"Do Not Sell My Personal Information" Page

One of the most important aspects of the California Consumer Privacy Act (CCPA/CPRA) is consumers' "right to opt out" of the sale of their personal information.

To help consumers exercise the right to opt out, the CCPA (CPRA) requires businesses to create a "Do Not Sell My Personal Information" page. If you don't yet have a CCPA/CPRA-compliant "Do Not Sell" page, you may be in danger of receiving a fine from the California Attorney General.

This article will help you understand whether you need to comply with this part of the CCPA (CPRA), create a legally-compliant "Do Not Sell My Personal Information" page and display and link to your "Do Not Sell" page in accordance with the CCPA/CPRA's requirements.

The CCPA (CPRA) in Brief

Here's a very brief outline of the CCPA/CPRA's scope and requirements. We're going to keep this short, but you can skip ahead if you already know that your business is covered by the CCPA (CPRA).

Note that the CCPA was amended by the CPRA, with the amendments taking effect on January 1, 2023.

Who Has to Comply With the CCPA (CPRA)?

The CCPA (CPRA) applies to "businesses," meaning any company doing business in California that does one or more of the following things:

• Raises annual gross revenues of $25 million or more
• Buys, sells, receives for commercial purposes, or shares for commercial purposes, personal information from at least 100,000 California consumers, households, and/or their devices
• Raises at least half of its annual gross revenues from the sale or sharing of consumers' personal information

A business does not need to be based in California. Businesses all over the world must comply with the CCPA (CPRA).

What are the CCPA/CPRA's Requirements?

The CCPA (CPRA) has a number of requirements, including:

• Updating your Privacy Policy every 12 months to explain how you collect, use, share, and sell personal information
• Allowing consumers to access and delete the personal information you have collected about them
• Allowing consumers to opt out of the sale of their personal information

That last point is our focus in this article and is the purpose of a "Do Not Sell" page.

For more information about your obligations under the CCPA (CPRA), see our article on CCPA (CPRA) Compliance Requirements.

Do You Need a "Do Not Sell My Personal Information" Page?

Even if you're covered by the CCPA (CPRA), you don't necessarily have to create a "Do Not Sell" page.

If you already know that the CCPA/CPRA's opt-out rules apply to your business, you can skip ahead to learn how to create a "Do Not Sell" page.

What is "Selling" Personal Information?

When people think of "selling" something, they think of exchanging it for money. However, the CCPA (CPRA) defines the act of "selling" very broadly.

Here's how the CCPA (CPRA) defines "selling" personal information:

Taken literally, this definition encompasses any act of sharing personal information with any third party in exchange for anything of value.

The CCPA (CPRA) provides some exceptions. "Selling" personal information does not include sharing personal information:

• Under the consumer's instructions
• For business purposes with a service provider
• To inform a third party that the consumer has opted out
• As part of a merger or acquisition

The full scope of this definition is not yet clear. But bear in mind that "personal information" can include data such as cookies, IP addresses, and device IDs.

Therefore, many businesses are interpreting "selling personal information" as including relatively common business activities, such as running personalized ad campaigns that involve third-party cookies. This would require many businesses to create a "Do Not Sell" page.

What if You Do Not Sell Personal Information?

If your business does not sell personal information, the CCPA (CPRA) does not require you to create a "Do Not Sell" page as long as you disclose that you do not sell personal information in your Privacy Policy.

Your Privacy Policy relates to your past 12 months of business activity, so you must disclose whether you sold personal information in the past 12 months. If you sold personal information more than 12 months ago, you do not need to disclose this in your Privacy Policy.

Here's an example from the Privacy Policy of healthcare company LivaNova:

If you don't sell personal information or haven't in the preceding 12 month period, disclose this in your Privacy Policy and your requirements for the "Do Not Sell" page are over.

However, if you do sell personal information or have done so in the preceding 12 month period, your obligations continue and you must create a "Do Not Sell" page.

Creating Your "Do Not Sell My Personal Information" Page

A "Do Not Sell" page must contain:

• An explanation of the right to opt out
• An "interactive form" via which a consumer can exercise their right to opt out
• Instructions regarding any other opt out method(s) you provide

You can either provide this content on the page itself or, alternatively, provide a link to a section of your Privacy Policy that contains it.

Explanation of the Right to Opt Out

Your "Do Not Sell" page must include an explanation of the right to opt out.

The CCPA (CPRA) doesn't provide any prescribed form of explanation that businesses must use. However, your explanation of the right to opt out must be clear and concise.

Here's how The Walt Disney Company explains the right to opt out:

The Walt Disney Company's explanation is short, but the business links to its Privacy Policy where it describes the right to opt out in more detail.

Here's a longer explanation of the right to opt out, from the National Apartment Association:

The National Apartment Association gives a brief explanation of the right to opt out, some examples of personal information, and some information about exceptions to the right. This is a good way to put the right to opt out in context for consumers.

Opt-Out Web Form

Your "Do Not Sell" page should provide a web form that allows consumers to opt out, or else a link to a section of your Privacy Policy that contains this form. Simply providing an "opt-out email address" is not enough.

Your opt-out form should ask consumers to provide the basic personal information that you need in order to identify them or their devices. If possible, try not to request any "new" personal information that you have not already collected from a consumer.

When processing requests under the right to know and the right to delete, you must take specific steps to verify the consumer's identity. You should not do this when fulfilling a request under the right to opt out (unless you reasonably suspect fraudulent activity).

Here's an example of an opt out form from Stamps.com:

Stamps.com requests that consumers provide an account number. The CCPA (CPRA) states that businesses must not require consumers to create an account in order to exercise their right to opt out. However, this is an optional field in the form, so Stamps.com complies with the CCPA (CPRA) here.

Other Opt-Out Methods

The CCPA (CPRA) requires most businesses to provide at least two "designated methods for submitting a request" under each of the CCPA (CPRA) rights, including the right to opt out.

Your "Do Not Sell" page is one of your two designated methods for submitting a request under the right to opt out. Other designated methods might include:

• A toll-free telephone number
• An email address
• A form submitted in the mail
• A form submitted in person

You can choose which of these other options you provide consumers. Consider how you interact with consumers. For example, if you collect personal information through the mail, consider providing an opt-out form that consumers can submit through the mail.

Your "Do Not Sell" page should include details of any other opt-out methods you provide. Here's an example from Blu Jam Cafe:

Blu Jam Cafe goes beyond what the CCPA (CPRA) requires, providing three alternative methods via which consumers can submit a request to opt out. It's good to provide consumers with as much choice as reasonably possible.

Explanation of Your Business Practices (Optional)

Some businesses use their "Do Not Sell" page to explain their business practices.

This is not a requirement of the CCPA (CPRA). However, as we've seen, the CCPA (CPRA) defines "selling" quite broadly, and you may wish to put this into context for customer relations purposes.

Here's an example from AT&T:

AT&T shares personal information for marketing and other reasons. While these activities qualify as a "sale" under the CCPA (CPRA), some consumers may not object to AT&T "selling" their personal information in this way.

If You Do Not Sell Personal Information (Optional)

If you don't sell personal information, the CCPA (CPRA) doesn't require you to create a "Do Not Sell" page (as long as you disclose that you don't sell personal information in your Privacy Policy).

However, some businesses choose to create a "Do Not Sell" page to allow consumers to opt out of the future sale of personal information.

Here's an example from Blizzard:

Blizzard is very clear that it does not sell personal information. The business simply offers consumers the chance to opt out of any potential future sale of personal information.

Displaying Your "Do Not Sell My Personal Information" Page

Once you've created your "Do Not Sell" page, you need to make it accessible to consumers.

The CCPA (CPRA) states that your link must:

• Read as either "Do Not Sell My Personal Information" or "Do Not Sell My Info."
• Appear on the "homepage" of your website or the "landing or download page" of your mobile app.
• Be "clear and conspicuous." Use the same size font (or bigger) as the other text on your page, and use a color that contrasts with the background.

Let's take a look at how businesses are implementing these requirements.

On Your Homepage

Most businesses have a footer on their website's homepage that displays links to key legal documents, such as their Privacy Policy, Terms of Use, Cookie Policy, etc. A "Do Not Sell" page link can appear alongside these other links.

Here's what consumers will see when they scroll to the bottom of Coca-Cola's homepage:

Remember that you can use the phrase "Do Not Sell My Info" rather than "Do Not Sell My Personal Information" if you prefer. Here's an example from Local Measure:

Both of these businesses appear to comply with the CCPA/CPRA's requirements around giving notice of the right to opt out.

In Your Privacy Policy

The CCPA (CPRA) has many implications for your company's Privacy Policy. In fact, updating your Privacy Policy is one of the most important aspects of CCPA (CPRA) compliance.

Among (many) other things, your Privacy Policy should:

• Explain the right to opt out
• Explain how you sell personal information (or don't)
• Disclose which categories of personal information you have sold in the past 12 months
• Provide a link to your "Do Not Sell" page

Here's the relevant part of NBC Universal's Privacy Policy:

For more information on the CCPA/CPRA's Privacy Policy requirements, see our CCPA (CPRA) Privacy Policy Checklist article.

Opt-Out Button (Optional)

The CCPA (CPRA) provides an icon called the "opt-out button" which businesses can use alongside their "Do Not Sell My Personal Information" link.

Here's the relevant part:

It states that you can use the opt-out button by placing it to the left of your "Do Not Sell" link.

Remember that using the opt-out button is optional and it can not be used in lieu of the "Do Not Sell" link.

Summary of Your "Do Not Sell My Personal Information" Page

Take these steps to help ensure that you comply with this important part of the CCPA (CPRA):

• Confirm that you "sell" personal information according to the CCPA/CPRA's definition.

  • If you have not sold personal information in the past 12 months, update your Privacy Policy to reflect this.

• Create your "Do Not Sell" page. Include:

  • An explanation of the right to opt out
  • A web form that enables consumers to opt out
  • An explanation of any other methods by which consumers can opt out

• Display a link titled "Do Not Sell My Personal Information" or "Do Not Sell My Info":

  • On your homepage
  • On your mobile app's landing or download page
  • In your Privacy Policy