A "Do Not Sell My Personal Information" page enables consumers to opt out of the sale of their personal data.
In this context, personal data includes but is not limited to identifiers such as an individual's name and address, biometric information, geolocation and commercial data, internet activity, employment data, education history and beyond.
We'll show you when a "Do Not Sell My Personal Information" page is required and what yours should include.
The concept of a "Do Not Sell My Personal Information" page was introduced by the California Consumer Privacy Act (CCPA).
Let's briefly consider what the CCPA is, who it applies to and how it may affect your business.
(Note: The CCPA was expanded by the California Privacy Rights Act (CPRA) that took effect on Jan 1, 2023.
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
- 1. What is the CCPA (CPRA)?
- 1.1. Who Does the CCPA (CPRA) Apply to?
- 2. The CCPA (CPRA) and the Need for a "Do Not Sell My Personal Information" Page
- 3. What Your "Do Not Sell My Personal Information" Page Should Include
- 3.1. The Consumer's Right to Opt Out
- 3.2. Methods of Opting Out
- 3.2.1. An Opt Out Form
- 3.2.2. Provide Contact Information
- 3.3. Other Information
- 4. Where to Display Your "Do Not Sell My Personal Information" Page
- 4.1. Website Footer
- 4.2. Cookie Consent Notice
- 5. Summary
What is the CCPA (CPRA)?
The CCPA (CPRA) is a strict privacy law that demands greater transparency from businesses in respect to how personal data is collected, used and shared. Its purpose is to enhance consumer privacy rights and give them greater control over the use of their personal data.
Who Does the CCPA (CPRA) Apply to?
The CCPA (CPRA) applies to any business that:
- Has an annual gross revenue of at least $25 million,
- Collects or receives the personal data of at least 100,000 people, or
- Makes more than 50% of its gross annual revenue from selling and/or sharing personal data
Your organization does not need to be based in California, or even if the U.S., to be affected by this law.
However, the law only applies to for-profit businesses, meaning any not-for-profit organizations are exempt from compliance with the CCPA (CPRA).
The CCPA (CPRA) and the Need for a "Do Not Sell My Personal Information" Page
The CCPA (CPRA) gives consumers the right to find out what personal information companies collect about them, to have their personal information deleted and to opt out of their personal information being sold or shared with third parties.
It is this 'right to opt out' which creates the need for a "Do Not Sell My Personal Information" page.
If a company sells personal data, they are required to give consumers the opportunity to opt out of the sale by including a 'Do Not Sell My Personal Information' page on their website.
The act defines the sale of personal data to include any company who shares data with a third party "for monetary of other valuable consideration."
Companies that do not sell any personal data are not required to comply with this section of the CCPA (CPRA).
However, many companies still choose to include a "Do Not Sell My Personal Information" page simply to make it clear to consumers that the company does not sell personal data. Choosing to do this can make companies appear more transparent.
What Your "Do Not Sell My Personal Information" Page Should Include
Once you've created a "Do Not Sell My Personal Information" page there are a few things you'll need to include in it.
The Consumer's Right to Opt Out
The page needs to clearly explain the consumer's right to opt out of the sale of their data.
It's not enough to simply state that consumers are able to opt out of the sale of their data. The page must also explain how consumers are able to opt out of the sale.
Methods of Opting Out
You may wish to enable consumers to opt out by including a form on your "Do Not Sell My Personal Information" page. While this isn't necessary, it makes it very convenient and easy for users to exercise this right, which the law will look favorably upon (as will your users). At minimum, you need to include contact information where a user can reach out and make the opto-out request.
Let's take a look at each of the methods.
An Opt Out Form
One option is to include an online form which consumers are able to complete to opt out of the sale of their data. The form should be easily accessible and it should not require the consumer to provide unnecessary information. You should only ask for the information you need in order to complete the consumer's request.
Wilmington Endocrinology has a "Do Not Sell My Personal Information" page which includes a form to object to the sale of personal data. Consumers are able to opt out by entering their name and email address:
Similarly, Mirion Technologies also provides an opt out form on the website's "Do Not Sell My Personal Information" page:
Note the checkbox that a user can click to request their personal information not be sold.
Provide Contact Information
Alternatively, if you don't wish to include a form, you can simply provide contact information for your business.
Make sure that you advise consumers that they can contact your company to opt out of the sale of their personal information. You should provide a couple of methods of contacting your business, for example, by post, email and phone to make sure everyone is able to reach you.
If you provide your organization's phone number it is crucial that it is toll-free. This is because the CCPA (CPRA) includes a requirement that businesses must provide free methods of opting out of data sales, which includes toll-free phone numbers.
Deluxe advises of the right to opt out of personal data sales, as well as informing users how to exercise this right.
The company provides an email address which users can use to submit a request. The company also advise users to include their name, coupled with their email address or mailing address. Alternatively, users with an account can just include their account information:
It's important to note that Deluxe provides options for both account holders and non account holders because the CCPA states that companies are not allowed to force consumers to make an account to complete the opt-out process.
When creating your "Do Not Sell My Personal Information" page remember that it is crucial to enable consumers to submit their opt out request without creating an account.
Valiant states that the company does not sell personal information, however the website still includes a "Do Not Sell My Personal Information" page which contains contact information:
The company has included a toll-free telephone number as well to make it even easier for users to reach out.
Although not essential, you may also wish to include details about what personal data your company sells and why.
This may be particularly important to you if your business is reliant on personal data sales and you are concerned how opt out requests could affect your business's income.
For example, companies that sell marketing lists, generate leads for other businesses or run a blog that uses an advert supported business model are all reliant on personal data sales. Being upfront about what data is sold may make some consumers trust your company more and decide not to opt out of sale.
Something else to consider is whether you wish to provide consumers with the option to consent to selling specific types of information for specific reasons.
In addition, business owners must ensure that any employee tasked with handling opt out requests, or consumer inquiries relating to privacy, understands the law regarding the same. The employee must also be able to inform users how to exercise their rights under the law.
Where to Display Your "Do Not Sell My Personal Information" Page
When a user clicks the link, it must take them to a web page which enables the user to opt out of the sale of their data.
However, it's important to note that a company can choose not to include the link on the main homepage providing it includes a separate web page which is solely for citizens of California.
The business must also take reasonable steps to make sure that citizens of California end up on the California consumer homepage and not the main homepage. In addition, this separate homepage must include the necessary links.
Ideally, you should include a link to the "Do Not Sell My Personal Information" page in multiple locations as this will enable users to find it and demonstrate your company's compliance with the CCPA (CPRA).
Let's consider where you could include a link to your "Do Not Sell My Personal Information" page.
A great place to include a link to your "Do Not Sell My Personal Information" page is in your website's footer. This is an ideal place since consumers usually check the footer for important policies and it is easily accessible from every page of your website.
Semasio includes a link to the company's 'Opt-Out - Do Not Sell My Information' page in the website's footer:
West Hills Web also includes a link to the website's "Do Not Sell My Personal Information" page in the footer:
Cookie Consent Notice
You may also wish to include the link in your website's pop-up cookie consent notice. This can be a good place to include important policies and pages since the pop-up will appear to all of your website's users upon first visit to your site.
Wilmington Endocrinology includes a "Do Not Sell My Personal Information" link in the site's cookie consent notice, which pops up as soon as a user arrives on the website for the first time:
This is a great additional way of including the link, however it's important to note that the link should also be featured elsewhere on the website. This is because the cookie consent notice only shows up once and once a user has accepted it, they may be unable to access it again. Therefore the link should also be included somewhere the user would know to look and can look to at any time, such as in the website's footer.
Be sure to include a clear link within the policy which takes the user to the "Do Not Sell My Personal Information" page. Alternatively, you could include the entire page within the policy.
Deluxe has written a Privacy Notice specifically for residents of California which includes a clause about how a user can opt out of the sale of personal information. The clause includes the link to the website's "Do Not Sell My Personal Information" page:
The section includes a box for California consumers to click to be shown their California-specific rights:
This link takes users to a page that is intended solely for residents of California and includes the "Do Not Sell My Personal Information" page link:
Again, the more places you link to this page, the better. Users should be able to access it at any time, as well as be made aware of it as soon as possible upon arriving at your website.
The requirement for a "Do Not Sell My Personal Information" page was created by the CCPA (CPRA), which is a strict privacy law that gives consumers greater rights over their personal data and forces companies to be more transparent about their use of the same.
If your company sells personal information, you must give consumers the opportunity to opt out of the sale by including a "Do Not Sell My Personal Information" page on your website. A 'Do Not Sell My Personal Information Page' enables consumers to opt out of the sale of their personal data.
If a consumer chooses to exercise their right to opt out of the sale of their personal data it is essential to comply with the request. It is therefore crucial to know what categories of personal data your company sells in order to be able to comply with opt out requests.
If a consumer makes a request, your business would need to stop selling any personal data it has collected about the consumer. In addition, you would need to allow a minimum of a year prior to asking the customer if they wish to opt back in to the sale of their data.
Your "Do Not Sell My Personal Information" page must advise consumers of their right to opt out of the sale of their personal data and advise how to exercise this right.
Commonly, companies include a form or contact details which consumers can complete to make the request. It's important to allow users to complete a request without making an account, since this is a requirement of the CCPA (CPRA).
Once you have created a "Do Not Sell My Personal Information" page you will need to ensure that residents of California can find it easily. It's best to include a link to the page in at least a couple of different locations.
It's very important that the link is 'clear and conspicuous' wherever it's placed.
Lastly, it's essential to comply with any opt -out requests that your company receives from California consumers and do so in a timely manner.