Published:

Updated:

Who needs a “do not sell my personal information” link under the CCPA?

Privacy Policy

CCPA, United States

Who needs a do not sell my personal information link under the CCPA

*Note: Since the writing of this blog, CCPA has been replaced with CPRA.

The CCPA: California Consumer Privacy Act provides a variety of privacy controls to consumers. These privacy controls include the right to request the deletion of collected personally identifiable information (“PII”), request access to a number of disclosures pertaining to what PII the business has collected and sold, and the ability to file lawsuits directly against businesses under certain circumstances. 

Pursuant to allowing consumers to opt-out of the sale of their PII, the CCPA requires businesses to provide a link entitled “Do Not Sell My Personal Information” on their website. Consumers may click this link to request that the business halt the sale of their PII to third-parties. 

This article will discuss the following two topics:

  • When a “Do Not Sell My Personal Information” link is required under the CCPA 
  • Why your business needs a “Do Not Sell My Personal Information” link to avoid fines and lawsuits 

When a “do not sell my personal information” link is required under the CCPA 

Generally, businesses that fall under one of the following three categories are required to comply with the CCPA

  • Have an annual gross revenue in excess of twenty-five million dollars ($25,000,000);
  • Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or 
  • Derives 50% or more of its annual revenues from selling consumers’ personal information. 

Covered businesses that must comply with Section 1798.120 of the CCPA must provide a “Do Not Sell My Personal Information” link. Under Section 1798.120, businesses that sell PII to third-parties must provide consumers with the ability to opt-out of those sales. The CCPA defines “sales” of PII as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic means, a consumer’s personal information by the business to another business or third party for monetary or other valuable consideration.” 

Businesses that do not sell PII as defined by the CCPA are not required to provide a “Do Not Sell My Personal Information” link. Under the CCPA, businesses are not engaged in a sale of PII if any of the following apply: 

  • The consumer has instructed the business to sell the PII to third-parties 
  • The disclosure of PII is made to a service provider so long as:
    • The exchange of PII is necessary to fulfill a business purpose 
    • The service provider is performing a function on behalf of the business 
    • The service provider itself does not engage in the sale of the PII
  • The business has transferred the PII to a third party pursuant to a merger agreement, acquisition, or bankruptcy proceeding, provided that the third party uses the PII consistently with the business’s prior disclosures to the consumer 

Should any of these circumstances apply, businesses must nevertheless ensure that their Privacy Policy states that the business does not engage in the sale of PII. 

What about businesses that regularly communicate with consumers offline and/or do not operate a website but are nevertheless covered under the CCPA? The CCPA regulations, although not yet finalized, provide some guidance on that front. 

The regulations would require businesses that substantially interact with consumers offline to provide notice of the right to opt-out as well as how the consumer may access the business’s “Do Not Sell My Personal Information” link online. For example, businesses that direct consumers to disclose PII on a piece of paper would be required to include a notice of the right to opt-out and directions for accessing the “Do Not Sell My Personal Information” link online. With respect to what constitutes “substantially interacting” with the consumer, the regulations have yet to define the level of communication that qualifies. 

Per the regulations, businesses that do not operate a website would be required to implement, document, and comply with another method to inform consumers of their right to opt-out of the sale of collected PII. This method must comply with the methods employed by businesses that substantially interact with consumers offline, as discussed above. 

Why your business needs a “do not sell my personal information” link to avoid fines and lawsuits 

To comply with CCPA, your business needs to be able to determine whether or not it is required to provide a “Do Not Sell My Personal Information” link. If your business has a website and engages in the sale of PII to third parties, there is a significantly high chance that you must provide a “Do Not Sell My Personal Information” link for consumers to access. Pursuant to ensuring that your business remains compliant with the CCPA, use Termageddon’s Privacy Policy generator to create your CCPA ready Privacy Policy that can help avoid fines or even lawsuits. 

Photo of author
About the Author
Tyler Pewitt

Tyler is a third year law student attending Seton Hall University School of Law. He is a Certified Information Privacy Professional (CIPP/U.S.) as well as the Founder and President of the Cybersecurity and Privacy Society of his law school, a student organization dedicated to exploring major legal issues in all things technology, from data privacy to Artificial Intelligence. The organization is also dedicated to helping law students find career opportunities in the growing fields of cybersecurity and privacy.

Search the Site
Popular Articles
Browse by Category

Comparing Policy Generators

Cookie Consent Banner

Cookie Policy

Culture

Disclaimer

EULA

How To's

Privacy Policy

Terms of Service

Subscribe for Updates