Blog

The CCPA Do Not Sell Requirement

HIPAA
February 2, 2023
Learn about the CCPA Do Not Sell requirement, what it means for businesses, how to create a compliant opt-out page, and key steps for data privacy compliance under California law.

The CCPA Do Not Sell Requirement

Under the CCPA and CPRA, there’s a stipulation called the ‘Do not sell rule’ or ‘Do not sell requirement’. This stipulation gives people the right to opt out of the sale of their data and information.

This stipulation requires every website under CCPA or CPRA to have a location for people to opt out. If you’re not sure exactly what this requirement means or needs to include, we’re here to help. We’ll go over the details, including what the provision states, what ‘sell’ means in this context, who needs to comply, and what it means to comply.

What is the ‘Do Not Sell’ rule?

The ‘do not sell rule’ or the ‘do not sell requirement’ is a stipulation of the CCPA that gives people the right to opt out of the sale of personal data. Any organization conducting business in California, in particular, must provide a page for people to opt out of their information being sold.

This page is known as the ‘Do not sell my information' page. If a business sells consumer data in any way, this page must be easily accessible on the website. Usually, the link is set at the bottom of the page, where all the other links for the website can be found.

There are specific requirements made to meet the Do not sell rule. 

Some of these requirements include the following:

  • The company must notify people if their data is being sold and that they can opt-out
  • The Do Not Sell My Information link should be visible on the website
  • People should be able to opt-out without having to make an account on the website
  • The company must opt out the individual for at least 12 months.
  • If they want to opt-in the consumer to sell their information, they must request permission again
  • Websites must have a privacy policy on their page that informs users of their data rights

What are the requirements for a compliant "Do Not Sell" page? 

A Do Not Sell page isn’t enough to comply with the Do Not Sell rule. A company needs to follow the guidelines set out by the CCPA for what counts as a compliant Do Not Sell page.

Some of the guidelines required on the page include the following:

  • An explanation of the right to opt-out: The CCPA requires a Do Not Sell page to clearly explain to the individual that they have the right to opt out of selling their information. This explanation should be located at the top of the page. It should explain why they can opt out if they’d like and the steps they need to follow. In this explanation, you can include the types of personal information they can choose to opt-out from. This gives consumers a clearer understanding of what types of data can be sold if they decide not to opt out.
  • An opt-out form: This form is found on a Do Not Sell Page and allows people to have a better understanding of what information is needed for people to opt out of their data being sold. The form must request enough information to identify the person and remove them from a company’s data-selling databases. This form shouldn’t request any new data on the individual.
  • Multiple opt-out methods: The CCPA requires a Do Not Sell page to provide at least two ways for a consumer to opt-out. The page with the form can count as one of your opt-out methods. Other opt-out methods include calling the company’s phone number, sending an email to the business, or filing a physical form that’s submitted via mail or in person.

What Does "Sell" Mean?

It’s essential to properly understand what the CCPA means by selling consumer data. Under the CCPA, the terms ‘sell, sale, or sold’ mean selling, releasing, disseminating, transferring, and communicating orally or in writing pertaining to a customer’s personal information.

Notably, it relates to providing an individual's personal information to another company or third party for ‘monetary or other valuable consideration’. This can apply to any act of sharing personal information with a third party for any exchange of value.

However, there are some exceptions to selling customer data. These exceptions include, under the individual’s instructions, for business purposes with a different provider or to tell a third party that the individual has opted out or during a merger or acquisition.

What are the requirements for the “do not sell my personal information” link?

The law specifies several requirements concerning what a business’s ‘Do Not Sell My Personal Information’ link should look like.

This link should be ‘clear and conspicuous.’ It must be clearly visible on a company’s homepage.

The CCPA doesn’t define exactly what ‘clear and conspicuous’ means, but companies should usually consider the following when adding a ‘Do Not Sell My Personal Information’ link to their website:

  • The link should be clearly and immediately visible on the first page that a website browser lands on. It shouldn’t be hidden or buried under sub-pages.
  • The link should appear different from other links on the page. For example, it could use a larger font or a different color. 

The key to proper and effective compliance with the CCPA’s ‘Do Not Sell My Personal Information’ requirement is the level of clarity provided by the company.

Websites are often full and cluttered with information about various topics. This is particularly true with homepages which typically include some type of ‘directory’ including links allowing the consumer to access various pages, including product information and information about the business.

However, companies must ensure that they provide clear notice of the ‘Do Not Sell My Personal Information’ link. The more evident and apparent the link is, the better protection you give your business to avoid hefty fines and lawsuits under the CCPA.

More from the Blog

Why was the CCPA Introduced?
Privacy Compliance

Why was the CCPA Introduced?

Why is Personal Data Valuable?
Privacy Compliance

Why is Personal Data Valuable?

What is Personal Information Under the CPRA?
Privacy Compliance

What is Personal Information Under the CPRA?

What is Personal Data under the GDPR?
HIPAA

What is Personal Data under the GDPR?

The Truth about Data Security
Data Security

The Truth about Data Security

What is a HIPAA Lawyer?
HIPAA

What is a HIPAA Lawyer?

What Is a Data Processor?
HIPAA

What Is a Data Processor?

What is a Data Controller?
HIPAA

What is a Data Controller?

Compliance Managment Full Hexagon logo

Expert compliance support, on-demand

Accountable Compliance Success Managers are dedicated to making sure your company is fully compliant as we guide you step-by-step through the process of achieving HIPAA compliance.
chevron left
Expert guidance
chevron left
Build trust
chevron left
Dedicated Compliance Success Managers
chevron left
HIPAA Training
chevron left
Decrease risk
chevron left
Close more deals
Get Started Free
Talk To An Expert
schedule accountable demo
Accountable Compliance Management Logo

We make it easy to get your own HIPAA Certification and build trust with your customers and patients.

Product
PlaybooksHow it worksProductPricingWatch DemoSeal of Compliance
Solutions
HIPAA Compliance SolutionGDPR
Resources
BlogHIPAA TrainingHIPAA Risk AnalysisGDPR Risk Analysis
Company
AboutCareersSupportContact UsPrivacy CenterProduct Updates
Account
Sign InForgot Password
star iconstar iconstar iconstar iconstar icon

"Accountable allowed us to quickly establish Core Compliance with HIPAA as well as a firm foundation for our Security Program." - Michael H.

© 2024 Accountable HQ, Inc.
Terms of ServicePrivacy Policy