A requirement of the California Consumer Protection Act (CCPA) is to provide consumers with a “Do Not Sell or Share My Personal Information” link so they can opt out of the selling or sharing of their data, sometimes referred to as a “Do Not Sell My Data” page.
Below, I explain the requirements of a “Do Not Sell or Share My Personal Information” page, when to use one, and where to place it on your website.
- The CCPA "Do Not Sell or Share" Rule Explained
- What if You Don’t Sell or Share Personal Information?
- Examples of “Do Not Sell or Share My Personal Information" Compliance
- How To Create a “Do Not Sell or Share My Personal Information" Page
- What To Include in Your “Do Not Sell or Share My Personal Information" Page
- Where To Display Your “Do Not Sell or Share My Personal Information" Page
- Brief Overview of the CCPA and CPRA
- Summary
The CCPA “Do Not Sell or Share” Rule Explained
To lawfully collect and sell your consumers’ personal information under the CCPA, you must follow certain rules.
What Is the “Do Not Sell or Share” Rule?
Under the CCPA, the ‘do not sell or share rule‘ refers to your users’ right to opt out of the selling or sharing of their personal information.
You must provide your users with one or more ways to follow through on this right, and the text of the CCPA recommends adding a ‘Do Not Sell or Share My Personal Information’ link to the footer of your website.
If you don’t follow this guideline you could face harsh sanctions from the California Attorney General, resulting in serious fines and penalties.
What Is Personal Information?
Next let’s look at what the CCPA considers personal information.
Personal information is defined as information that can identify, relate to, describe, associate with, or be linked directly or indirectly with a consumer or household and includes the following:
- Identifiers
- Any categories of personal information described in subdivision (e) of Section 1798.80
- Characteristics of protected classifications under California or federal law
- Commercial information (like purchase history)
- Biometric information
- Internet or other electronic network activity information
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information that is not publicly available
- Inferences from any of the information identified in this subdivision to create a profile about a consumer
- Sensitive personal information
Personal information does not include:
- De-identified or aggregate information
- Publicly available information, such as federal, state, or local government records
Requirements of the “Do Not Sell or Share” Rule
Here’s what you need to know about the “Do Not Sell or Share” rule and how to comply with it:
- Accessibility and Understanding: The link to your “Do Not Sell or Share My Personal Information” page must be “clear and conspicuous” and “reasonably accessible” to all of your consumers.
- Location: Provide access to opt-out on the homepage, on your CCPA-compliant privacy policy page, and on any page that collects personal information.
- Two methods: You must provide individuals with two methods to submit “do not sell or share my personal information” requests and one of these methods must be via an interactive web form accessible through the “do not sell” page. Other method could be a toll-free number, designated email or other methods.
- Account: Consumers don’t need to make an account to exercise their right to opt out of the sale of their personal information.
- Refrain: You must respect a consumer’s decision to opt out of the sale of their personal information for at least 12 months. After that period, you can reach out to them and ask them to opt in.
- Training: You must provide training to personnel responsible for processing these requests. They must know the provisions of the CCPA and how to navigate your company’s policy.
- You cannot ask for proof of ID: Businesses cannot ask to verify the identity of individuals who submit the do not sell request.
What if You Don’t Sell or Share Personal Information?
The “Do Not Sell or Share” rule only applies to companies that sell or share personal information.
The CCPA defines selling as:
… selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.
It defines sharing as:
… sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.
If you don’t do any of these activities, then you’re not selling or sharing the personal information of your customers and don’t need a “Do Not Sell or Share My Personal Information” page.
However, you may still want to let users know that you are not selling their info, as highlighted in some of the examples below.
Examples of “Do Not Sell or Share My Personal Information” Compliance
Below are examples of how companies comply with the CCPA’s “Do Not Sell or Share” rule:
T Mobile’s “Do Not Sell or Share My Personal Information” Form
T Mobile has a good example of a “Do Not Sell or Share MY Personal Information” form that is linked to the footer of their website.
As shown below, the link takes you to a page that clearly describes users’ rights over their information, including their right to opt out of the selling or sharing of their data.
Users can toggle a button to opt out of the data processing and control their privacy preferences across other T Mobile accounts as well.
When making one of these pages for your site, try to be as thorough as T Mobile so it’s very easy for your California users to understand what steps they need to take to adequately follow through on their privacy rights.
How To Create a “Do Not Sell or Share My Personal Information” Page
Here are three examples of how you can create a “Do Not Sell or Share My Personal Information” page for your website.
Managed Solution (Termly)
Create a privacy policy using our privacy policy generator — you’ll need to specify that you want to be CCPA compliant.
The generator creates your “Do Not Sell or Share My Personal Information” page automatically.
Template
You can also build your “Do Not Sell or Share My Personal Information” page by following a template and filling in the relevant information tailored specifically to your company.
DIY
You can always build your “Do Not Sell or Share My Personal Information” page manually.
However, if you do, be sure to include all the relevant sections to avoid any penalties.
What To Include in Your “Do Not Sell or Share My Personal Information” Page
If you determine that you need a “Do Not Sell or Share My Personal Information” page, here is an outline of what you need to include in it.
Right To Opt Out
You should explain the CCPA’s right to opt out of the sale or sharing of personal information so the consumer can make an informed decision about whether they want to exercise their right.
Give consumers the option to choose which types of personal information are sold or shared.
For example, they might not mind their past transaction history being sold, but don’t want their location and biometric data being sold.
Providing options lets consumers control which personal information they allow you to share and sell on a granular level, which is useful in your business operations.
How To Opt Out
You must explain how consumers can exercise their right to opt out of the sale or sharing of their personal information.
The CCPA requires you to have a web form for users to submit their opt-out requests.
You must then provide a second way for individuals to submit their requests, which could be:
- An email
- A toll-free number
- A global privacy control
Where To Display Your “Do Not Sell or Share My Personal Information” Page
Remember, the CCPA mandates that the “Do Not Sell or Share My Personal Information” page link be displayed in specific parts of your website:
- On the homepage of its website
- On any page that collects personal information
- On your privacy policy page
- On the download page of its application or its application’s platform page
The link must be “clear and conspicuous” and easy for the consumers to find.
Website Footer
Users are used to finding a company’s information and legal pages inside the footer, so placing a link to your “Do Not Sell or Share My Information” page there is a safe bet.
Cookie Consent Notice
Another place to include the “Do Not Sell or Share My Personal Information” link is on the cookie banner that pops up when consumers first visit your website.
However, since this page only appears the first time the consumer visits your website, be sure to have the “Do Not Sell or Share My Personal Information” link in other parts of your website.
Within Your Privacy Policy
You should also put your “Do Not Sell or Share My Personal Information” link in your privacy policy, as users tend to go there for any of their privacy concerns.
Like the website footer, your privacy policy is an appropriate location.
Brief Overview of the CCPA and CPRA
The CCPA was enacted in January 2020 and regulates the following:
- The methods companies can use to collect, process, store, and sell Californian residents’ personal information and data.
- The rights California residents can exercise to protect their personal information.
- The consequences for companies violating the provisions of the CCPA.
It was amended in January 2023 by the California Privacy Rights Act (CPRA), which introduced:
- A new legal threshold.
- The concept of sharing personal data.
- The addition of the category of sensitive personal data.
- New consumer rights.
- Slight changes to business requirements.
Both are in full effect, and the amended law is still called the CCPA.
What Are CCPA Rights?
The CCPA provides greater transparency in the collection of California residents’ data and gives them more control over what happens to their information by granting them the following rights.
Right To Know
It’s a consumer’s right to request that you disclose the following information:
- Categories and specific pieces of personal information that you collect
- Purposes of the collection of that personal information
- Categories of third parties with whom you share the personal information
- Categories of the personal information that you share with third parties
Right To Delete
Consumers have the right to request that you delete the personal information you collected about them.
Right to Opt-out
The CCPA opt-out rights allow consumers to:
- Request that you not sell or share their personal information — i.e., provide a “Do Not Sell My Personal Information” page.
- Request that you do not collect their sensitive personal data
- Opt out of automated decision-making and profiling
Subject to exceptions, if you receive an opt-out request from a consumer, the CCPA mandates you wait at least 12 months before requesting the consumer to opt in again.
Children and Personal Information
The CCPA has special requirements for the privacy of children that you must follow if and when you sell the personal information of children:
- Children under 16 years old: If a child falls in this age group, you can’t sell or share their personal information unless their parent or guardian authorizes it by opting into the selling of the information.
- Children between 13 and 16 years old: If a child falls in this age group, you must get affirmative authorization to sell or share their personal information, but this authorization can come from the child.
Right to Non-Discrimination
You can’t deny a consumer a good or service, offer a different price, or provide a different quality of good or service if they exercise their rights under the CCPA.
Do You Need to Comply With the CCPA?
A company — no matter where it is in the world — must comply with the CCPA if it meets the following criteria:
- Operates for profit;
- Collects personal information of its customers;
- Determines the purpose and means of processing the data;
- Services California residents AND meets one of the following:
- Annual gross revenue exceeds $25 million;
- Buys, receives, sells, or shares, for commercial purposes, the personal information of 100,000 or more consumers, households, or devices, OR
- Derives more than 50% of its annual revenue from selling or sharing its consumers’ personal information.
Non-profit organizations and government agencies are exempt from the CCPA.
Summary
Under the CCPA, California residents now have more control over their personal information and how businesses can collect and handle it.
The “Do Not Sell or Share My Personal Information” page is the mechanism for which consumers can exercise their right to opt out of the sale or sharing of their personal information.
It must be clear, conspicuous, easy for your consumers to find, and ;inked in more than one location.
Be sure that the personnel handling the requests are competently trained to fulfill these requests and comply with the CCPA requirements.
More about the author
Written by Ali Talip Pınarbaşı, CIPP/E, & LLM
Ali is a London-based Data Privacy Law Solicitor with a Master of Laws Degree in EU Privacy law at King's College London. He has six years of experience in advising businesses on how to comply with data protection laws. More about the author
