Do Not Sell My Information

INTRODUCTION

The CCPA (CPRA) applies to “businesses,” meaning any company doing business in California that does one or more of the following things:

• Raises annual gross revenues of $25 million or more
• Buys, sells, receives for commercial purposes, or shares for commercial purposes, personal information from at least 100,000 California consumers, households, and/or their devices
• Raises at least half of its annual gross revenues from the sale or sharing of consumers’ personal information

A business does not need to be based in California. Businesses all over the world must comply with the CCPA (CPRA).

What are the CCPA/CPRA’s Requirements?

The CCPA (CPRA) has a number of requirements, including:

• Updating your Privacy Policy every 12 months to explain how you collect, use, share, and sell personal information
• Allowing consumers to access and delete the personal information you have collected about them
• Allowing consumers to opt out of the sale of their personal information

That last point is our focus in this article and is the purpose of a “Do Not Sell” page.

For more information about your obligations under the CCPA (CPRA), see our article on CCPA (CPRA) Compliance Requirements.

WHAT INFORMATION WE COLLECT ABOUT YOU AND HOW WE USE YOUR PERSONAL INFORMATION?

The type of personal information we collect on or through our platforms, why we collect and how we use the personal information are explained in the following:
The CCPA (CPRA) provides some exceptions. “Selling” personal information does not include sharing personal information:

• Under the consumer’s instructions
• For business purposes with a service provider
• To inform a third party that the consumer has opted out
• As part of a merger or acquisition

The full scope of this definition is not yet clear. But bear in mind that “personal information” can include data such as cookies, IP addresses, and device IDs.
Therefore, many businesses are interpreting “selling personal information” as including relatively common business activities, such as running personalized ad campaigns that involve third-party cookies. This would require many businesses to create a “Do Not Sell” page.

If your business does not sell personal information, the CCPA (CPRA) does not require you to create a “Do Not Sell” page as long as you disclose that you do not sell personal information in your Privacy Policy. Your Privacy Policy relates to your past 12 months of business activity, so you must disclose whether you sold personal information in the past 12 months. If you sold personal information more than 12 months ago, you do not need to disclose this in your Privacy Policy.
Here’s an example from the Privacy Policy of healthcare company

If you don’t sell personal information or haven’t in the preceding 12 month period, disclose this in your Privacy Policy and your requirements for the “Do Not Sell” page are over. However, if you do sell personal information or have done so in the preceding 12 month period, your obligations continue and you must create a “Do Not Sell” page.