Whether as a consumer or as a stakeholder in a business, you’ve likely seen links reading “Do Not Sell My Personal Information” or “Do Not Sell or Share My Personal Information.”
On the surface, these links seem straightforward—you click them, and a business no longer has permission to share or sell your personal information. But if you’re a stakeholder in that business, have been charged with implementing these links, or otherwise need to wrap your head around their requirements, you probably have more questions. In this post, we’ll answer those questions.
“Do Not Sell My Personal Information” links enable website users to exercise their legal right to opt out of having their personal information sold to (or shared with—more on that later) third parties.
When you see a "Do Not Sell My Personal Information" link (or DNS link) on a website, it means that the website or business is providing users with the choice to prevent the sale of their personal data to third parties.
By selecting this option, users can exercise greater control over how their personal information is used and shared, helping to protect their privacy in an online context. It's important for businesses to comply with such requests to respect individuals' privacy rights and adhere to applicable data protection laws.
Again, this all seems straightforward enough. But what constitutes a third party? What is personal information? How do you actually operationalize a DNS link?
There are several approaches and associated challenges to operationalizing a DNS link, which we’ll discuss further down. As for the specific definitions involved (and, by association, your specific legal requirements), we’ll have to look at the primary laws that require DNS links: The California Consumer Protection Act (CCPA) and California Privacy Rights Act (CPRA).
The CCPA and CPRA are the primary drivers behind the new requirement for DNS links. If you’re unfamiliar with the specifics of these laws, we recommend checking out The Expert's Guide to California Data Privacy Law | CCPA & CPRA. For now, however, there are four important things to know:
The CPRA defines “personal information” as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. That includes names, IP addresses, biometric information, and more. Check out PII vs. PI vs. Sensitive Information: Know Your Data Definitions to learn more.
The CPRA belongs to what is known as “opt-out” data privacy laws—that is, you are free to collect and process consumer personal information so long as you inform them of the processing.
Under the older CCPA, businesses only need a “Do Not Sell My Personal Information” link. However, businesses were also transferring consumer’s personal information without explicitly receiving money in return. Instead, they might receive advertising services, for example. The CPRA expanded and improved upon the CCPA and covered these additional transfers of personal information. Now, these links must read “Do Not Sell or Share My Personal Information.”
The CPRA has three categories for external parties with whom your organization can share personal information—contractors, service providers, and third parties. When a consumer clicks your DNS link, you only have to stop sharing consumer personal information with third parties.
These four points are the most important things to know when it comes to meeting the CCPA/CPRA’s “Do Not Sell My Personal Information” requirements. If you’re subject to the law, then so long as you inform consumers and give them a means of opting out of the sale or sharing of their personal information, you can collect and process their personal information freely. If they opt out, then you only need to stop certain data transfers.
Let’s dive into the definition of a “third party” a bit more. As we mentioned, third parties are one of three groups defined under the CPRA, including service providers and contractors. The CPRA defines these groups based on how they receive personal information, as follows:
The reason why third parties are subject to DNS requests but not contractors or service providers is that the CPRA requires you to have special contractual agreements in place with the latter two groups. These agreements are known as data processing addenda, and they essentially require contractors and service providers to treat your consumers’ data in a compliant manner, just as your own organization would. That means limiting consumer data to a specific purpose, deleting the data once that purpose has been met, and so on.
The idea here is that service providers and contractors are likely to provide critical services to your operation; if they can keep your consumers’ data and privacy rights protected, then there’s no reason to interrupt those services.
Third parties, however, are more likely to be involved in activities that are not necessary and may put consumer privacy rights at risk. Most of the time, this refers to targeted advertising. An ad tech network that tracks consumers across the web, for instance, and targets advertising based on their browsing behavior would be considered a third party.
When a user clicks on a DNS link on your website, you must stop sharing any of their personal information with these third parties.
According to the California Privacy Protection Agency (CPPA), which is responsible for CPRA enforcement and rulemaking, businesses have 15 days to stop all instances of selling or sharing a data subject’s personal information upon receiving a DNS request. Not a lot of time!
The CPRA requires businesses to include a DNS link on their homepage, but it’s also a good idea to include one in your privacy policy.
For example, The Atlantic magazine does not sell the personal information it collects, but "may disclose certain details to our business partners and underwriters,” as described in their privacy policy. That transfer of personal information may very well count as “sharing” in the context of the CPRA. So, they have a link on their homepage footer reading “Do Not Sell or Share My Personal Information.”
Clicking on that link takes you to a dedicated “Data Privacy Opt-Out" page, where visitors can submit their request via a form:
A link to this page can also be found in The Atlantic’s privacy policy.
In-N-Out Burger, a quintessential California business, also has a DNS link. Rather than put it in their footer, however, In-N-Out Burger has the link displayed on the first slide of an image carousel on their homepage.
Similarly, clicking on the DNS link leads to a form where a consumer can submit their request:
As of this writing, In-N-Out's privacy policy does not include a direct link to this form, but it does provide a method for consumer data privacy requests, including DNS requests, and calls out the presence of the DNS link on their homepage.
While businesses subject to the CPRA that sell or share personal information must include a DNS link on their homepage, there is another way that consumers might opt out of the transfer of their personal information to third parties.
Universal opt-out mechanisms give consumers a means of indicating their data privacy preferences just once, rather than each time they visit a different website. Often, they come in the form of browser extensions, such as the Global Privacy Control.
Businesses need to treat signals from universal opt-out mechanisms in the same manner as though the consumer indicated their data privacy preferences on their website. Thus, if a universal opt-out mechanism signals that the consumer has indicated they do not want their personal information sold or shared, you may not share or sell that information.
Much like “Do Not Sell My Personal Information” links, “Limit the Use of My Sensitive Personal Information” links are another CPRA requirement that must appear on businesses’ homepages if they engage in certain data processing activities. The topic of sensitive personal information and how businesses can meet this CPRA requirement is outside the scope of this blog, but you can learn more in our post, How to Navigate the CPRA’s ‘Limit the Use of My Sensitive Personal Information’ Mandate.
Obviously, the whole point of a “Do Not Sell or Share My Personal Information” link is that it actually does something when you click on it. Considering how broad the definition of selling and sharing is under the CPRA and how convoluted the relationship between service providers, contractors, and third parties seems, businesses may wonder how to sift through all of the data transfers in their organization and put a stop to the right ones.
In order to manage this process effectively, businesses need to consider three major methods of third-party data transfers.
You only have 15 days to honor a consumer’s request to opt out of the sale or sharing of their personal information. Because many data transfer mechanisms occur automatically (like third-party cookies and scripts), you’ll need a method to shut down these mechanisms for the relevant user automatically.
That’s where cookie consent platforms (CMPs) come in. CMPs classify and identify cookies and scripts running on your website that transfer data to third parties, so when a user submits a DNS request, your CMP can automatically shut down those cookies and scripts for the relevant user.
Cookies and scripts aren’t the only ways that data can be sent to third parties. You may send data collected from phone calls, forms, emails, and more to third parties. The class of data privacy solutions that deal with managing consent on these channels is known as universal consent solutions.
These solutions integrate with the given channel, provide a means for the user to provide consent (e.g., when they’re interacting with a form) or a member of your team to record the user’s consent (e.g., when speaking over the phone), and send a signal to your tag manager to block third-party data transfers upon receiving a DNS request.
The definition of selling or sharing under the CPRA is so broad that many activities could fall under its umbrella. Not all of these activities will be through digital channels or can be automated. You'll need to discover these data transfer mechanisms. When a user makes a DNS request, you’ll have to manually inform the relevant stakeholders that they cannot sell or share the given users’ data anymore.
Because this aspect of compliance can be time-consuming, it’s essential that you automate the aspects of the process that can be automated. Osano can help! Schedule a demo with one of our experts to learn how we can simplify your organization’s compliance with the CPRA’s “Do Not Sell or Share My Personal Information” requirements.