One of the most important aspects of the California Consumer Privacy Act (CCPA) is consumers' "right to opt out" of the sale of their personal information.
To help consumers exercise the right to opt out, the CCPA requires businesses to create a "Do Not Sell My Personal Information" page. If you don't yet have a CCPA-compliant "Do Not Sell" page, you may be in danger of receiving a fine from the California Attorney General.
This article will help you understand whether you need to comply with this part of the CCPA, create a legally compliant "Do Not Sell My Personal Information" page, and display and link to your "Do Not Sell" page in accordance with the CCPA's requirements.
To inform a third party that the consumer has opted out
As part of a merger or acquisition
The full scope of this definition is not yet clear. But bear in mind that "personal information" can include data such as cookies, IP addresses, and device IDs.
Therefore, many businesses are interpreting "selling personal information" as including relatively common business activities, such as running personalized ad campaigns that involve third-party cookies. This would require many businesses to create a "Do Not Sell" page.
What if You Do Not Sell Personal Information?
However, if you do sell personal information or have done so in the preceding 12-month period, your obligations continue and you must create a "Do Not Sell" page.
Creating Your "Do Not Sell My Personal Information" Page
The California Attorney General's CCPA Proposed Regulations contain some valuable guidance regarding what businesses must include in their "Do Not Sell" pages (note that the Proposed Regulations are subject to change).
The Proposed Regulations state that the "Do Not Sell" page must contain:
An explanation of the right to opt out
An "interactive form" via which a consumer can exercise their right to opt out
Instructions regarding any other opt-out method(s) you provide
The National Apartment Association gives a brief explanation of the right to opt out, some examples of personal information, and some information about exceptions to the right. This is a good way to put the right to opt out in context for consumers.
Opt-Out Web Form
Your opt-out form should ask consumers to provide the basic personal information that you need in order to identify them or their devices. If possible, try not to request any "new" personal information that you have not already collected from a consumer.
When processing requests under the right to know and the right to delete, you must take specific steps to verify the consumer's identity. You should not do this when fulfilling a request under the right to opt out (unless you reasonably suspect fraudulent activity).
Here's an example of an opt-out form from Stamps.com:
Stamps.com requests that consumers provide an account number. The CCPA states that businesses must not require consumers to create an account in order to exercise their right to opt out. However, this is an optional field in the form, so Stamps.com complies with the CCPA here.
Other Opt-Out Methods
The CCPA requires most businesses to provide at least two "designated methods for submitting a request" under each of the CCPA rights, including the right to opt out.
Your "Do Not Sell" page is one of your two designated methods for submitting a request under the right to opt out. Other designated methods might include:
You can choose which of these other options you provide consumers. Consider how you interact with consumers. For example, if you collect personal information through the mail, consider providing an opt-out form that consumers can submit through the mail.
Your "Do Not Sell" page should include details of any other opt-out methods you provide. Here's an example from Blu Jam Cafe:
Blu Jam Cafe goes beyond what the CCPA requires, providing three alternative methods via which consumers can submit a request to opt out. It's good to provide consumers with as much choice as reasonably possible.
Explanation of Your Business Practices (Optional)
Some businesses use their "Do Not Sell" page to explain their business practices.
This is not a requirement of the CCPA. However, as we've seen, the CCPA defines "selling" quite broadly, and you may wish to put this into context for customer relations purposes.
AT&T shares personal information for marketing and other reasons. While these activities qualify as a "sale" under the CCPA, some consumers may not object to AT&T "selling" their personal information in this way.
If You Do Not Sell Personal Information (Optional)
Blizzard is very clear that it does not sell personal information. The business simply offers consumers the chance to opt out of any potential future sale of personal information.
Displaying Your "Do Not Sell My Personal Information" Page
Once you've created your "Do Not Sell" page, you need to make it accessible to consumers.
The CCPA and the CCPA Proposed Regulations state that your link must:
Read as either "Do Not Sell My Personal Information" or "Do Not Sell My Info."
Appear on the "homepage" of your website or the "landing or download page" of your mobile app.
Be "clear and conspicuous." Use the same size font (or bigger) as the other text on your page, and use a color that contrasts with the background.
Let's take a look at how businesses are implementing these requirements.
On Your Homepage
Here's what consumers will see when they scroll to the bottom of Coca-Cola's homepage:
Remember that, according to the Proposed Regulations, you can use the phrase "Do Not Sell My Info" rather than "Do Not Sell My Personal Information" if you prefer. Here's an example from Local Measure:
Both of these businesses appear to comply with the CCPA's requirements around giving notice of the right to opt out.
Explain the right to opt out
Explain how you sell personal information (or don't)
Disclose which categories of personal information you have sold in the past 12 months