The “Do Not Sell My Personal Information” notice is a key requirement of the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA). This notice empowers consumers to opt out of the sale of their personal information, providing them with greater control over their data.
This article will explore the meaning of this notice, how businesses can comply with the requirements, and the broader implications of data privacy laws in the United States.
“Do Not Sell My Personal Information” refers to a notice designed to inform consumers of their right to opt out of the sale of their personal data. Under the CCPA and CPRA, a “sale” is broadly defined and includes any exchange of personal information for valuable consideration, not just monetary transactions.
The CCPA’s definition of sale is quite broad. It covers not only exchanges for money but any sharing of the user’s personal information that could benefit the business. The CCPA calls this valuable consideration.
The concept of sale is important because it is the basis of the consumer’s right to opt out: a consumer has the right, at any time, to tell a business that sells their personal information to third parties that it must stop.
The “Do Not Sell My Personal Information” notice is the practical application of the right to opt out.
Under CCPA/CPRA, you don’t need to ask consumers to opt in before you start collecting and selling their data (though there are some exceptions), but you do need to provide an easily accessible way to opt out.
That is the “Do Not Sell My Personal Information” (“DNSMPI”) link.
If a business receives a “Do Not Sell” request from a consumer, it can no longer sell the consumer’s personal information unless the consumer opts in again by providing express authorization.
For their part, businesses may only ask for a consumer’s authorization one more time, and only 12 months after the consumer has opted out.
If you qualify as a business*, to comply with CCPA’s DNSMPI and opt-out requirements, you need to, at a minimum:
Under the CCPA/CPRA, a business is a for-profit organization that meets at least one of the following criteria:
Let’s take a look at real-life examples of a DNSMPI notice.
Here is an example of our Do Not Sell My Personal Information link in the footer of Litter.robot.com. It is a simple link that redirects users to the request.
On the other hand, the Walt Disney Company website has an entire page dedicated to the Do Not Sell My Personal Information link, where they explain the nature of the request and have a link to the opt-out form.
Businesses subject to the “Do Not Sell or Share My Personal Information” requirement must inform consumers about the sale or sharing of their personal data through their privacy policy and a specific notice of sale. They are also required to provide a visible “Do Not Sell My Personal Information” link on their website, typically on the homepage and within the privacy policy, which directs users to a page where they can easily opt out. Once a consumer opts out, the business must promptly honor that request and ensure the consumer’s personal information is no longer sold or shared.
Yes, you have the right to opt out of the sale of your personal information by using the “Do Not Sell My Personal Information” link that businesses are required to provide. This link is usually found on their website’s homepage or within their privacy policy, allowing you to easily exercise your choice to prevent your data from being sold.
The CPRA builds upon the CCPA by enhancing consumer protections and imposing stricter rules on how businesses handle personal data. It gives consumers the right not only to opt out of the sale of their personal information but also to limit the sharing of their personal data, providing stronger control over how their information is used and disclosed.
iubenda’s set of solutions can help you comply with CCPA in minutes!
✅ Display CCPA-related language, disclosures, and instructions as legally required;
✅ Indicate services active on your site which might constitute a sale; and
✅ Automatically update your embedded privacy policy with the CCPA text once activated within the generator.
More specifically, it allows you to:
✅ Display a CCPA notice of collection.
✅ Display a “Do Not Sell My Personal Information” link within the collection notice, and add the link to your site for easy user access.
✅ Align with the CCPA Compliance Framework by IAB (Interactive Advertising Bureau), which establishes a process for publishers and their partners to comply with new regulations regarding the sale of consumer data to technology companies.
✅ Block scripts that do not adhere to the IAB CCPA Compliance Framework.