Compliant “Do Not Sell or Share My Personal Information” Page

Written by Ali Talip Pınarbaşı, CIPP/E, & LLM, December 21, 2023

The California Consumer Protection Act (CCPA) is a data privacy regulation that gives greater privacy to consumers by allowing them more power over the sale of their personal information.

One of its requirements is to have a “Do Not Sell or Share My Personal Information” link — a mechanism consumers can use to opt out of the selling or sharing of their personal information by businesses, also referred to as a “Do Not Sell My Data” page.

In this guide, we’ll explain the requirements of a “Do Not Sell or Share My Personal Information” page, when to use one, and where to place the page on your website.

Table of Contents
  1. Brief Overview of the CCPA and CPRA
  2. The CCPA “Do Not Sell or Share” Rule Explained
  3. What if You Don’t Sell or Share Personal Information?
  4. Examples of “Do Not Sell or Share My Personal Information” Compliance
  5. How To Create a “Do Not Sell or Share My Personal Information” Page
  6. What To Include in Your “Do Not Sell or Share My Personal Information” Page
  7. Where To Display Your “Do Not Sell or Share My Personal Information” Page
  8. Summary

Brief Overview of the CCPA and CPRA

The CCPA was enacted in January 2020 and regulates the following:

  • The methods companies can use to collect, process, store, and sell Californian residents’ personal information and data.
  • The rights California residents can exercise to protect their personal information.
  • The consequences for companies violating the provisions of the CCPA.

It was amended in January 2023 by the California Privacy Rights Act (CPRA), which introduced:

  • A new legal threshold.
  • The concept of sharing personal data.
  • The addition of the category of sensitive personal data.
  • New consumer rights.
  • Slight changes to business requirements.

Both are in full effect, and the amended law is still called the CCPA.

What Are CCPA Rights?

The CCPA provides greater transparency in the collection of California residents’ data and gives them more control over what happens to their information by granting them the following rights.

Right To Know

It’s a consumer’s right to request that you disclose the following information:

  • Categories and specific pieces of personal information that you collect
  • Purposes of the collection of that personal information
  • Categories of third parties with whom you share the personal information
  • Categories of the personal information that you share with third parties

Right To Delete

Consumers have the right to request that you delete the personal information you collected about them.

Right to Opt-out

The CCPA opt-out rights allow consumers to:

  • Request that you not sell or share their personal information — i.e., provide a “Do Not Sell My Personal Information” page.
  • Request that you do not collect their sensitive personal data.
  • Opt out of automated decision-making and profiling.

Subject to exceptions, if you receive an opt-out request from a consumer, the CCPA mandates you wait at least 12 months before requesting the consumer to opt in again.

Children and Personal Information

The CCPA has special requirements for the privacy of children that you must follow if and when you sell the personal information of children:

  • Children under 16 years old: If a child falls in this age group, you can’t sell or share their personal information unless their parent or guardian authorizes it by opting into the selling of the information.
  • Children between 13 and 16 years old: If a child falls in this age group, you must get affirmative authorization to sell or share their personal information, but this authorization can come from the child.

Right to Non-Discrimination

You can’t deny a consumer a good or service, offer a different price, or provide a different quality of good or service if they exercise their rights under the CCPA.

Do You Need to Comply With the CCPA?

A company — no matter where it is in the world — must comply with the CCPA if it meets the following criteria:

  • Operates for profit;
  • Collects personal information of its customers;
  • Determines the purpose and means of processing the data;
  • Services California residents AND meets one of the following:
    • Annual gross revenue exceeds $25 million;
    • Buys, receives, sells, or shares, for commercial purposes, the personal information of 100,000 or more consumers, households, or devices, OR
    • Derives more than 50% of its annual revenue from selling or sharing its consumers’ personal information.

Non-profit organizations and government agencies are exempt from the CCPA.

The CCPA “Do Not Sell or Share” Rule Explained

Collecting and selling your consumers’ personal information may be essential to certain businesses’ operations, but there are rules you must follow to comply with the CCPA.

What Is the “Do Not Sell or Share” Rule?

One of the rights conferred to consumers under the CCPA that you must comply with is the right to opt out of the sale or sharing of their personal information.

If you refuse, you face harsh sanctions from the California Attorney General, potentially resulting in serious fines and penalties.

The CCPA mandates that you provide a way for consumers to exercise this right by having a “Do Not Sell or Share My Personal Information” link.

What Is Personal Information?

Before discussing the requirements of the “Do Not Sell or Share” rule, let’s look at what the CCPA considers personal information.

Personal information is defined as information that can identify, relate to, describe, associate with, or be linked directly or indirectly with a consumer or household and includes the following:

  1. Identifiers
  2. Any categories of personal information described in subdivision (e) of Section 1798.80
  3. Characteristics of protected classifications under California or federal law
  4. Commercial information (like purchase history)
  5. Biometric information
  6. Internet or other electronic network activity information
  7. Geolocation data
  8. Audio, electronic, visual, thermal, olfactory, or similar information
  9. Professional or employment-related information
  10. Education information that is not publicly available
  11. Inferences from any of the information identified in this subdivision to create a profile about a consumer
  12. Sensitive personal information

Personal information does not include:

  • De-identified or aggregate information
  • Publicly available information, such as federal, state, or local government records

Requirements of the “Do Not Sell or Share” Rule

Here’s what you need to know about the “Do Not Sell or Share” rule and how to comply with it:

  1. Accessibility and Understanding: The link to your “Do Not Sell or Share My Personal Information” page must be “clear and conspicuous” and “reasonably accessible” to all of your consumers.
  2. Location: Provide access to opt-out on the homepage, on your CCPA-compliant privacy policy page, and on any page that collects personal information.
  3. Two methods: You must provide individuals with two methods to submit “Do Not Sell or Share My Personal Information” requests, and one of these methods must be an interactive web form accessible through the “Do Not Sell” page. The other method could be a toll-free number, a designated email address, or another method.
  4. Account: Consumers don’t need to make an account to exercise their right to opt out of the sale of their personal information.
  5. Refrain: You must respect a consumer’s decision to opt out of the sale of their personal information for at least 12 months. After that period, you can reach out to them and ask them to opt in.
  6. Training: You must provide training to personnel responsible for processing these requests. They must know the provisions of the CCPA and how to navigate your company’s policy.
  7. You cannot ask for proof of ID: Businesses cannot ask to verify the identity of individuals who submit the do not sell request.

What if You Don’t Sell or Share Personal Information?

The “Do Not Sell or Share” rule only applies to companies that sell or share personal information.

The CCPA defines “selling” as:

… selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.

It defines “sharing” as:

… sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.

If you don’t do any of these activities, then you’re not selling or sharing the personal information of your customers and don’t need a “Do Not Sell or Share My Personal Information” page.

However, you may still want to let users know that you are not selling their info, as highlighted in some of the examples below.

Examples of “Do Not Sell or Share My Personal Information” Compliance

Below are examples of how companies comply with the CCPA’s “Do Not Sell or Share” rule:

Rite Aid’s “Do Not Sell or Share My Personal Information” Form

Rite Aid links to their “Do Not Sell or Share My Personal Information” form in the footer of their site. When clicked on, it clearly explains how users can opt out of different processing activities.

See an example of a portion of their form in the screenshot below.

[Screenshot: portion of Rite Aid’s “Do Not Sell or Share My Personal Information” form]

Yahoo’s “Do Not Sell or Share My Personal Information” Explanation

In a section of its privacy policy outlining California privacy rights, Yahoo explains that it sells technical identifiers to provide content, ads, and relevant services.

It lets users easily toggle between Allow and Don’t Allow, as shown in the screenshot below.

[Screenshot: Yahoo’s Allow / Don’t Allow toggle for the sale or sharing of personal information]

Spotify’s “Sale or Share of Personal Information” Section

Spotify describes how California consumers can opt out of the selling or sharing of their personal data or targeted advertising in their supplemental U.S. privacy policy, shown in the screenshot below.

[Screenshot: Spotify’s “Sale or Share of Personal Information” section]

It’s important to be just as clear and concise in your own privacy policy so users know how to follow through on their rights.

How To Create a “Do Not Sell or Share My Personal Information” Page

Here are three examples of how you can create a “Do Not Sell or Share My Personal Information” page for your website.

Managed Solution (Termly)

Create a privacy policy using our privacy policy generator — you’ll need to specify that you want to be CCPA compliant.

The generator creates your “Do Not Sell or Share My Personal Information” page automatically.

Template

You can also build your “Do Not Sell or Share My Personal Information” page by following a template and filling in the relevant information tailored specifically to your company.

DIY

You can always build your “Do Not Sell or Share My Personal Information” page manually.

However, if you do, be sure to include all the relevant sections to avoid any penalties.

What To Include in Your “Do Not Sell or Share My Personal Information” Page

If you determine that you need a “Do Not Sell or Share My Personal Information” page, here is an outline of what you need to include in it.

Right To Opt Out

You should explain the CCPA’s right to opt out of the sale or sharing of personal information so the consumer can make an informed decision about whether they want to exercise their right.

Give consumers the option to choose which types of personal information are sold or shared.

For example, they might not mind their past transaction history being sold, but don’t want their location and biometric data being sold.

Providing options lets consumers control which personal information they allow you to share and sell on a granular level, which is useful in your business operations.

How To Opt Out

You must explain how consumers can exercise their right to opt out of the sale or sharing of their personal information.

The CCPA requires you to have a web form for users to submit their opt-out requests.

You must then provide a second way for individuals to submit their requests, which could be:

  • An email
  • A toll-free number
  • A global privacy control

See an example of a “Do Not Sell or Share My Personal Information” form from AT&T in the screenshot below.

[Screenshot: AT&T’s “Do Not Sell or Share My Personal Information” form]

Where To Display Your “Do Not Sell or Share My Personal Information” Page

Remember, the CCPA mandates that the “Do Not Sell or Share My Personal Information” page link be displayed in specific parts of your website:

  • On the homepage of your website
  • On any page that collects personal information
  • On your privacy policy page
  • On the download page of your application or your application’s platform page

The link must be “clear and conspicuous” and easy for consumers to find.

Website Footer

Users are used to finding a company’s information and legal pages inside the footer, so placing a link to your “Do Not Sell or Share My Personal Information” page there is a safe bet.

Cookie Consent Notice

Another place to include the “Do Not Sell or Share My Personal Information” link is on the cookie banner that pops up when consumers first visit your website.

However, since this banner only appears the first time the consumer visits your website, be sure to have the “Do Not Sell or Share My Personal Information” link in other parts of your website.

Within Your Privacy Policy

You should also put your “Do Not Sell or Share My Personal Information” link in your privacy policy, as users tend to go there for any of their privacy concerns.

Like the website footer, your privacy policy is an appropriate location.

Summary

Under the CCPA, California residents now have more control over their personal information and how businesses can collect and handle it.

The “Do Not Sell or Share My Personal Information” page is the mechanism by which consumers can exercise their right to opt out of the sale or sharing of their personal information, and it must be:

  • Clear
  • Conspicuous
  • Easy for your consumers to find
  • Linked in more than one location

Be sure that the personnel handling the requests are competently trained to fulfill these requests and comply with the CCPA requirements.

Ali is a London-based Data Privacy Law Consultant with a Master of Laws Degree in EU Privacy law at King's College London. He has three years of experience in advising businesses on how to comply with data protection laws.
