How to Create a “Do Not Sell My Personal Information” Page

Home
Blog
by 5 min read

Having control over one’s personal data online should already be a given. Yet, many people find it hard to track where their data goes and how their personal information is used by companies who gather their data online. To respond to this issue involving California residents, its local government passed the CCPA, also known as the California Consumer Privacy Act.

The California Consumer Privacy Act (CCPA) covers a lot of ground regarding what companies can and cannot do regarding the personal information they collect from Californian residents. One of the most important and unique sections of this act is the “Do Not Sell My Personal Information” provision. Read along to find out more about this hidden gem in CCPA.

PRO TIP: Take the hassle of writing your own privacy policy away with our privacy policy generator trusted by over 200,000 businesses. It’ll save you hours of work and possible costly legal mistakes.

What is a “Do Not Sell My Personal Information” Page?

The “Do Not Sell My Personal Information” page is part of the provision in the California Consumer Privacy Act that requires companies and businesses meeting certain requirements to allow residents of California to opt-out of sales involving their personal data.

Note that the term “sale” is defined under this law. According to CCPA, the “sale” of personal data involves:

Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

There are exceptions to this rule. It isn’t considered “selling” if the sharing of personal information is under the instructions of the consumer, for the purpose of dealing business with a service provider, informing a third party that a consumer has opted out of sharing information, or if it is part of a merger or an acquisition.

It’s vital to define the term “sale” as there are companies that may not necessarily directly gain monetarily from selling an individual’s private information but indirectly benefits from “sharing” private information to third-party businesses.

An example of this would be Facebook sharing personal information to third-party apps like Netflix and Spotify in the name of “personalization” and enhancing one’s online experience. Facebook was able to expand its data empire and operations because of its partnerships with these apps. However, the individuals involved in this “sharing” of private information is left in the dark regarding which exact parts of their information were shared and which were kept in private.

The “Do Not Sell My Personal Information”, however, does not further define what “other values involved” exactly means. If you manage or own a domain that people from California can access, it’s better to know if you are included in the type of companies required to comply with this CCPA provision.

Why do You Need a “Do Not Sell My Personal Information” Page?

The California Consumer Privacy Act details exactly which companies are required to comply with their terms. According to CCPA, companies doing business in California that meet one or more of these criteria should make sure that they comply with their regulations:

$25 million annual gross

If your company or business raises an annual revenue of at least $25 million, you would need to comply with CCPA.

Coverage of at least 50,000 Californian residents

If your business or company purchases, receives, sells, or shares for commercial purposes the personal information of at least 50,000 residents from California and/or devices, then you must abide by the regulations of CCPA.

50% of annual gross revenues are related to the sale of personal information

If your company raises at least half (or more) of your annual gross revenue from the sale of consumers’ personal information, you must comply with CCPA’s regulations.

Note that CCPA covers even businesses outside California. As long as your operation reaches Californian residents and meets any of the criteria mentioned above, you must follow the provisions in CCPA, including the “Do Not Sell My Personal Information” section.

Where Should You Display Your “Do Not Sell” Page?

Your “Do Not Sell My Personal Information” page should be accessible to your consumers in a way that is easy for them to see and reach on your website, without going through hoops or a bunch of “fine print”.

CCPA states that your “Do Not Sell My Personal Information” link must fulfill the following requirements:

  • It should appear on the landing page or download page of your application or homepage of your website.
  • It should read as either “Do Not Sell My Personal Information” or “Do Not Sell My Info”.
  • It should be clear, concise, and noticeable. That means that you must use your usual text font and the color that are in good contrast with your background.

In other words, companies should not try to hide the “Do Not Sell My Personal Information” page to prevent their consumers from easily accessing it.

Examples of “Do Not Sell My Personal Information” Pages

To give you an idea of how “Do Not Sell My Personal Information” pages usually look like, here are samples you can review:

The Atlantic

"Do Not Sell My Personal Information" clause in The Atlantic website on a white background

For their full “Do Not Sell My Personal Information” text, click here.

McDonald’s

"Do Not Sell My Personal Information" clause in McDonald's CCPA Rights page on a white background

Click here for their full CCPA Rights page.

How do I Create a “Do Not Sell My Personal Information” Page?

California’s Attorney General has proposed regulations to provide guidelines for creating and displaying the “Do Not Sell My Personal Information” page. Here are the important elements that every “Do Not Sell My Personal Information” page must contain:

The right to opt-out

Your “Do Not Sell My Personal Information” should have an explanation regarding one’s right to opt-out of the sale of their private information. Although the CCPA has not provided the exact line-by-line explanation that businesses must use to explain the right to opt-out, CCPA requires each explanation to be clear and concise.

Ideally, businesses should also list the types of information they’re gathering from their users such as their names, postal information, email address, and any other personally-identifying information for their consumers to have an idea on the types of private information they’re protecting.

An opt-out form

A “Do Not Sell My Personal Information” page should also have a web form where consumers can sign up in order to opt-out of the sale of their private information. In the opt-out form, the company must ask consumers for their basic information.

It might seem counter-productive since the consumer is providing more private details to the company to prevent their sale of such information. Still, it’s needed to verify that you are the one requesting for the opt-out clause and not other entities pretending to be you.

However, companies are still encouraged not to ask or request for new personal information other than the ones they’ve already collected from their consumers as a form of good faith.

Alternative opt-out methods

Apart from the opt-out form, the CCPA also requires most businesses to give at least one more method for submitting a request under CCPA rights, including an individual’s right to opt-out in the sale of their private information.

The form in the “Do Not Sell My Personal Information” page is already counted as one method. Other designated methods that you can look into are:

  • Form submitted via mail
  • Form submitted in person
  • Email address
  • Toll-free telephone number

You can choose which of these alternative options you can provide your consumers. It depends on how you usually communicate with them and what their usual (and preferred) method of communication is. It is important that you include these other opt-out methods in your “Do Not Sell My Personal Information” page.

Apart from these, you can also include an explanation of your business practices, such as how you conduct your business and how you use private information in your operations.

Some companies that do not sell private information also create their “Do Not Sell My Personal Information” page to let their users opt-out of the future sale of personal information if they ever change the way they operate their business.

If you own or manage a website or application that meets the criteria for complying with the rules of CCPA, you must make sure that you include a “Do Not Sell My Personal Information” page on your website or at least include it in your privacy policy page.

Above everything else, you must protect your consumers’ right to their own information and make sure to follow through with their requests if ever they opt-out on the sale of their private information. Otherwise, you might lose consumers due to bad faith and face hefty fines from the state of California.

Olivia Adams
Olivia Adams
CIPP/E, CIPM, CIPT
Olivia is an experienced data privacy compliance consultant with years of experience. Throughout her career, she helped hundreds of small to mid-size businesses with comprehensive advice on compliance with privacy laws.
PRODUCTS
RESOURCES
COMPANY
WebsitePolicies logo
Facebook
Twitter