Privacy and Data Protection Research Writer at TermsFeed.
On this page
- 1. The CCPA in Brief
- 1.1. Who Has to Comply With the CCPA?
- 1.2. What are the CCPA's Requirements?
- 2. Do You Need a "Do Not Sell My Personal Information" Page?
- 2.1. What is "Selling" Personal Information?
- 2.2. What if You Do Not Sell Personal Information?
- 3. Creating Your "Do Not Sell My Personal Information" Page
- 3.1. Explanation of the Right to Opt Out
- 3.2. Opt-Out Web Form
- 3.3. Other Opt-Out Methods
- 3.4. Explanation of Your Business Practices (Optional)
- 3.5. If You Do Not Sell Personal Information (Optional)
- 4. Displaying Your "Do Not Sell My Personal Information" Page
- 4.1. On Your Homepage
- 4.3. Opt-Out Button (Optional)
- 5. Summary of Your "Do Not Sell My Personal Information" Page
One of the most important aspects of the California Consumer Privacy Act (CCPA) is consumers' "right to opt out" of the sale of their personal information.
To help consumers exercise the right to opt out, the CCPA requires businesses to create a "Do Not Sell My Personal Information" page. If you don't yet have a CCPA-compliant "Do Not Sell" page, you may be in danger of receiving a fine from the California Attorney General.
This article will help you understand whether you need to comply with this part of the CCPA, create a legally-compliant "Do Not Sell My Personal Information" page and display and link to your "Do Not Sell" page in accordance with the CCPA's requirements.
You can build your CCPA Opt-Out code by following the steps below:
- Customize the banner:
- Adjust the settings by adding a description, text for the button and other settings.
The CCPA in Brief
Here's a very brief outline of the CCPA's scope and requirements. We're going to keep this short, but you can skip ahead if you already know that your business is covered by the CCPA.
Who Has to Comply With the CCPA?
The CCPA applies to "businesses," meaning any company doing business in California that does one or more of the following things:
- Raises annual gross revenues of $25 million or more
- Buys, sells, receives for commercial purposes, or shares for commercial purposes, personal information from at least 50,000 California consumers, households, and/or their devices
- Raises at least half of its annual gross revenues from the sale of consumers' personal information
A business does not need to be based in California. Businesses all over the world must comply with the CCPA.
What are the CCPA's Requirements?
The CCPA has a number of requirements, including:
- Allowing consumers to access and delete the personal information you have collected about them
- Allowing consumers to opt out of the sale of their personal information
That last point is our focus in this article and is the purpose of a "Do Not Sell" page.
For more information about your obligations under the CCPA, see our article on CCPA Compliance Requirements.
Do You Need a "Do Not Sell My Personal Information" Page?
Even if you're covered by the CCPA, you don't necessarily have to create a "Do Not Sell" page.
If you already know that the CCPA's opt-out rules apply to your business, you can skip ahead to learn how to create a "Do Not Sell" page.
What is "Selling" Personal Information?
When people think of "selling" something, they think of exchanging it for money. However, the CCPA defines the act of "selling" very broadly.
Here's how the CCPA defines "selling" personal information:
Taken literally, this definition encompasses any act of sharing personal information with any third party in exchange for anything of value.
The CCPA provides some exceptions. "Selling" personal information does not include sharing personal information:
- Under the consumer's instructions
- For business purposes with a service provider
- To inform a third party that the consumer has opted out
- As part of a merger or acquisition
The full scope of this definition is not yet clear. But bear in mind that "personal information" can include data such as cookies, IP addresses, and device IDs.
Therefore, many businesses are interpreting "selling personal information" as including relatively common business activities, such as running personalized ad campaigns that involve third-party cookies. This would require many businesses to create a "Do Not Sell" page.
What if You Do Not Sell Personal Information?
However, if you do sell personal information or have done so in the preceding 12 month period, your obligations continue and you must create a "Do Not Sell" page.
Creating Your "Do Not Sell My Personal Information" Page
The California Attorney General's CCPA Proposed Regulations contain some valuable guidance regarding what businesses must include in their "Do Not Sell" pages (note that the Proposed Regulations are subject to change).
The Proposed Regulations state that the "Do Not Sell" page must contain:
- An explanation of the right to opt out
- An "interactive form" via which a consumer can exercise their right to opt out
- Instructions regarding any other opt out method(s) you provide
Explanation of the Right to Opt Out
Your "Do Not Sell" page must include an explanation of the right to opt out.
The CCPA doesn't provide any prescribed form of explanation that businesses must use. However, your explanation of the right to opt out must be clear and concise.
Here's how The Walt Disney Company explains the right to opt out:
Here's a longer explanation of the right to opt out, from the National Apartment Association:
The National Apartment Association gives a brief explanation of the right to opt out, some examples of personal information, and some information about exceptions to the right. This is a good way to put the right to opt out in context for consumers.
Opt-Out Web Form
Your opt-out form should ask consumers to provide the basic personal information that you need in order to identify them or their devices. If possible, try not to request any "new" personal information that you have not already collected from a consumer.
When processing requests under the right to know and the right to delete, you must take specific steps to verify the consumer's identity. You should not do this when fulfilling a request under the right to opt out (unless you reasonably suspect fraudulent activity).
Here's an example of an opt out form from Stamps.com:
Stamps.com requests that consumers provide an account number. The CCPA states that businesses must not require consumers to create an account in order to exercise their right to opt out. However, this is an optional field in the form, so Stamps.com complies with the CCPA here.
Other Opt-Out Methods
The CCPA requires most businesses to provide at least two "designated methods for submitting a request" under each of the CCPA rights, including the right to opt out.
Your "Do Not Sell" page is one of your two designated methods for submitting a request under the right to opt out. Other designated methods might include:
- A toll-free telephone number
- An email address
- A form submitted in the mail
- A form submitted in person
You can choose which of these other options you provide consumers. Consider how you interact with consumers. For example, if you collect personal information through the mail, consider providing an opt-out form that consumers can submit through the mail.
Your "Do Not Sell" page should include details of any other opt-out methods you provide. Here's an example from Blu Jam Cafe:
Blu Jam Cafe goes beyond what the CCPA requires, providing three alternative methods via which consumers can submit a request to opt out. It's good to provide consumers with as much choice as reasonably possible.
Explanation of Your Business Practices (Optional)
Some businesses use their "Do Not Sell" page to explain their business practices.
This is not a requirement of the CCPA. However, as we've seen, the CCPA defines "selling" quite broadly, and you may wish to put this into context for customer relations purposes.
Here's an example from AT&T:
AT&T shares personal information for marketing and other reasons. While these activities qualify as a "sale" under the CCPA, some consumers may not object to AT&T "selling" their personal information in this way.
If You Do Not Sell Personal Information (Optional)
However, some businesses choose to create a "Do Not Sell" page to allow consumers to opt out of the future sale of personal information.
Here's an example from Blizzard:
Blizzard is very clear that it does not sell personal information. The business simply offers consumers the chance to opt out of any potential future sale of personal information.
Displaying Your "Do Not Sell My Personal Information" Page
Once you've created your "Do Not Sell" page, you need to make it accessible to consumers.
The CCPA and the CCPA Proposed Regulations state that your link must:
- Read as either "Do Not Sell My Personal Information" or "Do Not Sell My Info."
- Appear on the "homepage" of your website or the "landing or download page" of your mobile app.
- Be "clear and conspicuous." Use the same size font (or bigger) as the other text on your page, and use a color that contrasts with the background.
Let's take a look at how businesses are implementing these requirements.
On Your Homepage
Here's what consumers will see when they scroll to the bottom of Coca-Cola's homepage:
Remember that, according to the Proposed Regulations, you can use the phrase "Do Not Sell My Info" rather than "Do Not Sell My Personal Information" if you prefer. Here's an example from Local Measure:
Both of these businesses appear to comply with the CCPA's requirements around giving notice of the right to opt out.
- Explain the right to opt out
- Explain how you sell personal information (or don't)
- Disclose which categories of personal information you have sold in the past 12 months
- Provide a link to your "Do Not Sell" page
Opt-Out Button (Optional)
The CCPA Proposed Regulations provide an icon called the "opt-out button" which businesses can use alongside their "Do Not Sell My Personal Information" link.
Here's the relevant part of the Proposed Regulations:
The Proposed Regulations state that you can use the opt-out button by placing it to the left of your "Do Not Sell" link.
Remember that using the opt-out button is optional. If you want to do so, it might be best to wait until the CCPA Proposed Regulations have been finalized (likely around July 2020).
Summary of Your "Do Not Sell My Personal Information" Page
Take these steps to help ensure that you comply with this important part of the CCPA:
Confirm that you "sell" personal information according to the CCPA's definition.
Create your "Do Not Sell" page. Include:
- An explanation of the right to opt out
- A web form that enables consumers to opt out
- An explanation of any other methods by which consumers can opt out
Display a link titled "Do Not Sell My Personal Information" or "Do Not Sell My Info":
- On your homepage
- On your mobile app's landing or download page