Compliant “Do Not Sell or Share My Personal Information” Page

The California Consumer Protection Act (CCPA) is a data privacy regulation that gives greater privacy to consumers by allowing them more power over the sale of their personal information.

One of its requirements is to have a “Do Not Sell or Share My Personal Information” link — a mechanism consumers can use to opt out of the selling or sharing of their personal information by businesses, also referred to as a “Do Not Sell My Data” page.

In this guide, we’ll explain the requirements of a “Do Not Sell or Share My Personal Information” page, when to use one, and where to place the page on your website.

Brief Overview of the CCPA and CPRA

The CCPA was enacted in January 2020 and regulates the following:

• The methods companies can use to collect, process, store, and sell Californian residents’ personal information and data.
• The rights California residents can exercise to protect their personal information.
• The consequences for companies violating the provisions of the CCPA.

It was amended in January 2023 by the California Privacy Rights Act (CPRA), which introduced:

• A new legal threshold.
• The concept of sharing personal data.
• The addition of the category of sensitive personal data.
• New consumer rights.
• Slight changes to business requirements.

Both are in full effect, and the amended law is still called the CCPA.

What Are CCPA Rights?

The CCPA provides greater transparency in the collection of California residents’ data and gives them more control over what happens to their information by granting them the following rights.

Right To Know

It’s a consumer’s right to request that you disclose the following information:

• Categories and specific pieces of personal information that you collect
• Purposes of the collection of that personal information
• Categories of third parties with whom you share the personal information
• Categories of the personal information that you share with third parties

Right To Delete

Consumers have the right to request that you delete the personal information you collected about them.

Right to Opt-out

The CCPA opt-out rights allow consumers to:

• Request that you not sell or share their personal information — i.e., provide a “Do Not Sell My Personal Information” page.
• Request that you do not collect their sensitive personal data
• Opt out of automated decision-making and profiling

Subject to exceptions, if you receive an opt-out request from a consumer, the CCPA mandates you wait at least 12 months before requesting the consumer to opt in again.

Children and Personal Information

The CCPA has special requirements for the privacy of children that you must follow if and when you sell the personal information of children:

• Children under 16 years old: If a child falls in this age group, you can’t sell or share their personal information unless their parent or guardian authorizes it by opting into the selling of the information.
• Children between 13 and 16 years old: If a child falls in this age group, you must get affirmative authorization to sell or share their personal information, but this authorization can come from the child.

Right to Non-Discrimination

You can’t deny a consumer a good or service, offer a different price, or provide a different quality of good or service if they exercise their rights under the CCPA.

Do You Need to Comply With the CCPA?

A company — no matter where it is in the world — must comply with the CCPA if it meets the following criteria:

• Operates for profit;
• Collects personal information of its customers;
• Determines the purpose and means of processing the data;
• Services California residents AND meets one of the following:
  • Annual gross revenue exceeds $25 million;
  • Buys, receives, sells, or shares, for commercial purposes, the personal information of 100,000 or more consumers, households, or  devices, OR
  • Derives more than 50% of its annual revenue from selling or sharing its consumers’ personal information.

Non-profit organizations and government agencies are exempt from the CCPA.

The CCPA “Do Not Sell or Share” Rule Explained

Collecting and selling your consumers’ personal information may be essential to certain businesses’ operations, but there are rules you must follow to comply with the CCPA.

What Is the “Do Not Sell or Share” Rule?

One of the rights conferred to consumers under the CCPA that you must comply with is the right to opt out of the sale or sharing of their personal information.

If you refuse, you face harsh sanctions from the California Attorney General, potentially resulting in serious fines and penalties.

The CCPA mandates that you provide a way for consumers to exercise this right by having a “Do Not Sell or Share My Personal Information” link.

What Is Personal Information?

Before discussing the requirements of the “Do Not Sell or Share” rule, let’s look at what the CCPA considers personal information.

Personal information is defined as information that can identify, relate to, describe, associate with, or be linked directly or indirectly with a consumer or household and includes the following:

1. Identifiers
2. Any categories of personal information described in subdivision (e) of Section 1798.80
3. Characteristics of protected classifications under California or federal law
4. Commercial information (like purchase history)
5. Biometric information
6. Internet or other electronic network activity information
7. Geolocation data
8. Audio, electronic, visual, thermal, olfactory, or similar information
9. Professional or employment-related information
10. Education information that is not publicly available
11. Inferences from any of the information identified in this subdivision to create a profile about a consumer
12. Sensitive personal information

Personal information does not include:

• De-identified or aggregate information
• Publicly available information, such as federal, state, or local government records

Requirements of the “Do Not Sell or Share” Rule

Here’s what you need to know about the “Do Not Sell or Share” rule and how to comply with it:

What if You Don’t Sell or Share Personal Information?

The “Do Not Sell or Share” rule only applies to companies that sell or share personal information.

The CCPA defines “selling” as:

… selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.

It defines “sharing” as:

… sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.

If you don’t do any of these activities, then you’re not selling or sharing the personal information of your customers and don’t need a “Do Not Sell or Share My Personal Information” page.

However, you may still want to let users know that you are not selling their info, as highlighted in some of the examples below.

Examples of “Do Not Sell or Share My Personal Information” Compliance

Below are examples of how companies comply with the CCPA’s “Do Not Sell or Share” rule:

Rite Aid’s “Do Not Sell or Share My Personal Information” Form

Rite Aid links to their “Do Not Sell or Share My Personal Information” form in the footer of their site. When clicked on, it clearly explains how users can opt out of different processing activities.

See an example of a portion of their form in the screenshot below.

Yahoo’s “Do Not Sell or Share My Personal Information” Explanation

In a section of its privacy policy outlining California privacy rights, Yahoo explains that it sells technical identifiers to provide content, ads, and relevant services.

It lets users easily toggle between Allow and Don’t Allow, as shown in the screenshot below.

Spotify’s “Sale or Share of Personal Information” Section

Spotify describes how California consumers can opt out of the selling or sharing of their personal data or targeted advertising in their supplemental U.S. privacy policy, shown in the screenshot below.

It’s important to be just as clear and concise in your own privacy policy so users know how to follow through on their rights.

How To Create a “Do Not Sell or Share My Personal Information” Page

Here are three examples of how you can create a “Do Not Sell or Share My Personal Information” page for your website.

Managed Solution (Termly)

Create a privacy policy using our privacy policy generator — you’ll need to specify that you want to be CCPA compliant.

The generator creates your “Do Not Sell or Share My Personal Information” page automatically.

Template

You can also build your “Do Not Sell or Share My Personal Information” page by following a template and filling in the relevant information tailored specifically to your company.

DIY

You can always build your “Do Not Sell or Share My Personal Information” page manually.

However, if you do, be sure to include all the relevant sections to avoid any penalties.

What To Include in Your “Do Not Sell or Share My Personal Information” Page

If you determine that you need a “Do Not Sell or Share My Personal Information” page, here is an outline of what you need to include in it.

Right To Opt Out

You should explain the CCPA’s right to opt out of the sale or sharing of personal information so the consumer can make an informed decision about whether they want to exercise their right.

Give consumers the option to choose which types of personal information are sold or shared.

For example, they might not mind their past transaction history being sold, but don’t want their location and biometric data being sold.

Providing options lets consumers control which personal information they allow you to share and sell on a granular level, which is useful in your business operations.

How To Opt Out

You must explain how consumers can exercise their right to opt out of the sale or sharing of their personal information.

The CCPA requires you to have a web form for users to submit their opt-out requests.

You must then provide a second way for individuals to submit their requests, which could be:

• An email
• A toll-free number
• A global privacy control

See an example of a “Do Not Sell or Share My Personal Information” form from AT&T in the screenshot below.

Where To Display Your “Do Not Sell or Share My Personal Information” Page

Remember, the CCPA mandates that the “Do Not Sell or Share My Personal Information” page link be displayed in specific parts of your website:

• On the homepage of its website
• On any page that collects personal information
• On your privacy policy page
• On the download page of its application or its application’s platform page

The link must be “clear and conspicuous” and easy for the consumers to find.

Website Footer

Users are used to finding a company’s information and legal pages inside the footer, so placing a link to your “Do Not Sell or Share My Information” page there is a safe bet.

Cookie Consent Notice

Another place to include the “Do Not Sell or Share My Personal Information” link is on the cookie banner that pops up when consumers first visit your website.

However, since this page only appears the first time the consumer visits your website, be sure to have the “Do Not Sell or Share My Personal Information” link in other parts of your website.

Within Your Privacy Policy

You should also put your “Do Not Sell or Share My Personal Information” link in your privacy policy, as users tend to go there for any of their privacy concerns.

Like the website footer, your privacy policy is an appropriate location.

Summary

Under the CCPA, California residents now have more control over their personal information and how businesses can collect and handle it.

The “Do Not Sell or Share My Personal Information” page is the mechanism for which consumers can exercise their right to opt out of the sale or sharing of their personal information and must be:

• Clear
• Conspicuous
• Easy for your consumers to find
• Linked in more than one location

Be sure that the personnel handling the requests are competently trained to fulfill these requests and comply with the CCPA requirements.

More about the author

Written by Ali Talip Pınarbaşı, CIPP/E, & LLM

Ali is a London-based Data Privacy Law Consultant with a Master of Laws Degree in EU Privacy law at King's College London. He has three years of experience in advising businesses on how to comply data protection laws. More about the author