"Do Not Sell My Personal Information" Requirement: What Businesses Need to Know
One of the most visible CCPA requirements is the mandate to display a "Do Not Sell or Share My Personal Information" link on your website. This guide explains what the requirement entails, how to implement it correctly, and common mistakes to avoid.
What Is the "Do Not Sell" Requirement?
Under the CCPA (as amended by the CPRA), businesses that sell or share consumers' personal information must provide a clear and conspicuous link on their website homepage titled "Do Not Sell or Share My Personal Information." This link must lead to a page or mechanism where consumers can exercise their right to opt out.
The CPRA expanded this requirement to include "sharing" in addition to "selling," which means businesses that share data for cross-context behavioral advertising must also comply.
Who Needs a "Do Not Sell" Link?
Any business subject to the CCPA that sells or shares personal information must include this link. "Selling" is defined broadly under CCPA and includes:
- Sharing data with third-party advertisers
- Allowing ad networks to place tracking cookies on your site
- Exchanging personal information for monetary or other valuable consideration
- Sharing data with data brokers or analytics partners
If you use Google Analytics, Facebook Pixel, or any third-party advertising technology, you are likely "sharing" personal information and need this link.
Placement and Design Requirements
- Homepage Placement: The link must appear on your website's homepage. Best practice is to place it in the footer where it is consistently visible across all pages.
- Clear and Conspicuous: The link must be easy to find. It should not be hidden in dense text or require multiple clicks to reach.
- Exact Wording: Use the exact phrase "Do Not Sell or Share My Personal Information" as the link text. Variations may not meet the legal requirement.
- Functional Mechanism: The link must lead to a working opt-out mechanism—not just a page that describes the right without a way to exercise it.
Global Privacy Control (GPC)
The CCPA requires businesses to honor the Global Privacy Control (GPC) signal. GPC is a browser-level or extension-level setting that automatically sends an opt-out preference to every website a consumer visits. When a user has GPC enabled, your website must treat it as a valid opt-out request.
This was a key issue in the Sephora enforcement action, where the company was fined $1.2 million partly for failing to honor GPC signals.
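As an added example (not code from this page or from OptOutWidget), the server-side logic below treats a GPC signal as a valid opt-out on equal footing with a click on the "Do Not Sell or Share" link, and then gates the third-party tags that count as selling or sharing. It assumes the GPC specification's request header `Sec-GPC: 1` (the header name and value come from that spec, not from this page); the vendor list and the `ccpa_opt_out` cookie name are constructed for the example.

```javascript
// Constructed vendor inventory: which third-party tags count as "selling or
// sharing" personal information and must be suppressed after an opt-out.
const VENDORS = [
  { name: "analytics-vendor", shares: true },            // constructed name
  { name: "ad-pixel", shares: true },                    // constructed name
  { name: "self-hosted-error-logging", shares: false },  // constructed name
];

// Case-insensitive header lookup (Node lowercases header names; other
// servers may not).
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Per the GPC specification only the exact value "1" in Sec-GPC is an
// opt-out; an absent header, "0" or any other value is not a signal.
function gpcSignalPresent(headers) {
  const value = header(headers, "sec-gpc");
  return typeof value === "string" && value.trim() === "1";
}

// Opt-out cookie set when the consumer used the "Do Not Sell or Share My
// Personal Information" link. The cookie name is this example's own choice.
function cookieOptOut(cookieHeader) {
  if (typeof cookieHeader !== "string") return false;
  return cookieHeader.split(";").some((part) => {
    const [k, v] = part.trim().split("=");
    return k === "ccpa_opt_out" && v === "1";
  });
}

// Decide opt-out state for one request. GPC and the link are each
// sufficient on their own: no account, login or second click is required.
function resolveOptOut(request) {
  const headers = request.headers || {};
  if (gpcSignalPresent(headers)) return { optedOut: true, source: "gpc" };
  if (cookieOptOut(header(headers, "cookie"))) return { optedOut: true, source: "link" };
  return { optedOut: false, source: null };
}

// Names of the tags that may still load for this request: everything when
// not opted out, only non-sharing tags once an opt-out is in effect.
function allowedVendors(request) {
  const { optedOut } = resolveOptOut(request);
  return VENDORS.filter((v) => !optedOut || !v.shares).map((v) => v.name);
}
```

The same decision should be recorded with its source so that an audit can show a GPC-driven opt-out was honored and not only a link-driven one.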
Common Mistakes to Avoid
- Using non-standard link text (e.g., "Privacy Choices" instead of the required phrase)
- Placing the link on a subpage instead of the homepage
- Leading to an informational page without an actual opt-out mechanism
- Requiring consumers to create an account to opt out
- Not honoring GPC signals as valid opt-out requests
- Making the opt-out process unreasonably difficult
Alternative: "Limit the Use of My Sensitive Personal Information"
If your business uses sensitive personal information (as defined by CPRA), you must also provide a separate link titled "Limit the Use of My Sensitive Personal Information." Alternatively, you can combine both into a single link titled "Your Privacy Choices" with the required opt-out icon.
Implement with OptOutWidget
OptOutWidget provides a fully compliant "Do Not Sell or Share" opt-out mechanism that you can embed on your website with a single line of code. It handles consumer opt-out requests, records them in your dashboard, and supports GPC signal detection—all out of the box.