The “Do Not Sell or Share My Personal Information” requirement under the CCPA and CPRA has become a critical aspect of consumer privacy rights, but it’s also a significant challenge for many businesses. This provision empowers California residents to opt out of the sale or sharing of their personal data, placing a spotlight on how businesses handle consumer information.
In this article, we’ll explain exactly what “Do Not Sell or Share My Personal Information” means, why it matters for compliance, and how businesses can navigate these complex requirements effectively—saving time and avoiding costly mistakes.
This involves significant effort in updating websites, training staff, and ensuring all personal data handling practices are in line with CCPA regulations.
Clym offers a solution to this by providing a compliance management tool (CMP) that simplifies the management of consumer data requests and ensures that businesses can easily adhere to the regulations.
The California Consumer Privacy Act (CCPA), one of the strictest privacy laws in existence, requires businesses that operate in or work with customers in California to comply with a series of data privacy requirements. With the coming into effect of the California Privacy Rights Act, or CPRA, these requirements were developed further in the form of extra consumer privacy rights. We have discussed the changes to California’s data privacy landscape that the CPRA brought in a related blog post.
Among these, there is one CCPA requirement that can turn out to be particularly challenging to businesses that sell personal information. This requirement revolves around the way businesses have to process Do Not Sell or Share My Personal Information requests (or opt-out requests).
In this article we take a look at what these requests are and what they mean for your organization, as well as how Clym helps businesses with their CCPA/CPRA compliance.
The phrase "Do Not Sell or Share My Personal Information" refers to the right of California residents to opt out of having their personal data sold or shared by a business. This right is a fundamental part of the CCPA and CPRA, emphasizing consumer control over personal information.
The CCPA provides several rights to California residents, including the right to opt out of the sale and sharing of personal information collected by a business. In essence, California residents have the right to tell companies to stop selling their personal information.
In order to achieve CCPA compliance, if your company sells and shares personal information and does not qualify for an exemption for the opt-out right, it must implement certain protocols, such as:
Simple, right?
Maybe not.
In order to comply with the regulation, your company must know exactly what personal information it collects, sells, and shares, know what information belongs to which consumer, be able to navigate and target information that may be housed in multiple systems, and have a system in place to process opt-out requests.
Originally, the CCPA included the "Do Not Sell My Personal Information" provision. The CPRA expanded this to "Do Not Sell or Share My Personal Information," broadening the scope to include the sharing of personal information for cross-context behavioral advertising, not just its sale.
So, in the context of the California Consumer Privacy Act (CCPA), both "Do Not Sell My Personal Information" and "Do Not Sell or Share My Personal Information" are expressions used to convey a consumer's choice regarding the use of their personal information. When it went into effect back in 2020, the CCPA required businesses to allow consumers to opt out of the sale of their personal information by following the steps outlined above. With the expansion brought on by the CPRA, which went into effect on January 1, 2023, this consumer opt-out right now also extends to the sharing of personal information.
Prior to 2023, businesses already using Clym’s compliance solution were able to display the “Do Not Sell My Personal Information” link in the footer of their website. This link has been automatically updated in line with the development of the CCPA to now display as "Do Not Sell or Share My Personal Information," facilitating businesses’ compliance with California’s consumer privacy law.
Under the CCPA, personal information encompasses data that identifies, relates to, describes, or could be linked with a specific consumer or household. This broad definition includes identifiers like IP addresses, browsing history, and geolocation data, among others.
The CCPA’s definition of ‘personal information’ is as follows:
“Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any personal information described in subdivision (e) of Section 1798.80.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
(L) Sensitive personal information.
(2) “Personal information” does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern. For purposes of this paragraph, “publicly available” means: information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.
(3) “Personal information” does not include consumer information that is deidentified or aggregate consumer information.
Businesses must provide a clear and conspicuous link titled “Do Not Sell or Share My Personal Information” on their website's homepage, allowing consumers to opt out of the sale or sharing of their personal information.
By using Clym, your customers are able to submit their “Do Not Sell or Share My Personal Information” requests with ease. This process is fully automated, meaning that our system will send customers a verification email and can recognize if they're in the scope of submitting such a request. What this means for your company is that once such a request has been submitted and verified, you can then easily manage the opt-out requests in one place. Moreover, our system will ensure that you don’t miss any deadlines for handling these requests by sending you a series of email notifications ahead of time to facilitate your compliance with the CCPA.
Here is a checklist to facilitate compliance for your business with the California Consumer Privacy Act:
Handling a “Do Not Sell or Share My Personal Information” request under the CCPA/CPRA requires a systematic approach to meet compliance requirements and maintain consumer trust. The process involves the following steps:
A typical implementation of the “Do Not Sell or Share My Personal Information” requirement includes a clearly visible, user-friendly link on your company’s website. This link, often placed in the footer, header, or privacy-related pages, directs users to an opt-out page where they can easily request that their personal data not be sold or shared.
Key Features of a Proper Implementation:
- What “selling” or “sharing” personal data means.
- The types of data collected and how it is used or shared.
- The impact of opting out.
Best Practices:
Clym supports your compliance needs by helping your business implement a “Do Not Sell or Share My Personal Information” link in key locations, such as the footer of your website. This link allows California residents to submit opt-out requests quickly and easily, helping your business meet CCPA/CPRA requirements and demonstrate your commitment to consumer privacy.
If your business operates in California and meets specific criteria, compliance with the CCPA’s “Do Not Sell My Personal Information” requirements is mandatory. Even if your company is not physically located in California, you must comply if you collect and sell the personal information of California residents.
Your company is subject to the CCPA if it meets any of the following criteria:
If your company qualifies, you must implement processes to comply with the “Do Not Sell My Personal Information” rule, including offering consumers a clear opt-out option.
Need Help?
Clym’s privacy experts can guide you through CCPA compliance and create tailored solutions to meet your business’s unique needs. If you’re unsure whether your business falls under the scope of the CCPA, contact us today to get started.
In order to determine whether you qualify as a business that sells or shares personal data, you should first understand how the CCPA defines the sale and the sharing of personal data. That being said, the CCPA does not define “selling” in a traditional sense. According to the CCPA, selling is:
“selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
Moving on to “sharing,” the CCPA defines this as:
“sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
Most likely your next question will be: What does valuable consideration mean?
That is a great question!
This concept is a bit vague and likely will be subject to debate as enforcement of the CCPA expands. The International Association of Privacy Professionals has a good summary on the topic of valuable consideration under the CCPA.
In the context of the California Consumer Privacy Act (CCPA), "valuable consideration" refers to the exchange of something of value between a business and a consumer. Specifically, under the CCPA, the term is associated with the "sale" or "sharing" of personal information.
Valuable consideration in this context then refers not only to monetary transactions but also to any exchange of goods, services, discounts, or other benefits that have value. Therefore, if your business receives any form of compensation or benefit in exchange for sharing or disclosing a consumer's personal information, this is considered a sale or a sharing of personal information under the CCPA, and the consumer has the right to opt out of such transactions.
Complying with the CCPA’s “Do Not Sell My Personal Information” rule involves several key steps to ensure legal adherence and build trust with your consumers:
Complying with the “Do Not Sell My Personal Information” rule not only fulfills regulatory requirements but also showcases your commitment to protecting consumer privacy.
The goal is to ensure consumers can quickly and effortlessly exercise their rights without any barriers.
If your business relies on selling personal information—for instance, through ad-supported revenue models—it’s crucial to comply with the CCPA while maintaining consumer trust. To do this effectively:
By demonstrating openness and respecting consumer choices, you can balance legal compliance with sustaining your revenue streams.