
Do Not Sell/Share Personal Information

Implementation Guide For Product, UI/UX and Software Developers

Summary

The spirit of the regulation is to ensure that companies do not hide or mislead customers about what they do with their Personal Information, and that customers have an opportunity to opt out of sharing if they wish. If you find yourself doing "tricky things" to minimize the prominence of your "Do Not Sell" links and information, or the likelihood that a customer will find them, you are probably on the wrong path.

Legal Requirements Overview

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), requires businesses that sell or share California consumers' personal information to provide a mechanism for consumers to opt out of such practices.

Key Definitions

Selling: Making a consumer's personal information available to a third party for monetary or other valuable consideration.

Sharing: Making a consumer's personal information available to a third party for tracking a person's activities across different websites, apps, or services to build a profile about them.

Implementation Requirements

1. Link Placement and Visibility

  • Add a "Do Not Sell or Share My Personal Information" link that is clear and conspicuous.
  • Place the link in your website footer so it appears on every page of your site.
  • The link should be visually equal to or more prominent than other links.
  • Include the link in your Privacy Policy.

2. Opt-Out Page Requirements

Your opt-out page must include:

  • A clear explanation of the right to opt out at the top of the page.
  • A web form for users to submit opt-out requests.
  • At least one additional method for submitting opt-out requests (e.g., email address, toll-free number).
  • Instructions on how to exercise the opt-out right.
  • No requirement for users to create an account to opt out.

3. Technical Implementation

  • Ensure the opt-out mechanism is easily accessible and functions properly across all devices.
  • Implement a system to track and honor opt-out requests for at least 12 months.
  • Develop a process to receive, verify, and respond to opt-out requests.
  • Maintain records of opt-out requests for at least 24 months.
  • Consider implementing a Consent Management Platform (CMP) to manage opt-out preferences.

UX/UI Best Practices

  • Use clear, straightforward language that explains the opt-out right in simple terms.
  • Design a user-friendly form that collects only the information necessary to process the opt-out request.
  • Consider allowing granular opt-out choices (e.g., letting users choose which categories of information they don't want sold/shared).
  • Provide visual confirmation when an opt-out request has been successfully submitted.
  • Ensure the opt-out process requires minimal steps.

Implementation Process

  1. Assessment: Determine if your business sells or shares personal information as defined by the CCPA.
  2. Design: Create the opt-out link and dedicated webpage with required elements.
  3. Development: Implement the technical infrastructure to process and honor opt-out requests.
  4. Testing: Verify the opt-out mechanism works properly across all devices and browsers.
  5. Training: Ensure team members understand how to handle opt-out requests.
  6. Documentation: Maintain records of implementation and opt-out requests.
  7. Review: Review the implementation and internal operations at least annually to update for changes in the business.

Compliance Checklist

  • "Do Not Sell or Share My Personal Information" link added to website footer
  • Link included in Privacy Policy
  • Dedicated opt-out page created with clear explanation of rights
  • Web form implemented for opt-out requests
  • Secondary method for submitting requests provided
  • System in place to track and honor opt-out requests
  • Process established for verification and response to requests
  • Staff trained on handling opt-out requests
  • Documentation system implemented


Additional Considerations

  1. Ensure non-discrimination against consumers who opt out.
  2. For businesses collecting data from minors under 16, implement opt-in consent mechanisms.
  3. Consider implementing Global Privacy Control (GPC) support as an additional opt-out method.
  4. Regularly review and update your opt-out mechanisms to ensure ongoing compliance.
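
One way to combine the opt-out tracking and record-keeping from the Technical Implementation section with the GPC support suggested above, as an added example rather than code from this guide. The class, method and label names and the in-memory storage are assumptions made for illustration; Sec-GPC: 1 is the request header browsers send for Global Privacy Control.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RECORD_RETENTION = timedelta(days=730)  # request records are kept at least 24 months


@dataclass(frozen=True)
class OptOutRecord:
    consumer_id: str
    method: str            # "web_form", "email", "gpc" (illustrative labels)
    received_at: datetime


def has_gpc(headers):
    """True when the request carries the Global Privacy Control header Sec-GPC: 1."""
    return any(k.lower() == "sec-gpc" and v.strip() == "1" for k, v in headers.items())


class OptOutRegistry:
    def __init__(self):
        self._active = set()  # current opt-out state; no expiry, so it outlives 12 months
        self._log = []        # audit record of every opt-out request received

    def record_opt_out(self, consumer_id, method, now):
        self._active.add(consumer_id)
        self._log.append(OptOutRecord(consumer_id, method, now))

    def may_sell_or_share(self, consumer_id, headers, now):
        """Per-request decision; consumer_id is None for a visitor with no identifier."""
        if has_gpc(headers):
            # Treat the browser signal as an opt-out request and persist it once.
            if consumer_id is not None and consumer_id not in self._active:
                self.record_opt_out(consumer_id, "gpc", now)
            return False
        return consumer_id not in self._active

    def purge_log(self, now):
        """Drop audit records only once past retention; opt-out state is untouched."""
        keep = [r for r in self._log if now - r.received_at < RECORD_RETENTION]
        dropped = len(self._log) - len(keep)
        self._log = keep
        return dropped
```

Keeping the opt-out state separate from the request log means a retention purge can never silently re-enable selling or sharing for a consumer who opted out.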

This guidance reflects CCPA requirements as of March 2025. Consult your own privacy counsel for updates, for specific questions about your implementation, and to verify that the implementation is proper for your business.