Under the CCPA and CPRA, there’s a stipulation called the ‘Do not sell rule’ or ‘Do not sell requirement’. This stipulation gives people the right to opt out of the sale of their data and information.
This stipulation requires every website under CCPA or CPRA to have a location for people to opt out. If you’re not sure exactly what this requirement means or needs to include, we’re here to help. We’ll go over the details, including what the provision states, what ‘sell’ means in this context, who needs to comply, and what it means to comply.
The ‘do not sell rule’ or the ‘do not sell requirement’ is a stipulation of the CCPA that gives people the right to opt out of the sale of personal data. Any organization conducting business in California, in particular, must provide a page for people to opt out of their information being sold.
This page is known as the ‘Do not sell my information' page. If a business sells consumer data in any way, this page must be easily accessible on the website. Usually, the link is set at the bottom of the page, where all the other links for the website can be found.
There are specific requirements made to meet the Do not sell rule.
Some of these requirements include the following:
A Do Not Sell page isn’t enough to comply with the Do Not Sell rule. A company needs to follow the guidelines set out by the CCPA for what counts as a compliant Do Not Sell page.
Some of the guidelines required on the page include the following:
It’s essential to properly understand what the CCPA means by selling consumer data. Under the CCPA, the terms ‘sell, sale, or sold’ mean selling, releasing, disseminating, transferring, and communicating orally or in writing pertaining to a customer’s personal information.
Notably, it relates to providing an individual's personal information to another company or third party for ‘monetary or other valuable consideration’. This can apply to any act of sharing personal information with a third party for any exchange of value.
However, there are some exceptions to selling customer data. These exceptions include, under the individual’s instructions, for business purposes with a different provider or to tell a third party that the individual has opted out or during a merger or acquisition.
The law specifies several requirements concerning what a business’s ‘Do Not Sell My Personal Information’ link should look like.
This link should be ‘clear and conspicuous.’ It must be clearly visible on a company’s homepage.
The CCPA doesn’t define exactly what ‘clear and conspicuous’ means, but companies should usually consider the following when adding a ‘Do Not Sell My Personal Information’ link to their website:
The key to proper and effective compliance with the CCPA’s ‘Do Not Sell My Personal Information’ requirement is the level of clarity provided by the company.
Websites are often full and cluttered with information about various topics. This is particularly true with homepages which typically include some type of ‘directory’ including links allowing the consumer to access various pages, including product information and information about the business.
However, companies must ensure that they provide clear notice of the ‘Do Not Sell My Personal Information’ link. The more evident and apparent the link is, the better protection you give your business to avoid hefty fines and lawsuits under the CCPA.