Creating and Displaying a "Do Not Sell My Personal Information" Page
The California Consumer Privacy Act (CCPA/CPRA) requires the creation and publication of a "Do Not Sell My Personal Information" page. Unlike other documents, like the Privacy Policy, this is a unique CCPA (CPRA) requirement. It's also brand new, so you're likely to see a lot of different formats popping up over the next few months as businesses start to adapt and comply.
The "Do Not Sell My Personal Information" page only covers California residents - not the whole country. A survey conducted by the USC Annenberg Center for Public Relations says 87 percent of consumers would opt-out of third party sales if given the opportunity. And given the recent coverage of the CCPA (CPRA) in the state, you better believe that eagle-eyed Californians will be looking out for these pages and actively opting out.
What is the Do Not Sell rule, and what do you need to comply with this aspect of the law? Keep reading to learn more and see some live examples of the "Do Not Sell My Personal Information" page.
Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:
- Click on "Start creating your Privacy Policy" on our website.
- Select the platforms where your Privacy Policy will be used and go to the next step.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
-
Enter your email address where you'd like your Privacy Policy sent and click "Generate".
And you're done! Now you can copy or link to your hosted Privacy Policy.
What is the Do Not Sell Rule?
The Do Not Sell Rule is a provision of the CCPA (CPRA) that allows California residents to opt-out of the sales of their personal data. Note: the CCPA (CPRA) uses the word "sale," but it also means share. The CCPA (CPRA) defines selling as:
"Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."
The wide application of the term is likely a way to cover companies like Facebook, who don't "sell" data, strictly speaking, but who do "give it away."
You aren't "selling" information if you need to share data for core business functions, but it does count as selling if there's money or other value involved. The statute doesn't go much further in defining what that means, but you need to comply with the Do Not Sell rule guidelines regardless of whether you "sell" or share for gain or for core business purposes.
To facilitate this rule, businesses covered by the law must create a mechanism for residents to choose whether to skip sales/sharing without requiring them to make an account.
The CCPA (CPRA) is clear about how it wants this done.
First, you need a page on your website titled "Do Not Sell My Personal Information." You also need to disclose the categories of personal information you have typically sold/shared in the past year in your CCPA (CPRA) Privacy Policy.
If you fall under the jurisdiction of the CCPA (CPRA), there's no way for your business to opt-out of creating the page. That means that you need a "Do Not Sell My Personal Information" page no matter what data you sell, if any.
Remember that you need to comply with the CCPA (CPRA) if you:
- Generate $25 million or more in revenue,
- Collect data from at least 100,000 CA residents each year, or
- Make half (or more) of your annual revenue from selling or sharing information
Title and Content of Your "Do Not Sell My Personal Information" Page
The CCPA (CPRA) requires the "Do Not Sell My Personal Information" page to be titled as such. The on-page title and the hyperlink title both need to carry the name exactly as "Do Not Sell My Personal Information." There are no exceptions to this.
Beyond this, however, the CCPA (CPRA) isn't exactly prescriptive, at least when it comes to the page itself.
So far, businesses seem to be accommodating the request in two ways.
The first is through creating a contact form style mechanism that allows consumers to enter their details and send them to you to add their name to the "no sale" list. The other method is by including contact information where consumers can reach out to request you add them to the "no sale" list.
Newmeyer and Dillon, a California/Nevada-based attorney practice, correctly titles its page and includes a description of the firm's data sales/sharing practices. It also includes a link to the Privacy Policy, which isn't strictly required but it is a smart idea because it makes the document more visible.
It then includes a simple contact form for users to fill out, with a checkbox mechanism to request to not have their personal information sold:
Keep in mind when creating the contact form that you need to sort through this data and manage it according to the new regulations. It may be helpful to practice data minimization here: only collect what you need to confirm the request.
As far as we know, these forms are a perfectly acceptable way of deploying the "Do Not Sell My Personal Information" page, as long as you honor those requests.
Another more granular mechanism has also started to appear across the web. These show up more when businesses actively collect and sell/share personal data through both cookies and other sharing mechanisms.
For example, AtomBeam created its "Do Not Sell My Personal Information" page in a way that has multiple informative paragraphs and almost looks like a Privacy Policy in structure:
It then provides two different consent mechanisms for opting out of sales. The first is a simple button that declares whether the site currently collects cookies from your browser and uses a simple "Revoke" button:
The second covers data not collected via cookies. AtomBeam says it sold first and last names to third parties in the past year. If you don't want your data sold, you can just enter your name and email address into the boxes at 11.2 to opt-out.
What if You Don't Sell Personal Data?
According to the CCPA (CPRA), if you don't sell personal data you aren't actually required to have a "Do Not Sell My Personal Information" page.
However, a lot of companies are choosing to provide one anyway that simply states that the company doesn't sell data. This can be a nice way to be more transparent than legally required with your customers. Otherwise they may wonder if you're actually selling their personal information and at the same time violating the CCPA (CPRA).
Here's how Accusonics does this in a quick statement:
Basically, if you fall under the jurisdiction of the CCPA (CPRA), you should have this page regardless of whether or not you are actively selling personal information. It helps with transparency and overall compliance.
So far, these are the most common and comprehensive styles of "Do Not Sell My Personal Information" pages up on the internet. As of early December of 2019, few of the largest corporations most affected by this rule have published their own versions yet.
Where to Display Your "Do Not Sell My Personal Information" Page
Your "Do Not Sell My Personal Information" page can appear in a few main places.
At the very least, you need a link to it in your website footer so that it can be available across the site from every page. Your footer link should have the same title ("Do Not Sell My Personal Information").
Here's how Newmeyer and Dillion does this:
Here's another example from AtomBeam:
The CCPA (CPRA) requires that you include a link to your "Do Not Sell My Personal Information" page in your Privacy Policy. Remember that your Privacy Policy also needs to disclose whether and what information you sell/share with third parties, so this clause is a natural place to include the link to your "Do Not Sell" page.
Alternatively, you can include it in your California residents' rights section of your Privacy Policy if you have one, as Newmeyer and Dillion have done here:
The CCPA (CPRA) goes into effect on January 1, 2020, which means your "Do Not Sell My Personal Information" page needs to be live by then. It will need to give users a way to opt out of you selling their personal information, whether it's via contact information or a convenient form. You also need to add a correctly-labeled link to both your website footer and your Privacy Policy.
Will anyone use it? Only time will tell, but surveys suggest that Californians who are aware of their rights are very likely to hit that button.
Your willingness to uphold your end of the deal will make a difference to consumers and regulators alike. As Californians and Americans in general look towards ways to secure their privacy, they will remember what businesses respected their rights to keep their data their own.
