If the California Privacy Rights Act (CPRA) applies to you, you may have heard of the requirement to have a website page titled “Do Not Sell My Personal Information.” This is a page that allows residents of California to exercise their right to say “no” to sales of their personal information. Unfortunately, at this time, the California Attorney General’s Office and the California Privacy Protection Agency have provided very little guidance regarding what this page should look like. However, while being simple, the guidance is pretty clear. In this article, we will discuss the CPRA’s “Do Not Sell My Personal Information” page requirement, including:
- Who the CPRA applies to;
- Who needs a “Do Not Sell My Personal Information” page;
- What this page should contain;
- The Privacy Policy requirements of the CPRA.
If your business also needs to have a “Do Not Share My Personal Information” page or a “Limit The Use Of My Sensitive Personal Information” page, make sure to read our articles (coming soon) on these page requirements as well.
Table of Contents
Who needs to comply with the California Privacy Rights Act
The requirement of having a “Do Not Sell My Personal Information” page applies to businesses that need to comply with the CPRA. While many businesses assume that they will need to comply with the CPRA if they are located in California, do business there, or collect the personal information of residents of California, this is simply not the case as additional conditions need to be met for the law to apply.
CPRA applies to businesses that collect the personal information of residents of California, do business in California, and that meet at least one of the following criteria:
- Have annual gross revenue of more than $25,000,000;
- Derive 50% or more of its annual revenue from selling or sharing the personal information of California consumers or households; or
- Annually buy, sell or share the personal information of 100,000 or more California consumers or households.
As you can see from the above, the CPRA mainly applies to large businesses. However, small businesses may be subject to the CPRA through contracts if they process personal information for a client that meets the criteria above.
Who needs a “Do Not Sell My Personal Information” page
Your business will need to have a “Do Not Sell My Personal Information” page if you:
- Need to comply with the CPRA; and
- Sell the personal information that you collect.
The CPRA defines “selling” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.” As you can see from this definition, “sale” is a broad term, which means that the use of analytics or advertising on websites may be considered a “sale” under the CPRA.
What a “Do Not Sell My Personal Information” page should look like
The purpose of this page is to inform residents of California that their personal information may be sold, that they have the right to opt out of such sales, and to provide them with an opportunity to exercise this right. Businesses need to provide a link to this page on their website. Clicking on that link must either:
- Immediately opt the individual out of sales of their personal information; or
- Take them to a page where they can exercise their right to out of sales of their personal information.
If the link takes the individual to a page where the individual can opt out of sales of their personal information, that page must include the following:
- A description of the right to opt out of sale of their personal information;
- Instructions on how the consumer can submit a request to opt out of the sale. If the notice is provided on a website, that notice must include a form by which a consumer can submit their request.
An example of a “Do Not Sell My Personal Information” page would look something like this:
“Please note that we may sell your personal information to third parties. To learn more about such sales, please read our Privacy Policy. Residents of California have the right to opt out of such sales. You may opt out of sales of your personal information by submitting the form below.” This message would then be followed by a simple form where an individual can input their personal information and opt out of sales of such personal information.
It is important to note that the “Do Not Sell My Personal Information” link must be easily accessible and visible to the users of the website. The form on that page must require minimal steps and be easy to use. Lastly, businesses cannot require an individual to create an account in order to exercise their privacy rights.
The Privacy Policy requirement
In addition to the other Privacy Policy disclosure requirements of the CPRA, your Privacy Policy must disclose:
- Whether or not you sell personal information;
- If you do sell personal information, your Privacy Policy must disclose:
- The categories of personal information that are sold;
- The categories of third parties to whom the personal information is sold;
- Why the personal information is sold;
- The privacy rights provided to residents of California, including the right to opt out of the sale of personal information;
- How to exercise those privacy rights; and
- A link to your “Do Not Sell My Personal Information” page.
If you are using the Termageddon Privacy Policy generator and select that the CPRA applies to you, then your Privacy Policy will include the disclosures discussed above.
As you can see from the above, the “Do Not Sell My Personal Information” page is not required for all businesses and can be relatively simple in terms of the contents and functionality of that page. If the CPRA applies to you, make sure to read our articles on the “Do Not Share My Personal Information” and “Limit The Use of My Sensitive Personal Information” pages.
