Back
Complying with the CCPA's "Do Not Sell" Requirement

In 2018, California passed the California Consumer Privacy Act (CCPA) to give state residents more control over their personal data. It came into effect two years later. One key provision is the right to opt out of their personal information being sold. Businesses should clearly display an easy way for consumers to exercise this right. That is done by implementing a "Do Not Sell My Personal Information" page.


In this post, we'll discuss the CCPA requirements for the "Do Not Sell" page, how to create one, and tips for ongoing compliance.


Understanding the CCPA

The CCPA grants California consumers the right to direct a business that sells their personal information to stop selling it. This empowers people to decide if they are comfortable with how a company uses its data.


What Constitutes "Selling" Personal Information?

The CCPA has a broad definition of selling. It includes renting, releasing, disclosing, disseminating, or transferring personal information for monetary value. For example, many companies sell data to advertising networks for targeted ads.

Other sites monetize consumer data by sharing it with data brokers. These activities would be considered "selling personal information" under the CCPA even though no direct sale takes place.


Which Businesses Must Comply?

The law applies to any for-profit company in California that collects consumers' personal information and meets certain thresholds. The companies in question must have gross revenue of over $25 million, buy or share info on 50,000+ people, or make 50%+ of revenue from selling consumer data.

Non-profit organizations and government institutions are exempt.


Creating Your Compliant "Do Not Sell" Page

To uphold the CCPA's right to opt-out, businesses must have a clear and conspicuous "Do Not Sell My Personal Information" link on their website that enables users to submit a request.

Businesses can use template generators or create their custom "Do Not Sell" page. The key is to include all required components clearly and conspicuously.


Explaining the Right to Opt-Out

An effective "Do Not Sell" page will begin by explaining the CCPA provides consumers with the right to direct a business to stop selling their personal information. This context helps users make an informed decision about whether to exercise their opt-out rights.

Take it a step further by allowing consumers to opt out of specific categories of personal information, such as their geolocation, biometric data, browsing history, or demographic info. This makes the process more transparent by revealing what kinds of data you collect while enabling more user control.


Enabling Users to Opt-Out

At a minimum, businesses must have two methods of opting. The most popular is an online web form where users can submit 'do not sell' requests. It's also a good idea to provide an easy method like email or toll-free number.

Note that users should not have to make an account to opt-out. Keep it simple and accessible.


Confirming and Verifying Requests

Upon receiving do not sell requests, send users an immediate confirmation that you have received their submission and will process it. However, the CCPA strictly prohibits asking consumers to provide additional verification like government IDs or account numbers.

Of course, you should document all requests in your records and track how each is addressed. This supports compliance and your ability to demonstrate adherence to the regulations.


Displaying Your "Do Not Sell" Page

To make it easy for consumers to exercise their right to opt out, the links to your page must be placed on your website and noticeable at first glance. Some key areas to display compliance links include:

●     Website Footer: Many sites place legal and informational links in the footer. Put your "Do Not Sell" link here.

●     Cookie Notice Banner: If you have a cookie notice banner, include the link so users see it when first visiting.

●     Privacy Policy Page: Your privacy policy is where users expect to find data practices. Add the opt-out link here for increased efficiency.

●     Mobile App Stores: For apps, place the link on your app's page in the app store.


Ensuring Ongoing Compliance

Creating a compliant "Do Not Sell" page is not a set-it-and-forget-it exercise. You must monitor your practices and user response on an ongoing basis. Keep detailed records of all opt-out requests received and how they were handled.

The CCPA mandates businesses must respond to verifiable consumer requests within 45 days. Strive to complete opt-out requests faster, ideally within 15 business days. Also, you must honor users' preferences for at least 12 months before asking them to opt-in to sales again.


The Importance of "Do Not Sell" Compliance

The "Do Not Sell" page upholds a key CCPA consumer right. It also minimizes a company's risk of violations, lawsuits, and reputational damage. Most importantly, it shows a commitment to transparent data practices and user privacy. Building trust through ethical data handling is smart business.

The CCPA has real consequences for non-compliance, including fines and penalties. But more broadly, failing to honor your users' privacy erodes their trust. By fully meeting the CCPA's requirements, you demonstrate that you take your duty of care seriously.

 

You Might Also Be Interested In