All-in-one Risk Management Platform

The CCPA Do Not Sell Requirement

One piece of CCPA and CPRA Compliance that is key is fulfilling the "do not sell" requirement. In this piece we'll outline all the details you need to ensure your compliance with this key piece.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Join thousands of companies who build trust with Accountable.

The CCPA Do Not Sell Requirement

Under the CCPA and CPRA, there’s a stipulation called the ‘Do not sell rule’ or ‘Do not sell requirement’. This stipulation gives people the right to opt out of the sale of their data and information.

This stipulation requires every website under CCPA or CPRA to have a location for people to opt out. If you’re not sure exactly what this requirement means or needs to include, we’re here to help. We’ll go over the details, including what the provision states, what ‘sell’ means in this context, who needs to comply, and what it means to comply.

What is the ‘Do Not Sell’ rule?

The ‘do not sell rule’ or the ‘do not sell requirement’ is a stipulation of the CCPA that gives people the right to opt out of the sale of personal data. Any organization conducting business in California, in particular, must provide a page for people to opt out of their information being sold.

This page is known as the ‘Do not sell my information' page. If a business sells consumer data in any way, this page must be easily accessible on the website. Usually, the link is set at the bottom of the page, where all the other links for the website can be found.

There are specific requirements made to meet the Do not sell rule. 

Some of these requirements include the following:

  • The company must notify people if their data is being sold and that they can opt-out
  • The Do Not Sell My Information link should be visible on the website
  • People should be able to opt-out without having to make an account on the website
  • The company must opt out the individual for at least 12 months.
  • If they want to opt-in the consumer to sell their information, they must request permission again
  • Websites must have a privacy policy on their page that informs users of their data rights

What are the requirements for a compliant "Do Not Sell" page? 

A Do Not Sell page isn’t enough to comply with the Do Not Sell rule. A company needs to follow the guidelines set out by the CCPA for what counts as a compliant Do Not Sell page.

Some of the guidelines required on the page include the following:

  • An explanation of the right to opt-out: The CCPA requires a Do Not Sell page to clearly explain to the individual that they have the right to opt out of selling their information. This explanation should be located at the top of the page. It should explain why they can opt out if they’d like and the steps they need to follow. In this explanation, you can include the types of personal information they can choose to opt-out from. This gives consumers a clearer understanding of what types of data can be sold if they decide not to opt out.
  • An opt-out form: This form is found on a Do Not Sell Page and allows people to have a better understanding of what information is needed for people to opt out of their data being sold. The form must request enough information to identify the person and remove them from a company’s data-selling databases. This form shouldn’t request any new data on the individual.
  • Multiple opt-out methods: The CCPA requires a Do Not Sell page to provide at least two ways for a consumer to opt-out. The page with the form can count as one of your opt-out methods. Other opt-out methods include calling the company’s phone number, sending an email to the business, or filing a physical form that’s submitted via mail or in person.
“Saved our business.”
"Easy to use!"
"Accountable is a no brainer."

Get started with Accountable today.

The modern platform to manage risk and build trust across privacy, security, and compliance.
Get Started Today
Join over 17,000 companies who trust Accountable.

What Does "Sell" Mean?

It’s essential to properly understand what the CCPA means by selling consumer data. Under the CCPA, the terms ‘sell, sale, or sold’ mean selling, releasing, disseminating, transferring, and communicating orally or in writing pertaining to a customer’s personal information.

Notably, it relates to providing an individual's personal information to another company or third party for ‘monetary or other valuable consideration’. This can apply to any act of sharing personal information with a third party for any exchange of value.

However, there are some exceptions to selling customer data. These exceptions include, under the individual’s instructions, for business purposes with a different provider or to tell a third party that the individual has opted out or during a merger or acquisition.

What are the requirements for the “do not sell my personal information” link?

The law specifies several requirements concerning what a business’s ‘Do Not Sell My Personal Information’ link should look like.

This link should be ‘clear and conspicuous.’ It must be clearly visible on a company’s homepage.

The CCPA doesn’t define exactly what ‘clear and conspicuous’ means, but companies should usually consider the following when adding a ‘Do Not Sell My Personal Information’ link to their website:

  • The link should be clearly and immediately visible on the first page that a website browser lands on. It shouldn’t be hidden or buried under sub-pages.
  • The link should appear different from other links on the page. For example, it could use a larger font or a different color. 

The key to proper and effective compliance with the CCPA’s ‘Do Not Sell My Personal Information’ requirement is the level of clarity provided by the company.

Websites are often full and cluttered with information about various topics. This is particularly true with homepages which typically include some type of ‘directory’ including links allowing the consumer to access various pages, including product information and information about the business.

However, companies must ensure that they provide clear notice of the ‘Do Not Sell My Personal Information’ link. The more evident and apparent the link is, the better protection you give your business to avoid hefty fines and lawsuits under the CCPA.

Like what you see?  Learn more below

One piece of CCPA and CPRA Compliance that is key is fulfilling the "do not sell" requirement. In this piece we'll outline all the details you need to ensure your compliance with this key piece.
How to Respond to a Breach or Cyberattack
CMIA (California Confidentiality of Medical Information Act)
What is a HIPAA Compliance Checklist?
Ten Common HIPAA Compliance Mistakes and Effective Strategies for Mitigation
Safeguarding Your Business: Preventing a Data Incident
What is Personal Data under the GDPR?
Streamlining the Employee Off-boarding Process
Traits and Responsibilities of a GDPR Data Controller
ISO 27001 vs HIPAA
Complying with Texas HB300
Contractors Under CCPA/CPRA
Why was the CCPA Introduced?
HIPAA IT Compliance Checklist
How to Secure Your Company's Email Communication: Best Practices and Strategies
Complying with ISO 27001: Strategies and Best Practices
GDPR Compliance for Startups
CCPA vs CPRA vs GDPR
What is Personal Information Under the CPRA?
Steps to Ensure Operational Resilience
The CCPA Do Not Sell Requirement
Am I a Data Controller or Data Processor?
Service Providers Under CCPA/CPRA
Why Security Does Not Equal Data Privacy
What Does PHI Stand For?
Common GDPR Compliance Mistakes & Pain Points
"Likely to Result in Risk" Under GDPR
HIPAA vs. GLBA
Key Elements of a Data Processing Agreement
What Is a Data Processor?
What is a Business Associate Subcontractor?
What You Need To Know About Browser Cookies
How Long Should You Retain Personal Data?
Operational Risk Management
ADPPA Preview
What is a Data Controller?
Data Protection Impact Assessments (DPIAs)
The Importance of Monitoring External Data Breaches
GDPR vs. HIPAA
Fraud Risk Factors
Security Awareness Training
5 Steps to Creating a Vendor Management Process
The 18 PHI Identifiers
Notice of Privacy Practices under HIPAA
Data Subject Access Requests
What is a HIPAA Lawyer?
What You Need to Know About Data Encryption
ISO 27001
Types of Financial Risk
SOC 2 Compliance Mistakes
Data Disaster Recovery Plan
The Truth about Data Security
Business Continuity Plans
Security Risk Assessment Overview
How To Comply With the HIPAA Security Rule
How To Ensure GDPR Compliance
The Complete Guide to PCI Compliance
Data Governance in Healthcare
Why is Personal Data Valuable?
8 Steps To Establish a Risk Management Framework
How To Prevent a Former Employee From Becoming a Security Risk
Vendor Risk Management
4 PCI DSS Compliance Levels
The Difference Between DoS and DDoS Attacks
Internet of Things (IoT) Security
Compliance as a Competitive Advantage
SOC 2 Compliance
Opt-In vs. Opt-Out Data Rights
Five Principles of Risk Management
5 Habits of an Effective Privacy Officer
Principles of Data Governance
Data Protection Officer vs. HIPAA Privacy Officer
Personally Identifiable Information (PII)