With the CCPA effective date just around the corner, the compliance deadline is coming in hot. Businesses with customers in California need to start creating procedures to become compliant.

One CCPA requirement that will present a challenge to businesses that sell personal information is processing “Do Not Sell My Personal Information” requests (or opt-out requests). In this post, we’ll discuss what do not sell requests are and how your business can comply with them.


What is the CCPA Do Not Sell Requirement?

The CCPA provides several rights to California residents, including the right to opt-out of the sale of personal information. Specifically, California residents have the right to direct businesses to stop selling their personal information.

Businesses that sell personal information and do not qualify for an exemption for the opt-out right must take several different actions to comply with the CCPA.

More specific instructions are as follows:

  1. A business must provide notice to consumers that it sells consumers’ personal information to third parties and that consumers have the right to opt-out of such sales.
  2. The business’s website must post a “Do Not Sell My Personal Information” link that takes consumers to a web page where they can exercise the right to opt-out of the sale of their personal information.
  3. The business must provide this link on its homepage and any page that collects personal information, or on its application’s platform or download page.
  4. Users must be able to submit opt-out requests without having to create an account.
  5. The business must inform consumers of their right to opt-out and provide the do not sell link in its online privacy policy or any other California-specific description of rights.
  6. The business must respect the consumer’s decision for at least 12 months. After this time, the business can ask the consumer to authorize the sale of personal information.
  7. The business must train individuals responsible for handling customer rights inquiries and processing consumer rights requests.

Like many rules with the CCPA, this individual rule may seem easy to comprehend, but it poses a lot of challenges for businesses and consumers alike. These challenges include knowing exactly what personal information your business collects and sells, knowing what information belongs to which consumer, navigating and targeting information that lives in decentralized systems, and having a system in place to process opt-out requests.


Does My Business Need to Comply with CCPA Do Not Sell?

Not every business is impacted by the CCPA, but any business that collects and sells the personal information of California residents (including those without a physical presence in the state) needs to have a process to comply with the do not sell my personal information right.

If your business generates over $25 million in revenue, collects information of more than 50,000 California residents a year, or derives 50% or more of its annual revenue from selling the personal information of California residents, then the CCPA will impact your business.

What Does “Sell” Mean?

According to the CCPA, selling is:

“selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

Because the CCPA does not clearly define “valuable consideration,” this leaves some gray area for businesses to interpret. For greater insight, read the International Association of Privacy Professionals (IAPP) blog analyzing what “sale” means and the IAPP’s blog evaluating what “valuable consideration” means.

How Can Your Business Comply with the CCPA Do Not Sell Rule?

New and evolving digital marketing properties and practices pose unique compliance challenges to businesses with respect to the do not sell requirements. In particular, businesses need to do the following:

  • Determine exactly what personal information they are collecting about each of their consumers and whether they are sharing or selling that personal information, or a part thereof, to third parties.
  • Clearly notify consumers of their right to direct businesses to stop selling their personal information and inform them how to do so.
  • Provide ways for consumers to direct businesses to not sell their personal information, including posting a “Do Not Sell My Personal Information” link on their websites. For example, the proposed CCPA regulations issued by the California Attorney General (AG) require, at a minimum, an interactive webform for submitting requests. Other acceptable methods include, among others, an email address and a toll-free phone number.
  • Establish procedures for responding to and fulfilling opt-out requests, as well as training personnel who handle such requests. For instance, businesses may consider automating the opt-out request process.
  • Maintain records of opt-out processes and details on the fulfillment or rejection of opt-out requests to demonstrate CCPA compliance and accountability.

How to manage consumer opt-out requests?

When dealing with consumer opt-out requests, organizations need to consider efficient and compliant intake methods for receiving consent preferences from the consumer. For the CCPA, this comes in the form of embedding a “Do Not Sell My Personal Information” link on company websites.

When a consumer exercises their right to opt out, organizations must ensure that they are maintaining detailed and ongoing records of these preferences in order to avoid the accidental or unauthorized sale of consumer data. This includes understanding your data and communicating the appropriate consent preferences to relevant third parties.

By leveraging the OneTrust Consumer Rights Management tools, your organization can automate the intake and fulfillment of consumer requests as well as pinpoint what data you hold, how it is used, and what third parties have access to it.

How to create and display a “Do not sell personal information” page and/or button?

To comply with opt-out requirements under the CCPA, organizations will need to embed a “Do Not Sell My Personal Information” link on their websites.

Through OneTrust Consumer Rights Management, organizations can utilize customizable web forms that allow consumers to opt out of the sale of their personal information when they click the “Do Not Sell My Personal Information” link.

Organizations will also need to implement processes to verify that they are respecting consumers’ “Do Not Sell” requests, as well as to document the details of the process.

What if I Need to Sell Personal Information?

If you’re a publisher or a blog that relies on ad support, this section of the law applies to you. If you need to sell personal information, make sure you are perfectly clear about what information you sell and why you sell it. Being more transparent about your selling practices may lead to fewer consumers who exercise their opt-out rights.

CCPA Compliance Made Easy

For many businesses subject to the CCPA, OneTrust’s all-in-one solution can be the easiest way to ensure compliance. Get started today with the OneTrust CCPA Same Day Fast Track Implementation Program.

