
Example of a “Do Not Share My Personal Information” page 


Donata Stroink-Skillrud

Co-founder and President of Termageddon


If you are a business that needs to comply with the California Privacy Rights Act (CPRA), you may be aware of the requirement to have a page on your website titled “Do Not Share My Personal Information.” This is a page that allows residents of California to exercise their rights to opt out of the sharing of their personal information with third parties for the purpose of targeted advertising. At this time, the California Attorney General’s Office and the California Privacy Protection Agency have provided very short guidance to businesses on what this page should look like and what its functionality should be. However, while the guidance is simple, it is relatively clear. In this article, we will discuss the CPRA’s “Do Not Share My Personal Information” page requirement, including: 

  1. Who the CPRA applies to; 
  2. Who needs a “Do Not Share My Personal Information” page; 
  3. What this page should contain; 
  4. The Privacy Policy requirements of the CPRA. 

If your business also needs to have a “Do Not Sell My Personal Information” page or a “Limit The Use Of My Sensitive Personal Information” page, make sure to read our articles on the requirements of these pages as well. 

Who needs to comply with the California Privacy Rights Act 

The requirement of having a “Do Not Share My Personal Information” page applies to businesses that need to comply with the CPRA. While many businesses assume that they will need to comply with the CPRA if they are located in California, do business there, or collect the personal information of residents of California, this is simply not the case as additional conditions need to be met for the law to apply. 

CPRA applies to businesses that collect the personal information of residents of California, do business in California, and that meet at least one of the following criteria: 

  1. Have annual gross revenue of more than $25,000,000; 
  2. Derive 50% or more of their annual revenue from selling or sharing the personal information of California consumers or households; or 
  3. Annually buy, sell or share the personal information of 100,000 or more California consumers or households. 

As you can see from the above, the CPRA mainly applies to large businesses. However, small businesses may be subject to the CPRA through contracts if they process personal information for a client that meets the criteria above. 

Who needs a “Do Not Share My Personal Information” page

Your business will need to have a “Do Not Share My Personal Information” page if you: 

  1. Need to comply with the CPRA; and 
  2. Share the personal information that you collect for targeted advertising.  

The CPRA defines “sharing” as “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising.” While many businesses (and consumers) assume “sharing” to mean providing personal information to a third party for any purpose (e.g. using a vendor such as MailChimp or Constant Contact to send email marketing), the CPRA’s definition relates only to the sharing of personal information for targeted advertising. For example, using the Meta Pixel to track individuals to show them advertisements would be considered “sharing” under the CPRA. 

What a “Do Not Share My Personal Information” page should look like 

The purpose of this page is to inform residents of California that their personal information may be shared with third parties for targeted advertising, that they have the right to opt out of such sharing, and to provide them with an opportunity to exercise this right. Businesses need to provide a link to this page on their website. Clicking on that link must either: 

  1. Immediately opt the individual out of the sharing of their personal information for targeted ads; or 
  2. Take them to a page where they can exercise their right to opt out of the sharing of their personal information. 

For the first option, businesses may have a cookie consent banner that allows individuals to opt out of targeted advertising cookies. For example, the Termageddon <> Usercentrics cookie consent solution may be used to achieve this goal as it allows individuals to select which cookies they would like to be tracked by (including targeted advertising cookies).

If the link takes the individual to a page where the individual can opt out of sales of their personal information, that page must include the following:

  1. A description of the right to opt out of the sharing of their personal information; 
  2. Instructions on how the consumer can submit a request to opt out of the sharing. If the notice is provided on a website, that notice must include a form by which a consumer can submit their request. 

An example of a “Do Not Share My Personal Information” page would look something like this: 

“Please note that we may share your personal information with third parties for the purpose of targeted advertising. To learn more about such sharing, please read our Cookie Policy. Residents of California have the right to opt out of such sharing. You may opt out of the sharing of your personal information by changing your settings on our cookie consent banner on our website or by submitting the form below.” This message would then be followed by a simple form where an individual can input their personal information and opt out of sales of such personal information. 

It is important to note that the “Do Not Share My Personal Information” link must be easily accessible and visible to the users of the website. The form on that page must require minimal steps and be easy to use. Lastly, businesses cannot require an individual to create an account in order to exercise their privacy rights. 

The Privacy Policy requirement 

In addition to the other Privacy Policy disclosure requirements of the CPRA, your Privacy Policy must disclose: 

  1. Whether or not you share personal information for the purpose of targeted advertising; 
  2. If you do share personal information for targeted advertising, your Privacy Policy must disclose:
    1. The fact that such sharing is taking place; 
    2. The privacy rights provided to residents of California, including the right to opt out of the sharing of personal information; 
    3. How to exercise those privacy rights; and 
    4. A link to your “Do Not Share My Personal Information” page. 

If you are using the Termageddon Privacy Policy generator and select that the CPRA applies to you, then your Privacy Policy will include the disclosures discussed above. 

As you can see from the above, the “Do Not Share My Personal Information” page is not required for all businesses and can be relatively simple in terms of the contents and functionality of that page. If the CPRA applies to you, make sure to read our articles on the “Do Not Sell My Personal Information” and “Limit The Use of My Sensitive Personal Information” pages.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
