Creating and Displaying a "Do Not Sell My Personal Information" Page
The "Do Not Sell My Personal Information" page only covers California residents, not the whole country. A survey conducted by the USC Annenberg Center for Public Relations says 87 percent of consumers would opt out of third-party sales if given the opportunity. And given the recent coverage of the CCPA in the state, you'd better believe that eagle-eyed Californians will be looking out for these pages and actively opting out.
What is the Do Not Sell rule, and what do you need to comply with this aspect of the law? Keep reading to learn more and see some live examples of the "Do Not Sell My Personal Information" page.
What is the Do Not Sell Rule?
The Do Not Sell Rule is a provision of the CCPA that allows California residents to opt out of the sale of their personal data. Note: the CCPA uses the word "sale," but it also covers sharing. The CCPA defines selling as:
"Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."
The wide application of the term is likely a way to cover companies like Facebook, who don't "sell" data, strictly speaking, but who do "give it away."
You aren't "selling" information if you need to share data for core business functions, but it does count as selling if there's money or other value involved. The statute doesn't go much further in defining what that means, but you need to comply with the Do Not Sell rule guidelines regardless of whether you "sell" or share for gain or for core business purposes.
To facilitate this rule, businesses covered by the law must create a mechanism that lets residents opt out of sales/sharing without requiring them to create an account.
The CCPA is clear about how it wants this done.
If you fall under the jurisdiction of the CCPA, there's no way for your business to opt out of creating the page. That means that you need a "Do Not Sell My Personal Information" page no matter what data you sell, if any.
Remember that you need to comply with the CCPA if you:
- Generate $25 million or more in revenue,
- Collect data from more than 50,000 CA residents each year, or
- Make half (or more) of your annual revenue from selling information
Title and Content of Your "Do Not Sell My Personal Information" Page
The CCPA requires the "Do Not Sell My Personal Information" page to be titled as such. The on-page title and the hyperlink title both need to carry the name exactly as "Do Not Sell My Personal Information." There are no exceptions to this.
Beyond this, however, the CCPA isn't exactly prescriptive, at least when it comes to the page itself.
So far, businesses seem to be accommodating the request in two ways.
The first is to create a contact-form-style mechanism that lets consumers enter their details and send them to you so you can add their name to the "no sale" list. The other is to provide contact information that consumers can use to ask you to add them to the "no sale" list.
It then includes a simple contact form for users to fill out, with a checkbox mechanism to request to not have their personal information sold:
Keep in mind when creating the contact form that you need to sort through this data and manage it according to the new regulations. It may be helpful to practice data minimization here: only collect what you need to confirm the request.
As far as we know, these forms are a perfectly acceptable way of deploying the "Do Not Sell My Personal Information" page, as long as you honor those requests.
Another more granular mechanism has also started to appear across the web. These show up more when businesses actively collect and sell/share personal data through both cookies and other sharing mechanisms.
It then provides two different consent mechanisms for opting out of sales. The first is a simple button that declares whether the site currently collects cookies from your browser and uses a simple "Revoke" button:
The second covers data not collected via cookies. AtomBeam says it sold first and last names to third parties in the past year. If you don't want your data sold, you can just enter your name and email address into the boxes at 11.2 to opt out.
What if You Don't Sell Personal Data?
According to the CCPA, if you don't sell personal data you aren't actually required to have a "Do Not Sell My Personal Information" page.
However, a lot of companies are choosing to provide one anyway, simply stating that the company doesn't sell data. This can be a nice way to be more transparent with your customers than legally required. Otherwise they may wonder if you're actually selling their personal information and at the same time violating the CCPA.
Here's how Accusonics does this in a quick statement:
Basically, if you fall under the jurisdiction of the CCPA, you should have this page regardless of whether or not you are actively selling personal information. It helps with transparency and overall compliance.
So far, these are the most common and comprehensive styles of "Do Not Sell My Personal Information" pages up on the internet. As of early December of 2019, few of the largest corporations most affected by this rule have published their own versions yet.
Where to Display Your "Do Not Sell My Personal Information" Page
Your "Do Not Sell My Personal Information" page can appear in a few main places.
At the very least, you need a link to it in your website footer so that it can be available across the site from every page. Your footer link should have the same title ("Do Not Sell My Personal Information").
Here's how Newmeyer and Dillion does this:
Here's another example from AtomBeam:
Will anyone use it? Only time will tell, but surveys suggest that Californians who are aware of their rights are very likely to hit that button.
Your willingness to uphold your end of the deal will make a difference to consumers and regulators alike. As Californians and Americans in general look for ways to secure their privacy, they will remember which businesses respected their rights to keep their data their own.