*Note: Since the writing of this blog, CCPA has been replaced with CPRA.
Under the California Consumer Privacy Act (“CCPA”), businesses that sell personally identifiable information (“PII”) must provide a “Do Not Sell My Personal Information” link on their website. The page within the link must contain a notice of the right to opt-out of the sale of PII to third parties as well as steps consumers may take to initiate the opt-out process.
Additionally, the CCPA includes a number of requirements regarding the formatting and location of the link itself, with the ultimate goal of ensuring that consumers may opt-out of the sale of their PII to third parties with minimal difficulty.
This article will provide an overview of these requirements so that your business may effectively comply with the CCPA and avoid large fines and lawsuits. To that end, the following three topics will be discussed:
- What should a “Do Not Sell My Personal Information” page include?
- CCPA requirements for the “Do Not Sell My Personal Information” link
- Where is the “Do Not Sell My Personal Information” link required to be placed?
What should a “do not sell my personal information” page include?
The CCPA requires that businesses include a notice of the right to opt-out of the sale of PII on their “Do Not Sell My Personal Information” page. The following must be included in the notice:
- A description that informs the consumer of the right to opt-out of the sale of PII to third parties;
- A form that a consumer may fill out to submit the opt-out request. If the business does not have a website, the consumer must be provided with the offline method to opt-out of the sale of their PII; and
- Instructions detailing any other available methods for exercising the right to opt-out.
Moreover, the CCPA regulations, while not yet finalized, offer additional guidance concerning the presentation of the notice. The regulations specify that the notice must:
- Use plain, straightforward language and avoid legal jargon;
- Be formatted to draw the consumer’s attention to the notice;
- Be made available in the languages in which the business normally communicates with consumers; and
- Be reasonably accessible to people with disabilities.
CCPA requirements for the “do not sell my personal information” link
The CCPA specifies who needs a “Do Not Sell My Personal Information” link. Additionally, the law details a number of requirements with respect to what a business’s “Do Not Sell My Personal Information” link should look like.
The CCPA itself states that the “Do Not Sell My Personal Information” link must be “clear and conspicuous” and must be placed on the business’s homepage. This is similar to the California Online Privacy Protection Act, which requires Privacy Policies to be “conspicuously posted” on websites.
Although the CCPA does not define what constitutes “clear and conspicuous,” businesses should generally consider the following when providing a “Do Not Sell My Personal Information” link on their website:
- The link should be immediately visible on the first page that a website visitor lands on and should not otherwise be buried under sub-pages.
- The link should be differentiated from other links on the page. This may entail using a larger font and a different font color.
- The link can be supplemented with additional notices informing users of the link’s presence on the webpage.
As exemplified by these guidelines, the key to effective compliance with the CCPA’s “Do Not Sell My Personal Information” requirements is the degree of clarity provided by the business. Oftentimes, websites can be cluttered with detailed information on a variety of topics. This is especially true with respect to homepages, which often contain a sort of “directory” of links allowing the user to access career pages, product information, an “about the business” page, etc. Nevertheless, businesses are required to ensure that they provide clear and conspicuous notice of the “Do Not Sell My Personal Information” link. The clearer and more apparent the link is, the greater the protection you provide to your business in the face of large fines and lawsuits under the CCPA.
Where is the “do not sell my personal information” link required to be placed?
Businesses that are required to furnish a “Do Not Sell My Personal Information” link must make it available in a number of locations throughout the business’s website. Specifically, the link must be placed in the following locations:
- The website’s homepage
- The business’s online Privacy Policy
- Any California-specific description of consumers’ privacy rights
- If the business maintains a mobile application, in the application’s “Settings” menu, “About” page, or “Information” page
As is evident from the preceding discussion, the CCPA not only requires that businesses provide a “Do Not Sell My Personal Information” link in a clear and conspicuous form, but also that the link be made available in multiple locations on the business’s website and/or mobile application. The goal of both the formatting and location requirements is to provide consumers with ample opportunity to opt-out of the sale of their PII if they desire to do so. From the business’s perspective, effective compliance means ensuring that consumers are provided with a fair opportunity to exercise their privacy rights under the CCPA. This necessarily entails ensuring that the link may be easily found in multiple locations throughout the business’s website. With respect to the website’s Privacy Policy, businesses may obtain a CCPA-ready Privacy Policy by using Termageddon’s Privacy Policy generator.