The CCPA Has Placed a Mandatory Link on Your Company’s Homepage

Carlton Fields

If a company sells personal information of California consumers, then the California Legislature has claimed real estate on its homepage. This article summarizes this new requirement of a “Do Not Sell My Personal Information” link and provides some practical guidance.

The California Consumer Privacy Act of 2018 (CCPA) in certain instances requires a business to “[p]rovide a clear and conspicuous link on the business’ Internet homepage, titled ‘Do Not Sell My Personal Information,’ to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information.” Sec. 1798.135(a)(1).

This requirement applies only to businesses that “sell” personal information about California consumers to third parties. Sec. 1798.120(a). “Sell” in the world of the CCPA does not really mean “sell” — it means share for any benefit at all. Sec. 1798.140(t). What this homepage requirement does is make operational the CCPA’s much-discussed “right to opt out,” that is, a consumer’s right to demand that a company stop transferring his or her personal data for value to others. Sec. 1798.120(a).

Compliance requires more than a cosmetic website tweak. By January 1, 2020, the effective date of the CCPA, the company must also:

  • Construct a back-end system that takes opt-out requests from the webpage and turns them into a reality. Sec. 1798.135(a)(4).
  • Train individuals responsible for “handling consumer inquiries” on how to direct consumers to exercise the right to opt out. Sec. 1798.135(a)(3).
  • Figure out a system so that the company refrains from soliciting the sale of data of an opting-out customer for 12 months from the date of opting out. Sec. 1798.135(a)(5).


A website’s landing page is not the only place where this “Do Not Sell My Personal Information” link must appear. A company must also install it in (i) the company’s online privacy policy or policies, if the business has one; and (ii) any California-specific description of consumers’ privacy rights. Sec. 1798.135(a)(2). The CCPA also defines “homepage” to include “any Internet Web page where personal information is collected,” suggesting that some may interpret the statute to require that the link be included on other parts of the website where the user inputs data or user data is tracked or collected. Sec. 1798.140(l).

We have already observed a number of websites adopting a separate “California privacy rights” link from their general “privacy rights” link for residents of every other state, accessible from the homepage. Such a strategy does not deploy the actual language that the statute requires for the “do not sell” link and may face compliance challenges.

A more certain way to avoid having this “do not sell” link on the common homepage, other than not selling California residents’ data, is both an engineering and advertising challenge. That is, the law allows an entirely separate homepage for California residents (with the link) and one for everyone else (without the link). Sec. 1798.135(b). If a company takes California up on that challenge, it must further “take[] reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally.” Id. We look forward to seeing enterprising web engineers experiment with what “reasonable steps” might work here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Carlton Fields | Attorney Advertising

Written by:

Carlton Fields