The CCPA Do Not Sell Requirement
Under the CCPA and CPRA, there’s a stipulation called the ‘Do not sell rule’ or ‘Do not sell requirement’. This stipulation gives people the right to opt out of the sale of their data and information.
This stipulation requires every website under CCPA or CPRA to have a location for people to opt out. If you’re not sure exactly what this requirement means or needs to include, we’re here to help. We’ll go over the details, including what the provision states, what ‘sell’ means in this context, who needs to comply, and what it means to comply.
What is the ‘Do Not Sell’ rule?
The ‘do not sell rule’ or the ‘do not sell requirement’ is a stipulation of the CCPA that gives people the right to opt out of the sale of personal data. In particular, any organization conducting business in California must provide a page for people to opt out of their information being sold.
This page is known as the ‘Do not sell my information’ page. If a business sells consumer data in any way, this page must be easily accessible on the website. Usually, the link is set at the bottom of the page, where all the other links for the website can be found.
There are specific requirements for meeting the Do not sell rule.
Some of these requirements include the following:
- The company must notify people if their data is being sold and that they can opt out
- The Do Not Sell My Information link should be visible on the website
- People should be able to opt out without having to make an account on the website
- The company must opt out the individual for at least 12 months
- If the company wants to opt the consumer back in to the sale of their information, it must request permission again
- Websites must have a privacy policy on their page that informs users of their data rights
What are the requirements for a compliant "Do Not Sell" page?
A Do Not Sell page alone isn’t enough to comply with the Do Not Sell rule. A company needs to follow the guidelines set out by the CCPA for what counts as a compliant Do Not Sell page.
Some of the guidelines required on the page include the following:
- An explanation of the right to opt out: The CCPA requires a Do Not Sell page to clearly explain to the individual that they have the right to opt out of the sale of their information. This explanation should be located at the top of the page. It should explain why they can opt out if they’d like and the steps they need to follow. In this explanation, you can include the types of personal information they can choose to opt out of. This gives consumers a clearer understanding of what types of data can be sold if they decide not to opt out.
- An opt-out form: This form is found on a Do Not Sell page and shows people what information is needed to opt out of the sale of their data. The form must request enough information to identify the person and remove them from a company’s data-selling databases. This form shouldn’t request any new data on the individual.
- Multiple opt-out methods: The CCPA requires a Do Not Sell page to provide at least two ways for a consumer to opt out. The page with the form can count as one of your opt-out methods. Other opt-out methods include calling the company’s phone number, sending an email to the business, or filing a physical form that’s submitted via mail or in person.
What Does "Sell" Mean?
It’s essential to properly understand what the CCPA means by selling consumer data. Under the CCPA, the terms ‘sell, sale, or sold’ mean selling, releasing, disseminating, transferring, and communicating, orally or in writing, a customer’s personal information.
Notably, it relates to providing an individual's personal information to another company or third party for ‘monetary or other valuable consideration’. This can apply to any act of sharing personal information with a third party for any exchange of value.
However, there are some exceptions to selling customer data. These exceptions include sharing data under the individual’s instructions, for business purposes with a different provider, to tell a third party that the individual has opted out, or during a merger or acquisition.
What are the requirements for the “do not sell my personal information” link?
The law specifies several requirements concerning what a business’s ‘Do Not Sell My Personal Information’ link should look like.
This link should be ‘clear and conspicuous.’ It must be clearly visible on a company’s homepage.
The CCPA doesn’t define exactly what ‘clear and conspicuous’ means, but companies should usually consider the following when adding a ‘Do Not Sell My Personal Information’ link to their website:
- The link should be clearly and immediately visible on the first page that a website visitor lands on. It shouldn’t be hidden or buried under sub-pages.
- The link should appear different from other links on the page. For example, it could use a larger font or a different color.
The key to proper and effective compliance with the CCPA’s ‘Do Not Sell My Personal Information’ requirement is the level of clarity provided by the company.
Websites are often cluttered with information about various topics. This is particularly true of homepages, which typically include some type of ‘directory’ of links allowing the consumer to access various pages, including product information and information about the business.
However, companies must ensure that they provide clear notice of the ‘Do Not Sell My Personal Information’ link. The more evident and apparent the link is, the better you protect your business from hefty fines and lawsuits under the CCPA.