Last updated on 24 December 2020 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
One of the most important aspects of the California Consumer Privacy Act (CCPA) is consumers' "right to opt out" of the sale of their personal information.
To help consumers exercise the right to opt out, the CCPA requires businesses to create a "Do Not Sell My Personal Information" page. If you don't yet have a CCPA-compliant "Do Not Sell" page, you may be in danger of receiving a fine from the California Attorney General.
This article will help you understand whether you need to comply with this part of the CCPA, create a legally-compliant "Do Not Sell My Personal Information" page and display and link to your "Do Not Sell" page in accordance with the CCPA's requirements.
Here's a very brief outline of the CCPA's scope and requirements. We're going to keep this short, but you can skip ahead if you already know that your business is covered by the CCPA.
The CCPA applies to "businesses," meaning any company doing business in California that does one or more of the following things:
A business does not need to be based in California. Businesses all over the world must comply with the CCPA.
The CCPA has a number of requirements, including:
That last point is our focus in this article and is the purpose of a "Do Not Sell" page.
You can build your CCPA Opt-Out code by following the steps below:
For more information about your obligations under the CCPA, see our article on CCPA Compliance Requirements.
Even if you're covered by the CCPA, you don't necessarily have to create a "Do Not Sell" page.
If you already know that the CCPA's opt-out rules apply to your business, you can skip ahead to learn how to create a "Do Not Sell" page.
When people think of "selling" something, they think of exchanging it for money. However, the CCPA defines the act of "selling" very broadly.
Here's how the CCPA defines "selling" personal information:
Taken literally, this definition encompasses any act of sharing personal information with any third party in exchange for anything of value.
The CCPA provides some exceptions. "Selling" personal information does not include sharing personal information:
The full scope of this definition is not yet clear. But bear in mind that "personal information" can include data such as cookies, IP addresses, and device IDs.
Therefore, many businesses are interpreting "selling personal information" as including relatively common business activities, such as running personalized ad campaigns that involve third-party cookies. This would require many businesses to create a "Do Not Sell" page.
However, if you do sell personal information or have done so in the preceding 12 month period, your obligations continue and you must create a "Do Not Sell" page.
The California Attorney General's CCPA Proposed Regulations contain some valuable guidance regarding what businesses must include in their "Do Not Sell" pages (note that the Proposed Regulations are subject to change).
The Proposed Regulations state that the "Do Not Sell" page must contain:
Your "Do Not Sell" page must include an explanation of the right to opt out.
The CCPA doesn't provide any prescribed form of explanation that businesses must use. However, your explanation of the right to opt out must be clear and concise.
Here's how The Walt Disney Company explains the right to opt out:
Here's a longer explanation of the right to opt out, from the National Apartment Association:
The National Apartment Association gives a brief explanation of the right to opt out, some examples of personal information, and some information about exceptions to the right. This is a good way to put the right to opt out in context for consumers.
Your opt-out form should ask consumers to provide the basic personal information that you need in order to identify them or their devices. If possible, try not to request any "new" personal information that you have not already collected from a consumer.
When processing requests under the right to know and the right to delete, you must take specific steps to verify the consumer's identity. You should not do this when fulfilling a request under the right to opt out (unless you reasonably suspect fraudulent activity).
Here's an example of an opt out form from Stamps.com:
Stamps.com requests that consumers provide an account number. The CCPA states that businesses must not require consumers to create an account in order to exercise their right to opt out. However, this is an optional field in the form, so Stamps.com complies with the CCPA here.
The CCPA requires most businesses to provide at least two "designated methods for submitting a request" under each of the CCPA rights, including the right to opt out.
Your "Do Not Sell" page is one of your two designated methods for submitting a request under the right to opt out. Other designated methods might include:
You can choose which of these other options you provide consumers. Consider how you interact with consumers. For example, if you collect personal information through the mail, consider providing an opt-out form that consumers can submit through the mail.
Your "Do Not Sell" page should include details of any other opt-out methods you provide. Here's an example from Blu Jam Cafe:
Blu Jam Cafe goes beyond what the CCPA requires, providing three alternative methods via which consumers can submit a request to opt out. It's good to provide consumers with as much choice as reasonably possible.
Some businesses use their "Do Not Sell" page to explain their business practices.
This is not a requirement of the CCPA. However, as we've seen, the CCPA defines "selling" quite broadly, and you may wish to put this into context for customer relations purposes.
Here's an example from AT&T:
AT&T shares personal information for marketing and other reasons. While these activities qualify as a "sale" under the CCPA, some consumers may not object to AT&T "selling" their personal information in this way.
However, some businesses choose to create a "Do Not Sell" page to allow consumers to opt out of the future sale of personal information.
Here's an example from Blizzard:
Blizzard is very clear that it does not sell personal information. The business simply offers consumers the chance to opt out of any potential future sale of personal information.
Once you've created your "Do Not Sell" page, you need to make it accessible to consumers.
The CCPA and the CCPA Proposed Regulations state that your link must:
Let's take a look at how businesses are implementing these requirements.
Here's what consumers will see when they scroll to the bottom of Coca-Cola's homepage:
Remember that, according to the Proposed Regulations, you can use the phrase "Do Not Sell My Info" rather than "Do Not Sell My Personal Information" if you prefer. Here's an example from Local Measure:
Both of these businesses appear to comply with the CCPA's requirements around giving notice of the right to opt out.
The CCPA Proposed Regulations provide an icon called the "opt-out button" which businesses can use alongside their "Do Not Sell My Personal Information" link.
Here's the relevant part of the Proposed Regulations:
The Proposed Regulations state that you can use the opt-out button by placing it to the left of your "Do Not Sell" link.
Remember that using the opt-out button is optional. If you want to do so, it might be best to wait until the CCPA Proposed Regulations have been finalized (likely around July 2020).
Take these steps to help ensure that you comply with this important part of the CCPA:
Confirm that you "sell" personal information according to the CCPA's definition.
Create your "Do Not Sell" page. Include:
Display a link titled "Do Not Sell My Personal Information" or "Do Not Sell My Info":