If your business is subject to comply with the California Consumer Privacy Act (CCPA), you need to add a Do Not Sell My Personal Information button and page to your website.
A Do Not Sell My Personal Information (DNSMPI) page allows consumers to opt out of the sale of personal information collected about them by your business. Under the CCPA, “sale” is defined as the sharing of consumers’ personal information in exchange for compensation.
To comply with the CCPA, you need to provide a Do Not Sell link on your homepage and within your privacy policy. This link should direct consumers to your Do Not Sell page. Once you’ve verified a consumer’s Do Not Sell request, you need to remove that consumer’s personal information from all selling activities.
Learn more about the CCPA Do Not Sell My Personal Information rule, how to create your DNSMPI page, and where to display it.
What Is the CCPA Do Not Sell Rule?
The CCPA Do Not Sell Rule states that a business must:
- Have a page that allows consumers to opt out of the sale of their personal information (i.e., a Do Not Sell My Personal Information page).
- Provide a link or button titled “Do Not Sell My Personal Information” on the business’s website homepage that directs consumers to the DNSMPI page.
- Link to the Do Not Sell My Personal Information page in their privacy policy, along with a description of California consumer rights.
- Immediately cease the sale of the requesting consumer’s personal information upon verification of a Do Not Sell request.
- Wait at least 12 months before requesting that a consumer opt back in to the sale of their personal information.
The official CCPA text further states that the appropriate links and pages can be made available to California consumers only. For example, you can have a dedicated homepage for California consumers, on which you provide a Do Not Sell My Personal Information link.
However, this is only lawful if:
the business takes reasonable steps to ensure that California consumers are directed to the homepage for California consumers
In other words, you need to ensure that your California consumers have access to your Do Not Sell My Personal Information button and page.
Creating Your Do Not Sell My Personal Information Page
To create a Do Not Sell My Personal Information page, you can:
- Use Termly’s privacy policy generator to create a free privacy policy and accompanying forms. In the builder, select “Yes, I wish to be CCPA-compliant.”
- Use an online form building service to create and host your Do Not Sell page.
- Create a new page or form in the backend of your site.
If you’re creating your own CCPA Do Not Sell page, read on for details about what information you need to include.
What to Include in Your Do Not Sell Page
If you’re writing your own Do Not Sell My Personal Information page, you need to include the following two items:
1. Consumer Contact Information
Your DNSMPI form must have fillable fields where the consumer can add their contact details, such as their name and email address.
You need the consumer’s name so you can remove them from selling lists, and you need a method of contacting them in case you need to verify the Do Not Sell request.
Many businesses include a state selection menu on the form to confirm that the consumer making the request is a California resident.
Here’s an example from AT&T’s Do Not Sell My Personal Information page:
2. Action Request
Next on your form, you need a button, selection menu, or checkbox that allows the consumer to verify that they’d like to opt out of the sale of their personal information.
Along with the right to opt out of data sale, consumers are given the right to request access to or deletion of their personal information under the CCPA. You can allow consumers to act on all of these rights via your DNSMPI page.
Check out how Coca Cola’s request form asks the consumer to specify what type of request they’re making:
How to Display Your Do Not Sell Page
To display your Do Not Sell My Personal Information page, link to it from your homepage and your privacy policy.
The Do Not Sell button on your homepage needs to read:
Do Not Sell My Personal Information
Here’s how Coca Cola displays their Do Not Sell My Personal Information link in their homepage footer:
Within your privacy policy, your Do Not Sell button or link should be included in a section that details California consumer rights. It doesn’t need to be labeled “Do Not Sell My Personal Information,” but it needs to go to the same page as your homepage link.
Here’s an example of how US News’s privacy policy links to the request page from a section detailing CCPA privacy rights:
There are three types of privacy policies from which you can link your Do Not Sell My Personal Information page:
- Standard Privacy Policy: You can use a single privacy policy for all users (both California consumers and otherwise). You need to include a section dedicated to California consumer rights, and link your Do Not Sell page from that section.
- CCPA Privacy Policy: You may choose to have a unique privacy policy for your California consumers, which focuses on CCPA rights and actions.
- California Privacy Policy: You’re likely subject to comply with other California privacy laws if the CCPA applies to you. You may choose to create a single policy for your California consumers that details their various rights under state law.
Do Not Sell My Personal Information Page Example
Do Not Sell My Personal Information pages vary from business to business. Let’s check out an example of Hulu’s Do Not Sell page.
After a consumer clicks the Do Not Sell link, they’re taken to this page, which explains the CCPA opt out rights and gives instructions for opting out of sale:
Notice how Hulu asks consumers to make their request directly from their accounts. This eliminates the need to collect contact information, and simplifies the process of verifying a user request.
Upon following the instructions to go to Privacy and Settings > California Privacy Rights > Right to Opt Out, a consumer will get the following page where they can indicate which right they’re acting on:
After clicking Change Status under the Right to Opt Out, a consumer will finally confirm their Do Not Sell request with this page:
Hulu is an example of an extensive Do Not Sell page and process. While they make the consumer go through multiple steps, they save time and effort verifying requests, as the consumer changes their settings directly in their account.
Do Not Sell My Personal Information Button Examples
Do Not Sell My Personal Information buttons (or links) appear on businesses’ website homepages. Here are a few examples of how these buttons look:
Here’s how the LA Times displays their Do Not Sell link in their homepage footer, next to their policy links and copyright notice:
The Walt Disney Company takes a similar approach, placing their Do Not Sell button alongside their policies and terms:
Lastly, the Guardian displays a Do Not Sell My Personal Information button in a popup that appears upon entering the site:
Once the popup is dismissed, a Do Not Sell link can also be found in their website footer.
Next Steps
If your business is subject to comply with the CCPA, create a Do Not Sell My Personal Information page now to avoid fines.
If using Termly to create your CCPA privacy policy and Do Not Sell page, follow these instructions:
- Create a privacy policy using Termly’s privacy policy generator.
- When answering questions in the builder, select Yes, I wish to be CCPA compliant:
- Finish answering questions about your business, then publish your privacy policy.
- Click Add to Website and select a method for adding your privacy policy to your site:
- Your new privacy policy will already have a Do Not Sell request link in it. Now, you need to add your Do Not Sell button to your homepage. Go to Cookies > CCPA “Do Not Sell” Link and copy the code snippet:
- Paste the code snippet into your website’s footer, and anywhere else on your website where you want a Do Not Sell My Personal Information button to appear.
