.

What is the “Do Not Sell” rule?

One of the rights conferred to consumers under the CCPA is the right to opt out of the sale of their personal information. If they exercise this right, you must comply and cease the sale of their personal information.

If you refuse, you will have to face harsh sanctions from the California Attorney General, potentially resulting in serious fines and penalties.

The CCPA mandates that you must provide a way for consumers to exercise this right by having a “Do Not Sell My Personal Information” page.

What is personal information?

Before discussing the requirements of the “Do Not Sell” rule, let’s look at what the CCPA considers personal information.

Personal information is defined as information that can identify, relate to, describe, associate with, or be linked directly or indirectly with a consumer or household and includes the following:

  1. Identifiers
  2. Any categories of personal information described in subdivision (e) of Section 1798.80
  3. Characteristics of protected classifications under California or federal law
  4. Commercial information (like purchase history)
  5. Biometric information
  6. Internet or other electronic network activity information
  7. Geolocation data
  8. Audio, electronic, visual, thermal, olfactory, or similar information
  9. Professional or employment-related information
  10. Education information that is not publicly available
  11. Inferences from any of the information identified in this subdivision to create a profile about a consumer

Personal information does not include publicly available information, such as federal, state, or local government records.

Requirements of the “Do Not Sell” Rule

Here’s what you need to know about the “Do Not Sell” rule and how to comply with it:

  1. Accessibility and Understanding: The link to your “Do Not Sell My Personal Information” page must be “clear and conspicuous” and “reasonably accessible” to all of your consumers.
  2. Location: You must provide access to opt-out on the homepage, on your CCPA-compliant privacy policy page and on any page that collects personal information.
  3. Two methods: You must provide individuals with two methods to submit “do not sell my personal information” requests, and one of these methods must be an interactive web form accessible through the “do not sell” page. The other method could be a toll-free number, a designated email address, or another method.
  4. Account: Consumers don’t need to make an account to exercise their right to opt out of the sale of their personal information.
  5. Refrain: You must respect a consumer’s decision to opt out of the sale of their personal information for at least 12 months. After that period, you can reach out to them and ask them to opt in.
  6. Training: You must provide training to personnel responsible for processing these requests. They must know the provisions of the CCPA and how to navigate your company’s policy.
  7. You cannot ask for proof of ID: Businesses cannot ask to verify the identity of individuals who submit the do not sell request.

What if You Don’t Sell Personal Information?

The “Do Not Sell” rule only applies to companies that sell personal information.

The CCPA defines “selling” as:

selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

If you don’t do any of these activities, then you’re not selling the personal information of your customers and don’t need a “Do Not Sell My Personal Information” page.

However, you may still want to let users know that you are not selling their info, as highlighted in some of the examples below.

Examples of “Do Not Sell My Personal Information” Compliance

Here are some examples of how companies comply with the CCPA’s “Do Not Sell” rule:

Rite Aid’s “Do Not Sell My Personal Information” Form

[Screenshot: Rite Aid’s “Do Not Sell My Personal Information” page]

In this example, you can see that Rite Aid explains how its users can opt out of the selling of their personal information and that the opt-out form must be filled out for every browser and device.

For example, if a user surfs the Rite Aid website using the Google browser on their cell phone and the Bing browser on their laptop, they would need to fill out two forms.

If your website operates similarly, make sure you inform your users so they can opt out of all their devices and browsers if they desire to do so.

Yahoo’s “Do Not Sell My Personal Information” Explanation

[Screenshot: Yahoo’s “Do Not Sell My Personal Information” explanation]

Yahoo explains that it does not sell its users’ personal information, but it acknowledges that some of its sharing may constitute a “sale” under the CCPA.

Make sure that you investigate the ways in which you use your users’ personal information. Even if you do not sell your users’ personal information in the traditional sense of the word, your methods may still qualify as a “sale” under the CCPA’s definition.

Chase’s “Sale of Personal Information” Section

[Screenshot: Chase’s “Sale of Personal Information” section]

Chase states that it does not offer a way to opt out because it does not sell personal information in exchange for compensation.

Even if you do not “sell” personal information as defined by the CCPA, you should inform users of their rights and explain that you do not sell your consumers’ personal information. Additionally, clarify if you share it, and if so, for what reason.

Spotify’s “Sale of Personal Information” Section

[Screenshot: Spotify’s “Sale of Personal Information” section]

Like Chase, Spotify clarifies that it does not sell personal information. However, it explains its use of the data for targeted advertising and lets consumers opt out of that.

How to Create a “Do Not Sell My Personal Information” Page

Here are three examples of how you can create a “Do Not Sell My Personal Information” page for your website.

Managed Solution (Termly)

Create a privacy policy using our privacy policy generator — you’ll need to specify that you want to be CCPA compliant. Then, the generator will help you create your “Do Not Sell My Personal Information” page automatically.

Template

You can also build your “Do Not Sell My Personal Information” page by following a template and filling in the relevant information tailored specifically to your company.

DIY

You can always build your “Do Not Sell My Personal Information” page manually. However, if you do, be sure to include all the relevant sections to avoid any penalties.

What to Include in Your “Do Not Sell My Personal Information” Page

If you determine that you need a “Do Not Sell My Personal Information” page, here is an outline of what you need to include in it.

Right to Opt Out

You should explain the CCPA’s right to opt out of the sale of personal information. That way the consumer can make an informed decision about whether they want to exercise their right.

You can give consumers the option to choose which types of personal information are sold. For example, they might not mind their past transaction history being sold, but they may not want their location and biometric data to be sold.

Providing options allows consumers to have control of their personal information, but also provides the opportunity to permit some personal information to be sold, which is useful in your business operations.

How to Opt Out

You must explain how consumers can exercise their right to opt out of the sale of their personal information.

The CCPA requires you to have a web form where individuals can submit their opt-out request. In addition to this method, you must provide a second way for individuals to submit their request.

This second method could be email, a toll-free number or a global privacy control. Have consumers fill out a form on your website so they can opt out of the sale.

Here is an example of a “Do Not Sell My Personal Information” form from AT&T:

[Screenshot: AT&T’s “Do Not Sell My Info” form]

Where to Display Your “Do Not Sell My Personal Information” Page

Remember, the CCPA mandates that the “Do Not Sell My Personal Information” page link be displayed in specific parts of your website:

  • On the homepage of your website
  • On any page that collects personal information
  • On your privacy policy page
  • On the download page of your application or on your application’s platform page

The link must be “clear and conspicuous” and easy for the consumers to find.

Website Footer

Users are used to finding a company’s information and legal pages inside the footer, so placing a link to your “Do Not Sell My Information” page there is a safe bet.

Cookie Consent Notice

Another place to include the “Do Not Sell My Personal Information” link is on the cookie banner that pops up when consumers first visit your website. However, since this banner only appears the first time the consumer visits your website, be sure to have the “Do Not Sell My Personal Information” link in other parts of your website.

Within Your Privacy Policy

The third location for your “Do Not Sell My Personal Information” link is in your privacy policy. Users will tend to go there for any of their privacy concerns, so, like the website footer, your privacy policy is an appropriate location.

Summary

Under the CCPA, California residents now have more control over their personal information and how businesses can collect and handle it.

The “Do Not Sell My Personal Information” page is the mechanism by which consumers can exercise their right to opt out of the sale of their personal information.

This page needs to be clear, conspicuous, and easy for your consumers to find, so having it in more than one location is ideal.

Be sure that the personnel handling the requests are competently trained to fulfill these requests and comply with the CCPA requirements.


Ali is a London-based Data Privacy Law Consultant with a Master of Laws Degree in EU Privacy law at King's College London. He has three years of experience in advising businesses on how to comply with data protection laws.
