Creating and Displaying a "Do Not Sell My Personal Information" Page

by Nicole O. Legal writer.
Creating and Displaying a "Do Not Sell My Personal Information" Page

The California Consumer Privacy Act (CCPA) requires the creation and publication of a "Do Not Sell My Personal Information" page. Unlike other documents, like the Privacy Policy, this is a unique CCPA requirement. It's also brand new, so you're likely to see a lot of different formats popping up over the next few months as businesses start to adapt and comply.

The "Do Not Sell My Personal Information" page only covers California residents - not the whole country. A survey conducted by the USC Annenberg Center for Public Relations says 87 percent of consumers would opt-out of third party sales if given the opportunity. And given the recent coverage of the CCPA in the state, you better believe that eagle-eyed Californians will be looking out for these pages and actively opting out.

What is the Do Not Sell rule, and what do you need to comply with this aspect of the law? Keep reading to learn more and see some live examples of the "Do Not Sell My Personal Information" page.

What is the Do Not Sell Rule?

The Do Not Sell Rule is a provision of the CCPA that allows California residents to opt-out of the sales of their personal data. Note: the CCPA uses the word "sale," but it also means share. The CCPA defines selling as:

"Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."

The wide application of the term is likely a way to cover companies like Facebook, who don't "sell" data, strictly speaking, but who do "give it away."

You aren't "selling" information if you need to share data for core business functions, but it does count as selling if there's money or other value involved. The statute doesn't go much further in defining what that means, but you need to comply with the Do Not Sell rule guidelines regardless of whether you "sell" or share for gain or for core business purposes.

To facilitate this rule, businesses covered by the law must create a mechanism for residents to choose whether to skip sales/sharing without requiring them to make an account.

The CCPA is clear about how it wants this done.

First, you need a page on your website titled "Do Not Sell My Personal Information." You also need to disclose the categories of personal information you have typically sold/shared in the past year in your CCPA Privacy Policy.

If you fall under the jurisdiction of the CCPA, there's no way for your business to opt-out of creating the page. That means that you need a "Do Not Sell My Personal Information" page no matter what data you sell, if any.

Remember that you need to comply with the CCPA if you:

  • Generate $25 million or more in revenue,
  • Collect data from more than 50,000 CA residents each year, or
  • Make half (or more) of your annual revenue from selling information

Title and Content of Your "Do Not Sell My Personal Information" Page

Title and Content of Your

The CCPA requires the "Do Not Sell My Personal Information" page to be titled as such. The on-page title and the hyperlink title both need to carry the name exactly as "Do Not Sell My Personal Information." There are no exceptions to this.

Beyond this, however, the CCPA isn't exactly prescriptive, at least when it comes to the page itself.

So far, businesses seem to be accommodating the request in two ways.

The first is through creating a contact form style mechanism that allows consumers to enter their details and send them to you to add their name to the "no sale" list. The other method is by including contact information where consumers can reach out to request you add them to the "no sale" list.

Newmeyer and Dillon, a California/Nevada-based attorney practice, correctly titles its page and includes a description of the firm's data sales/sharing practices. It also includes a link to the Privacy Policy, which isn't strictly required but it is a smart idea because it makes the document more visible.

Newmeyer Dillion Do Not Sell My Personal Information page intro section

It then includes a simple contact form for users to fill out, with a checkbox mechanism to request to not have their personal information sold:

Newmeyer Dillion Do Not Sell My Personal Information page contact form

Keep in mind when creating the contact form that you need to sort through this data and manage it according to the new regulations. It may be helpful to practice data minimization here: only collect what you need to confirm the request.

As far as we know, these forms are a perfectly acceptable way of deploying the "Do Not Sell My Personal Information" page, as long as you honor those requests.

Another more granular mechanism has also started to appear across the web. These show up more when businesses actively collect and sell/share personal data through both cookies and other sharing mechanisms.

For example, AtomBeam created its "Do Not Sell My Personal Information" page in a way that has multiple informative paragraphs and almost looks like a Privacy Policy in structure:

AtomBeam: Do Not Sell My Personal Information Page - Intro and Cookies sections

It then provides two different consent mechanisms for opting out of sales. The first is a simple button that declares whether the site currently collects cookies from your browser and uses a simple "Revoke" button:

AtomBeam: Do Not Sell My Personal Information Page - Cookies Consent section

The second covers data not collected via cookies. AtomBeam says it sold first and last names to third parties in the past year. If you don't want your data sold, you can just enter your name and email address into the boxes at 11.2 to opt-out.

AtomBeam: Do Not Sell My Personal Information Page - Selling data to third parties section with object form

What if You Don't Sell Personal Data?

According to the CCPA, if you don't sell personal data you aren't actually required to have a "Do Not Sell My Personal Information" page.

However, a lot of companies are choosing to provide one anyway that simply states that the company doesn't sell data. This can be a nice way to be more transparent than legally required with your customers. Otherwise they may wonder if you're actually selling their personal information and at the same time violating the CCPA.

Here's how Accusonics does this in a quick statement:

Accusonics Do Not Sell My Personal Information Page: Selling data to third parties section

Basically, if you fall under the jurisdiction of the CCPA, you should have this page regardless of whether or not you are actively selling personal information. It helps with transparency and overall compliance.

So far, these are the most common and comprehensive styles of "Do Not Sell My Personal Information" pages up on the internet. As of early December of 2019, few of the largest corporations most affected by this rule have published their own versions yet.

Where to Display Your "Do Not Sell My Personal Information" Page

Where to Display Your

Your "Do Not Sell My Personal Information" page can appear in a few main places.

At the very least, you need a link to it in your website footer so that it can be available across the site from every page. Your footer link should have the same title ("Do Not Sell My Personal Information").

Here's how Newmeyer and Dillion does this:

Newmeyer and Dillion website footer with links

Here's another example from AtomBeam:

AtomBeam website footer with links

The CCPA requires that you include a link to your "Do Not Sell My Personal Information" page in your Privacy Policy. Remember that your Privacy Policy also needs to disclose whether and what information you sell/share with third parties, so this clause is a natural place to include the link to your "Do Not Sell" page.

Alternatively, you can include it in your California residents' rights section of your Privacy Policy if you have one, as Newmeyer and Dillion have done here:

Newmeyer and Dillion Privacy Policy - Your California Privacy Rights section: Personal Information Sales Opto-Out and Opt-In Rights clause

The CCPA goes into effect on January 1, 2020, which means your "Do Not Sell My Personal Information" page needs to be live by then. It will need to give users a way to opt out of you selling their personal information, whether it's via contact information or a convenient form. You also need to add a correctly-labeled link to both your website footer and your Privacy Policy.

Will anyone use it? Only time will tell, but surveys suggest that Californians who are aware of their rights are very likely to hit that button.

Your willingness to uphold your end of the deal will make a difference to consumers and regulators alike. As Californians and Americans in general look towards ways to secure their privacy, they will remember what businesses respected their rights to keep their data their own.

Last updated on 06 December 2019

Article categories

Nicole O.

Legal writer.