Navigating the CPRA’s “Do Not Sell or Share” requirement

On January 1, 2023, California's "Do Not Sell" opt-out requirement will be amended to include the sharing of personal information. Here's what you need to know

Param Gopalasamy
Content Marketing Specialist | CIPP/E, CIPM
October 28, 2022

photo of two coworkers having a conversation on bleachers inside of an office presentation room.

The California Consumer Privacy Act (CCPA) has impacted how businesses handle consumers’ personal information since it entered into effect at the start of 2020. On January 1, 2023, the California Privacy Rights Act (CPRA) will expand and amend several aspects of the CCPA including consumer rights.

One such update is the “Do Not Sell My Personal Information” requirement, which gives consumers control over whom, how, and when businesses can sell their personal information. The CPRA amends this right to include the sharing of personal information.

With the CPRA’s entry coming into effect soon, businesses must take note of the changes that 2023 will bring to their privacy compliance programs. Let’s unpack the implications of the new CPRA opt-out requirements and what steps you can take today to streamline your team’s response.

What is the new CPRA “Do Not Sell or Share” requirement?

The CCPA mandates businesses transacting personal information post a “Do Not Sell My Personal Information” link on homepages and other web pages collecting data. The opt-out page must inform consumers of their rights and facilitate opt-out requests.

The CCPA also calls on businesses to offer a minimum of two opt-out request methods, including:

  • User-enabled privacy controls (such as a preference center)
  • Dedicated email address
  • Toll-free phone line
  • Form submitted in person or by mail

The CPRA builds on this foundation by enabling consumers to limit the sale and sharing of their personal information. It also allows consumers to exercise greater control over the use of their sensitive personal information by covered entities.

Starting on January 1, 2023, covered businesses must follow these instructions:

  1. Notify consumers that it sells personal information to third parties and that consumers have the right to opt out
  2. Post a “Do Not Sell or Share My Personal Information” link and a “Limit the Use of Sensitive Personal Information” link (or a clearly labeled link that combines both) on the homepage and any other page that collects personal information
  3. Allow consumers to exercise their right to opt out of the sale or sharing of their personal information and limit the use of their sensitive personal information without creating an account
  4. Inform consumers of their right to opt out and provide the do not sell link in an online privacy policy or CPRA-specific description of rights
  5. Respect opt-out decisions for a minimum of 12 months before asking the consumer again to authorize the sale/sharing of personal information or use of sensitive personal information
  6. Provide adequate training to individuals responsible for handling consumer privacy rights inquiries and processing opt-out requests

Sensitive personal information and the CPRA

The CPRA defines sensitive personal information as personal information that reveals:

  • Social Security number, driver’s license, state identification card, or passport number
  • Account login, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
  • Precise geolocation
  • Racial or ethnic origin, religious or philosophical beliefs, or union membership
  • Mail, email, and text message content, unless the business is the intended recipient of the communication
  • Genetic data
  • Biometric information processed for the purpose of identifying a consumer
  • Personal information collected and analyzed concerning a consumer’s health, sex life, or sexual orientation

Sensitive personal information under the CPRA doesn’t include any publicly and lawfully available information through federal, state, or local records.

How must businesses manage opt-out requests?

The CPRA ‘do not sell or share’ requirement introduces new complexities to businesses already managing opt-out requests. To start, organizations must pursue efficient intake methods that receive consent requests – and ideally activate those choices downstream through automation.

Detailed consent and opt-out records are a must, as well as processes that honor consumer choices wherever personal information is sold or shared. This includes understanding your data and working with third parties to ensure your data-related activities are operating on a consent basis.

Creating opt-out pages

To comply with the CPRA, businesses must set up web pages that help consumers exercise their rights to opt out of the sale/sharing of personal information and limit sensitive personal information use.

The most straightforward way to do this is to place links titled “Do Not Sell or Share My Personal Information” and “Limit the Use of my Sensitive Personal Information” in a footer. But there’s also an option to rename these pages – and streamline them into one webpage where consumers can indicate their preferences and opt out.

What if my company sells personal information?

Publishers, businesses in the data industry, or blogs that rely on ad support must comply with the CPRA if they meet the application threshold of the law. If your company sells personal information, be clear with consumers about what information you sell and why you sell it. Being transparent about your selling practices could lead to fewer consumers exercising their opt-out rights.

Streamline your CPRA compliance program with OneTrust

The CPRA comes into effect on January 1, 2023. Is your compliance strategy ready to adapt to these changing consumer opt-out requirements?

OneTrust makes it easy to achieve CPRA compliance by helping you understand the data you hold, how you use it, and what third parties have access to it.

Our suite of privacy management and data governance tools automate consumer request intake and fulfillment. Use pre-configured Consent and Preferences templates and settings to get your opt-out pages up and running quickly across web, mobile, and CMP channels.

With Privacy Rights Automation, you can automate opt-out compliance beyond targeted advertising and into other types of data sharing.

OneTrust CPRA also helps you maintain the necessary recordkeeping and accountability required of covered organizations and keeps you up-to-date with the latest guidance. Find out how to accelerate your time to CPRA compliance – request a demo today.

You may also like


Privacy Management

Managing data transfers within the UK & EU

Join our experts as we discuss ways to effectively manage data transfers between the UK & EU while staying compliant with the latest privacy regulations.

October 31, 2023

Learn more


Data Discovery & Security

A guided tour of OneTrust Data Discovery magic

Our expert speaker will demonstrate how common real-world data challenges can be identified, addressed, and reported on, leading to better data governance, security, and alignment with business goals. 

October 26, 2023

Learn more


Data Discovery & Security

Data minimization and risk assessment in data discovery

Explore the concept of data minimization and its crucial role in enhancing security, privacy, and reducing risk.

October 19, 2023

Learn more