Some help with legal information about GDPR and other privacy laws

Privacy laws

Do Not Sell My Personal Information

CCPA „Do Not Sell My Personal Information“ Page

The California Consumer Protection Act (CCPA) is an active data privacy law of California that guarantees strong data privacy to individuals and applies to businesses that collect, use, or share consumer data. 

One of its requirements is to have a “Do Not Sell My Personal Information” page.  Sometimes it is also called a “Do Not Sell My Data” notice. It’s a mechanism that allows consumers to opt out of the selling or sharing of their personal information by businesses.

In this article, we’ll explain the requirements of a “Do Not Sell My Personal Information” page, how to understand the terms “sell” and “Personal Information”, and when and how to use this requirement.

What Is the CCPA “Do Not Sell My Personal Information” Rule?

One of the provisions under the CCPA is the right to opt out of the sale of California consumers’ personal information. CCPA guarantees a right for consumers to ask businesses and organizations to cease the selling of their personal information.

If organizations want to comply with the CCPA, they must stop selling their consumers’ personal information. If they refuse, they will face sanctions from the California Attorney General, potentially resulting in serious fines and penalties.

The CCPA mandates businesses to provide a clear and conspicuous “Do Not Sell My Personal Information” link on their website.

Requirements of the “Do Not Sell My Personal Information” Rule

To comply with the “Do Not Sell My Personal Information” rule, businesses must respect the following requirements:

  1. Accessibility and understanding. Businesses must provide a “clear and conspicuous” and “reasonably accessible” link to their “Do Not Sell My Personal Information” page to all their consumers.
  2. Location. Businesses must provide access to the “Do Not Sell My PI” page on the homepage, on their Privacy Policy page, and on any page that collects personal information.
  3. Two methods. Businesses must provide consumers with two methods to submit “do not sell my personal information” requests. One of these methods must be via an interactive web form accessible through the opt-out page. Another method could be a designated email, phone number, or other methods.
  4. Time period. Businesses must respect a consumer’s request to opt out of the sale of their personal information for at least 12 months. Later, they should reach out to them and ask for their preferences.
  5. Without account. Consumers could be able to exercise their right to opt out of the sale of their personal information without creating an account.
  6. Training. Businesses must provide training to personnel responsible for processing “Do Not Sell My PI” requirements. 
  7. You cannot ask for proof of ID. Businesses cannot ask to verify the identity of individuals who submit the “Do Not Sell My PI” request.

Need to be CCPA compliant? Choose CookieScript Consent Management Platform, and we will take care of your website's CCPA and other privacy laws' compliance issues!

What Is Personal Information Under the CCPA?

Under the CCPA, personal information is defined as information that can identify, relate to, describe, associate with, or be linked directly or indirectly with a consumer or household and includes the following data:

  • Direct identifiers;
  • Characteristics of protected classifications under California or federal law;
  • Commercial information;
  • Biometric data;
  • Internet or other electronic network activity data, like browsing history, etc.;
  • Geo-location data;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information;
  • Education information, that is not publicly available;
  • Inferences from any of the information identified in this subdivision to create a profile about a consumer;
  • Personal information does not include publicly available information, such as federal, state, or local government records;
  • Genetic data;
  • Medical history.

Personal information does not include publicly available information like federal, state, or local government records.

What Do “Sell” and “Third-party” Mean under the CCPA?

CCPA defines the term “sell” quite broadly. It doesn’t refer only to the payment, but to every action that could benefit the business. According to the CCPA, selling of personal information includes sharing, renting, disclosing, releasing, disseminating, transferring, or communicating personal information to another business or a third party for “monetary or other valuable consideration.”

Third-party means a person or entity other than the business collecting consumers’ personal information. However, this definition excludes service providers. If a business discloses a consumer’s personal information for a business purpose under a written contract that contains specific clauses (a service provider), then sharing personal information with the entity is not defined as selling of personal information.

How to Comply with CCPA “Do Not Sell” requests?

In order to comply with CCPA “Do Not Sell” requirements, you have to perform the following actions:

  • Disclose details related to the selling or sharing of consumers’ personal information in your Privacy Policy.
  • Inform consumers that you intend to sell or share their personal information via a notice of sale.
  • Provide a “Do Not Sell My Personal Information” link within your Privacy Policy and on your website’s homepage. The link must have an option to opt out of the sale.
  • Explain how consumers can exercise their right to opt out of the sale of their personal information. Provide at least two methods to opt-out of the sale: a web form where individuals submit their opt out request, and another method, like a dedicated email, phone number, etc.
  • Provide cookie notice, which includes a link to your Cookie Policy or to the "Do not sell My PI" page.
  • Accept the consumer’s request not to sell their personal data.
  • Wait at least 12 months after a consumer’s request not to sell before requesting authorization to sell their personal information again.

Where to Display Your “Do Not Sell My Personal Information” Page?

The CCPA mandates that the “Do Not Sell My Personal Information” page link be displayed in specific parts of your website:

  1. On the homepage of your website.
  2. On any page that collects personal information.
  3. On your Privacy Policy page.
  4. On the application’s download page or on the application’s platform page.

Another place to include the “Do Not Sell My Personal Information” link is on the Cookie Banner. However, since the consumer sees the banner only when he visits your website for the first time, you must include the “Do Not Sell My Personal Information” link in other parts of your website.

The link must be clear and conspicuous and easy to find.

How CookieScript Can Help?

CookieScript is a Cookie Consent solution that can help your website get compliant with privacy the laws of California (CCPA), Colorado (CPA), Virginia (VCDPA), Utah (UCPA), and others. To comply with the CCPA, create a customized Cookie Banner and block cookies until the consumer gives consent.

CookieScript has a user-friendly interface and presents information about a Cookie Banner and user consent in a clear and concise manner. You could simply add necessary tabs on your Cookie Banner, such as “Accept all cookies”, “Decline all cookies”, and others by simply checking the checkboxes.

With CookieScript CMP, you can display a “Do Not Sell My Personal Information” notice, automatically update your Privacy Policy, easily manage opt-outs, and align with CCPA Compliance.

Frequently Asked Questions

What is CCPA?

The California Consumer Protection Act (CCPA) is an active data privacy law that guarantees strong data privacy to individuals and applies to businesses that collect, use, or share consumer data. Use CookieScript to be CCPA compliant.

What Is the CCPA “Do Not Sell My Personal Information” Rule?

The CCPA guarantees a right for California consumers to ask businesses and organizations to cease the selling of their personal information. If organizations want to comply with the CCPA, they must stop selling their consumers’ personal information. The CCPA mandates businesses to provide a clear and conspicuous “Do Not Sell My Personal Information” link on their website.

What does “sell” mean under the CCPA?

CCPA defines the term “sell” quite broadly. It doesn’t refer only to the payment, but to every action that could benefit the business. Selling of personal information includes sharing, renting, disclosing, releasing, disseminating, transferring, or communicating personal information to another business or a third party for “monetary or other valuable consideration.” Use CookieScript CMP to be CCPA compliant.

Where to display your “Do Not Sell My Personal Information” page?

The CCPA mandates that the “Do Not Sell My Personal Information” page link be displayed in specific parts of your website: on the homepage of your website, on any page that collects personal information, on your Privacy Policy page, and on the application’s download page or on the application’s platform page. The “Do Not Sell My Personal Information” link could also be placed on the cookie banner.

How to comply with CCPA “Do Not Sell” requests?

To comply with CCPA “Do Not Sell” requirements, you should: disclose details related to the selling in your Privacy Policy, inform consumers that you intend to sell their personal information, provide a “Do Not Sell My Personal Information” link, explain how consumers can exercise their right to opt out of the sale of their personal information, accept the consumer’s request not to sell their personal data, and wait at least 12 months after a consumers request not to sell before requesting authorization to sell their personal information again.

What is CPRA and does it replace CCPA?

The California Privacy Rights Act (CPRA) is an amendment to the CCPA that will take effect on July 1, 2023. Until then the CCPA will remain the primary personal data protection law in California. The CPRA strengthens business requirements and increases consumer rights, after that it will resemble more the GDPR. The CPRA also creates a new enforcement agency — the California Privacy Protection Agency.

New to CookieScript?

CookieScript helps to make the website ePrivacy and GDPR compliant.

We have all the necessary tools to comply with the latest privacy policy regulations: third-party script management, consent recording, monthly website scans, automatic cookie categorization, cookie declaration automatic update, translations to 34 languages, and much more.