What Does 'Do Not Sell or Share My Personal Information' Mean in CCPA?

The “Do Not Sell or Share My Personal Information” requirement under the CCPA and CPRA has become a critical aspect of consumer privacy rights, but it’s also a significant challenge for many businesses. This provision empowers California residents to opt out of the sale or sharing of their personal data, placing a spotlight on how businesses handle consumer information.

In this article, we’ll explain exactly what “Do Not Sell or Share My Personal Information” means, why it matters for compliance, and how businesses can navigate these complex requirements effectively—saving time and avoiding costly mistakes.

This involves significant effort in updating websites, training staff, and ensuring all personal data handling practices are in line with CCPA regulations.

Clym offers a solution to this by providing a compliance management tool (CMP) that simplifies the management of consumer data requests and ensures that businesses can easily adhere to the regulations. 

The California Consumer Privacy Act (CCPA), one of the strictest privacy laws in existence, requires businesses who operate in or work with customers in California to become compliant with a series of data privacy requirements. With the coming into effect of the California Privacy Rights Act, or CPRA, these requirements have suffered further development in the form of extra consumer privacy rights. We have discussed the changes to California’s data privacy landscape that the CPRA brought in a related blog post.  

Among these, there is one CCPA requirement that can turn out to be particularly challenging to businesses that sell personal information. This requirement revolves around the way businesses have to process Do Not Sell or Share My Personal Information requests (or opt-out requests). 

In this article we take a look at what these requests are and what they mean for your organization, as well as how Clym helps businesses with their CCPA/CPRA compliance.

What does "Do Not Sell or Share My Personal Information" mean?

The phrase "Do Not Sell or Share My Personal Information" allows California residents to opt-out of having their personal data sold or shared by a business. This right is a fundamental part of the CCPA and CPRA, emphasizing consumer control over personal information.

The CCPA provides several rights to California residents, including the right to opt-out of the sale and sharing of personal information collected by a business. In essence, California residents have the right to tell companies to stop selling their personal information.

‍In order to achieve CCPA compliance, if your company sells and shares personal information and does not qualify for an exemption for the opt-out right, it must implement certain protocols, such as:

• Providing notice to consumers that it sells and shares their personal information to third parties and that consumers can opt-out of such selling and/or sharing.
• Including a “Do Not Sell or Share My Personal Information” link on the homepage and every other page that collects personal information, which takes consumers to a web page where they can exercise the right to opt-out of the sale and sharing of their personal information. Companies cannot require that users create an account prior to submitting opt-out requests.
• Informing consumers of their opt-out rights and providing the Do Not Sell or Share link in the online privacy policy or any other California-specific description of rights.
• Once a Do Not Sell or Share request is obtained, the company must not sell or share that consumer’s information for at least 12 months. After this period of time the company can sell or share the information provided they first obtain consent from the consumer authorizing the sale or sharing of personal information.
• The company is responsible for training staff responsible for handling customer rights inquiries and processing consumer rights requests.

Simple, right?

Maybe not.

In order to comply with the regulation, your company must know exactly what personal information it collects, sells, and shares, knowing what information belongs to which consumer, navigating and targeting information that may be housed in multiple systems, and having a system in place to process opt-out requests.

What is the difference between "Do Not Sell My Personal Information" vs "Do Not Sell or Share My Personal Information" in CCPA?

Originally, the CCPA included the "Do Not Sell My Personal Information" provision. The CPRA expanded this to "Do Not Sell or Share My Personal Information," broadening the scope to include the sharing of personal information for cross-context behavioral advertising, not just its sale. 

So in the context of the California Consumer Privacy Act (CCPA), both "Do Not Sell My Personal Information" and "Do Not Sell or Share My Personal Information" are expressions used to convey a consumer's choice regarding the use of their personal information. When it went into effect back in 2020, the CCPA required businesses to allow consumers to opt-out of the sale of their personal information by following the steps outlined above. With the expansion brought on by the CPRA, which went into effect on January 1, 2023, this opt-out consumer right now extends also to the sharing of personal information. 

Prior to 2023 businesses already using Clym’s compliance solution were able to display the “Do Not Sell My Personal Information” link in the footer of their website. This link has been automatically updated in line with the development of the CCPA to now display as "Do Not Sell or Share My Personal Information," facilitating businesses’ compliance with California’s consumer privacy law.

What is Personal Information Under the CCPA?

Under the CCPA, personal information encompasses data that identifies, relates to, describes, or could be linked with a specific consumer or household. This broad definition includes identifiers like IP addresses, browsing history, and geolocation data, among others. 

The CCPA’s definition of ‘personal information’ is as follows: 

“Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

(B) Any personal information described in subdivision (e) of Section 1798.80.

(C) Characteristics of protected classifications under California or federal law.

(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

(E) Biometric information.

(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement.

(G) Geolocation data.

(H) Audio, electronic, visual, thermal, olfactory, or similar information.

(I) Professional or employment-related information.

(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).

(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

(L) Sensitive personal information.

(2) “Personal information” does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern. For purposes of this paragraph, “publicly available” means: information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.

(3) “Personal information” does not include consumer information that is deidentified or aggregate consumer information.

What are the requirements of the “Do Not Sell or Share My Personal Information?

Businesses must provide a clear and conspicuous link titled “Do Not Sell or Share My Personal Information” on their website's homepage, allowing consumers to opt-out of the sale or sharing of their personal information.

By using Clym your customers are able to submit their “Do Not Sell or Share My Personal Information” requests with ease. This process is fully automated meaning that our system will send customers a verification email and can recognize if they're in the scope of submitting such a request. What this means for your company is that once such a request has been submitted and verified, you can then easily manage the opt-out requests in one place. Moreover, our system will ensure that you don’t miss any deadlines for handling these requests by sending you a series of email notifications ahead of time to facilitate your compliance with the CCPA. 

CCPA Compliance Checklist

Here is a checklist to facilitate compliance for your business with the California Consumer Privacy Act: 

What is the process for handling a "Do Not Sell or Share My Personal Information" Request?

Handling a “Do Not Sell or Share My Personal Information” request under the CCPA/CPRA requires a systematic approach to meet compliance requirements and maintain consumer trust. The process involves the following steps:

• Verify the Request: Confirm the identity of the individual making the request to validate that they are the subject of the personal information in question.

• Acknowledge the Request: Promptly notify the consumer that their request has been received and is being processed.

• Evaluate the Request: Determine if the request falls within the scope of the CCPA/CPRA. Verify whether your business sells or shares the individual’s personal information.
• Implement the Request: If applicable, stop selling or sharing the consumer’s personal data immediately.
• Update internal systems and notify third parties to cease processing the data accordingly.
• Meet Compliance Deadlines: Respond to verified requests within 45 days of receipt. If more time is required, you may extend the period by another 45 days with proper notification to the consumer.
• Confirm Compliance: Communicate with the consumer once the request has been fulfilled to confirm that their personal information is no longer being sold or shared.
• Maintain Records: Retain detailed records of requests and responses for at least 24 months to support audits and demonstrate compliance.

What is a typical example for the implementation of the Do Not Sell or Share My Personal Information?

A typical implementation of the “Do Not Sell or Share My Personal Information” requirement includes a clearly visible, user-friendly link on your company’s website. This link, often placed in the footer, header, or privacy-related pages, directs users to an opt-out page where they can easily request that their personal data not be sold or shared.

Key Features of a Proper Implementation:

• Accessibility: The link, labeled as “Do Not Sell or Share My Personal Information,” must be easy for users to locate on relevant pages.
• Ease of Use: The opt-out page should offer a simple and intuitive process for users to submit their requests without requiring them to create an account.
• Transparency: Provide clear explanations of:

- What “selling” or “sharing” personal data means.

- The types of data collected and how it is used or shared.

- The impact of opting out.

Best Practices:

• Include an FAQ section to answer common questions about data privacy and opt-out rights.
• Use straightforward, accessible language to build trust and encourage consumer confidence.

Clym supports your compliance needs by helping your business implement a “Do Not Sell or Share My Personal Information” link in key locations, such as the footer of your website. This link allows California residents to submit opt-out requests quickly and easily, helping your business meet CCPA/CPRA requirements and demonstrate your commitment to consumer privacy.

Does My Company Need to Comply with the CCPA’s “Do Not Sell” Requirements?

If your business operates in California and meets specific criteria, compliance with the CCPA’s “Do Not Sell My Personal Information” requirements is mandatory. Even if your company is not physically located in California, you must comply if you collect and sell the personal information of California residents.

Your company is subject to the CCPA if it meets any of the following criteria:

• Annual Revenue: Generates over $25 million in gross revenue.
• Data Volume: Collects personal information from more than 50,000 California residents, households, or devices annually.
• Revenue Source: Derives 50% or more of its annual revenue from selling California residents’ personal data.

If your company qualifies, you must implement processes to comply with the “Do Not Sell My Personal Information” rule, including offering consumers a clear opt-out option.

Need Help?

Clym’s privacy experts can guide you through CCPA compliance and create tailored solutions to meet your business’s unique needs. If you’re unsure whether your business falls under the scope of the CCPA, contact us today to get started.

What does Selling or Sharing Personal Data mean according to CCPA / CPRA?

In order to determine whether you qualify as a business that sells or shares personal data, you should first understand how the CCPA defines the sale and the sharing of personal data. That being said, the CCPA does not define “selling” in a traditional sense. According to the CCPA, selling is:

“selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

Moving on to “sharing,” the CCPA defines this as:

“sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”

Most likely your next question will be: What does valuable consideration mean? 

That is a great question! 

This concept is a bit vague and likely will be subject to debate as enforcement of the CCPA expands.  The International Association of Privacy Professionals has a good summary on the topic of valuable consideration under the CCPA.

In the context of the California Consumer Privacy Act (CCPA), "valuable consideration" refers to the exchange of something of value between a business and a consumer. Specifically, under the CCPA, the term is associated with the "sale" or of “sharing” of personal information.

Valuable consideration in this context then refers not only to monetary transactions but also to any exchange of goods, services, discounts, or other benefits that have value. Therefore, if your business receives any form of compensation or benefit in exchange for sharing or disclosing a consumer's personal information, this is considered a sale or a sharing of personal information under the CCPA, and the consumer has the right to opt-out of such transactions.

How can your company comply with the CCPA’s Do Not Sell or Share My Personal Information rule?

Complying with the CCPA’s “Do Not Sell My Personal Information” rule involves several key steps to ensure legal adherence and build trust with your consumers:

1. Understand Your Data: Identify what personal data your company collects and determine whether it is categorized as “selling” or “sharing” under the CCPA and CPRA.
2. Provide an Opt-Out Option: Add a clearly visible “Do Not Sell or Share My Personal Information” link on your website’s homepage and data collection pages, allowing users to easily opt out.
3. Simplify the Process: Ensure the opt-out process is user-friendly and does not require account creation.
4. Update Your Privacy Policy: Clearly explain opt-out rights and provide direct links in your privacy policy.
5. Train Your Staff: Equip your team with the knowledge to handle consumer opt-out requests efficiently and in compliance with the law.
6. Keep Accurate Records: Maintain detailed records of opt-out requests for compliance audits and reporting purposes.

Complying with the “Do Not Sell My Personal Information” rule not only fulfills regulatory requirements but also showcases your commitment to protecting consumer privacy.

Where Should You Place the “Do Not Sell My Personal Information” Link?

• Homepage: Prominently display the link so users can find it without searching.
• Website Footer: Include it in the footer of every page for consistent visibility.
• Privacy Policy: Provide the link within your privacy policy alongside an explanation of opt-out rights.

The goal is to ensure consumers can quickly and effortlessly exercise their rights without any barriers.

What If My Business Needs to Sell Personal Information?

If your business relies on selling personal information—for instance, through ad-supported revenue models—it’s crucial to comply with the CCPA while maintaining consumer trust. To do this effectively:

1. Be Transparent: Clearly explain what personal data you sell, who it is sold to, and why. Transparency builds consumer confidence and may reduce opt-out requests.
2. Inform Consumers: Include detailed disclosures in your privacy policy about your data-selling practices. Use plain language to make it accessible to all audiences.
3. Provide Opt-Out Options: Even if selling data is essential to your business, ensure consumers can easily opt-out by using a visible “Do Not Sell My Personal Information” link.
4. Respect Preferences: Honor opt-out requests promptly and avoid creating barriers that discourage consumers from exercising their rights.

By demonstrating openness and respecting consumer choices, you can balance legal compliance with sustaining your revenue streams.