Published by Usercentrics
Nov 28, 2024

Guide: “Do Not Sell Or Share My Personal Information” notices

Businesses run on data. Using customer information makes it possible to personalize content and increase the chance of conversions. But consumers are increasingly concerned about what companies do with their personal information (PI).

Data collection and sharing raises significant privacy concerns among consumers and regulators alike, so regulations have emerged to protect consumer privacy rights. One of these is the CCPA’s requirement for “Do Not Sell Or Share My Personal Information” notices. This notice, combined with an opt-out mechanism, enables consumers to control the use of their personal data by limiting its distribution to third parties.

Understanding and implementing data privacy requirements compliantly is about more than legal responsibilities and protecting your business from potential penalties. It’s also about building trust with your audience.

This article explores what these notices are, why they matter, and how to implement them on your website.

Understanding “Do Not Sell Or Share My Personal Information” notices

A “Do Not Sell Or Share My Personal Information” notice empowers consumers to decide how or if their PI is transferred to third parties. This requirement was introduced in the California Consumer Privacy Act (CCPA) and was later reinforced with the California Privacy Rights Act (CPRA).

When someone visits your website, they share their information in multiple ways. Some sharing is explicit, such as when they fill out a contact form or create an account. However, much more sharing happens behind the scenes through cookies, tracking pixels, and other technologies that monitor user behavior.

These actions present a complex web of data sharing that most consumers never see. Whether the data is shared through website tracking, collecting customer information, or sharing or selling data to third parties, there are myriad potential privacy and security risks that could compromise customer data.

It’s a concern that matters deeply to internet users. 2023 research from the Pew Research Center on attitudes towards data privacy revealed that the public is increasingly concerned about what companies are doing with their personal information. 81 percent of Americans said they’re concerned about how companies use the data collected about them, and 67 percent said they understand little to nothing about what companies are doing with their personal data.

A “Do Not Sell Or Share My Personal Information” notice serves as a transparent mechanism to help website visitors understand and control use of their data.

What are CCPA and CPRA consumer rights?

The CCPA and CPRA established a framework of consumer rights that impacts how businesses must handle personal information. These rights were first introduced by the CCPA and were later strengthened and expanded with the CPRA. They include the following rights.

  • Right to correction: California residents can request to have their PI corrected if they find it to be incomplete or inaccurate.
  • Right to know about automated decision-making: California residents can request access to and knowledge about how automated decision technologies in use work and what their probable outcomes are.
  • Right to opt out of automated decision-making: California residents can say no to their PI and sensitive personal information being used to make automated inferences, such as in profiling for targeted, behavioral advertising.
  • Right to limit use of sensitive personal information: California residents can make businesses restrict their use of this category of PI, particularly regarding third-party sharing.
  • Right to delete: California residents can request the deletion of their PI, and businesses must notify third-party processors to delete it as well.
  • Right to know: California residents can request access to PI collected beyond the original 12-month limit outlined in the CCPA.
  • Right to opt out: California residents can opt out of businesses sharing and selling their PI specifically for behavioral advertising.
  • Rights of minors: Businesses must obtain prior consent to collect and process the PI of minors, and this is extended to include the sharing of PI for behavioral advertising.
  • Right to data portability: California residents can request a copy of their PI in a reasonably transportable format, which can then be used with other businesses or organizations.

The “right to know” about the personal information a business collects about consumers and how it is used and shared represents a fundamental shift in the power dynamic between businesses and their customers. In the past, companies could collect and use personal information with little transparency or consumer recourse.

Now, consumers can request a detailed report of exactly what information a business has collected about them, how it’s being used, and who has access to it.

The “right to opt out” of the sale or sharing of personal information is directly connected to “Do Not Sell Or Share My Personal Information” notices, as this right specifically enables consumers to stop the transfer of their personal information to third parties.

What the CCPA and CPRA say about the sale of personal information

Section 1798.140 of the CCPA defines personal information as “information that identifies, relates to, or could reasonably be linked with you or your household.” The scope of this definition protects consumers in an era where sophisticated data analysis can often identify individuals from seemingly anonymous data points.

For example, browsing history on its own might seem innocuous, but when combined with other data points like device information, location data, and purchase history, a detailed profile of your interests, habits, and preferences can be created.

What constitutes a “sale” of personal information under the CCPA goes much further than traditional business transactions. It encompasses “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.”

The key phrase here is “for monetary or other valuable consideration,” which means that a sale doesn’t have to entail the exchange of customer information for money. The CCPA definition of “sale” is intentionally broad to include various types of data sharing arrangements that businesses might use.

Consider a local market where vendors exchange information about customer preferences, shopping patterns, and contact details. While seemingly harmless at such a small scale, this type of behavior has serious implications when it happens on a large scale in the digital sphere.

Does your website need to comply with the CCPA/CPRA?

CCPA and CPRA requirements are based on specific thresholds and criteria. Your website must comply with these privacy laws if your business meets any of the following conditions.

  • Annual revenue threshold: Your gross annual revenue exceeds USD 26,625,000 (calculated based on global revenue).
  • Data volume threshold: You buy, sell, or share personal information of 100,000 or more California consumers or households annually.
  • Revenue dependency: You derive 50 percent or more of your annual revenue from selling or sharing California consumers’ personal information.

Remember, your business doesn’t need to be based in California or even the United States for the CCPA/CPRA to apply to you. If yours is a for-profit organization that does business in California and falls under at least one of these three threshold criteria, you must comply with these regulations.

In doing so, consider how your website collects and uses personal information at every touchpoint. Each contact form, newsletter signup, or cookie placement represents a potential privacy touchpoint that needs to be properly managed.

How to create a compliant “Do Not Sell Or Share My Personal Information” notice

Below are some best practices and reference examples of effective “Do Not Sell Or Share My Personal Information” notices. These will help you create a notice and provide consumers with options that comply with California privacy law and protect your business from fines and penalties.

Best practices for creating a “Do Not Sell Or Share My Personal Information” notice

When creating your “Do Not Sell Or Share My Personal Information” notice, keep the following considerations in mind.

  • Accessibility: The notice should be available with a conspicuous link on your homepage and anywhere you collect personal information. Including the link in the website footer means it will be displayed on all pages.
  • Clear language: Use straightforward, jargon-free language in the required notifications that anyone could reasonably understand. Avoid technical terms unless absolutely necessary, and when you must use them, provide clear explanations. Be aware that the CCPA/CPRA legally require organizations to use the wording “Do Not Sell Or Share My Personal Information.”
  • Verification process: Implement a reasonable method to verify that the person making the request is indeed the consumer or their authorized representative. Companies can refuse to act on consumer requests if a person’s identity cannot reasonably be verified.
  • Response mechanism: Your system should be able to process and honor opt-out requests “as soon as feasibly possible,” but at most within 15 days.

“Do Not Sell Or Share My Personal Information” notice example

Take a look at what an effective notice looks like in practice. The notice should be visible, accessible, and easy to use. Here’s an example from the Usercentrics website, which was created following best practices.

We and our partners are using technologies like cookies and process personal data in order to improve your experience.

In case of sale of your personal information you may exercise your consumer right to opt out by activating the toggle ‘Do Not Sell Or Share My Personal Information’ below.

For detailed information about the categories of personal information we collect and the purposes for which information may be used and which Data Processing Services may have access to this information, please click on ‘More Information’ or refer to our privacy policy.

This notice is visible on every page via the footer for visitors from California (or whose IP address is set to a California location), making it accessible and easy to find.

Create a CCPA/CPRA-compliant website

Access to and use of customers’ PI is a valuable asset and a serious responsibility. Requirements for CCPA compliance and CPRA compliance represent a fundamental shift in how businesses must handle consumer data.

“Do Not Sell Or Share My Personal Information” notices serve as a tangible symbol of this change. These requirements reflect growing regulation of and consumer awareness about privacy rights and data protection.

At the same time, they provide an opportunity to build trust with your audience. When visitors see that you take their privacy seriously through required notices and straightforward opt-out mechanisms, they’re more likely to confidently engage with your business.

Conversely, failing to comply with these requirements not only presents the risk of substantial penalties and operational disruptions, but can also damage your reputation in an era where privacy awareness is at an all-time high.

As privacy regulations like the CCPA and CPRA continue to evolve, staying compliant requires ongoing attention and expertise, along with a holistic approach to privacy protection. It’s not enough to simply add a “Do Not Sell Or Share My Personal Information” link to your homepage. You need a comprehensive privacy framework that addresses all aspects of data collection, use, and sharing as your business grows and the technologies in use change.

Usercentrics offers a powerful solution for managing privacy compliance across your domains. When a visitor lands on your website, the Usercentrics Consent Management Platform (CMP) automatically detects their location and can display the relevant consent banner with information and options, whether they’re from California, Europe, or elsewhere in the world.

As regulations evolve, the CMP automatically updates to support your website’s ongoing privacy compliance. This proactive approach helps protect your business from potential penalties and provides you with peace of mind, while building trust with your users through transparent and responsible privacy practices.