CPRA’s ‘Do Not Sell/Share’ Provision: What You Need to Know [Updated 2023]
At a glance
Under CPRA, consumers may limit the sale and sharing of their personal data online—a departure from CCPA, which only covered the sale of personal data.
With the July 2023 CPRA enforcement date approaching fast, businesses should work to make sure they're meeting CPRA's Do Not Sell or Share requirements.
This guide covers what's required under CPRA Do Not Sell or Share, how to approach opt-out signals, the concept of "frictionless" opt-out, and more.
What’s required under CPRA ‘Do Not Sell or Share’?
The California Privacy Rights Act (CPRA) expanded the opt-out requirements set by the California Consumer Privacy Act (CCPA)—giving consumers the ability to limit both the sale and sharing of their personal or sensitive information online.
The CPRA states:
“A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer's personal information. This right may be referred to as the right to opt-out of sale or sharing.”
It goes on to cover a few additional guidelines, noting that businesses:
Must disclose whether they sell or share personal data
Must notify consumers of their right to opt out
May not sell or share a consumer’s data if they’ve opted out, unless the consumer provides consent at a later date
May not sell or share a consumer's personal data if they know them to be less than 16 years old, unless:
The consumer is between 13 and 16 years old and has given permission to sell or share the data
Or, if the consumer is under 13, their parent has consented to the sale or sharing of their personal data
Below we'll cover 9 steps that will help your organization become compliant with CPRA Do Not Sell or Share.
9-step compliance checklist for CPRA Do Not Sell or Share
Though you should work to address all areas of CPRA compliance, Do Not Sell or Share is highly visible and easy to audit—meaning it’s worth spending the extra time to dot your I’s and cross your T’s.
The good news is that CPRA does offer detailed guidance on how businesses can comply with these requirements, which we’ve outlined in the nine-step compliance checklist below.
Disclose the sale or sharing of personal data and notify consumers that they have the right to opt out.
Provide two “clear and conspicuous link(s)” on your homepage—one that reads “Do Not Sell or Share My Personal Information” and one titled “Limit the Use of My Sensitive Personal Information.”
Or, instead of #2, businesses may provide one “Alternative Opt-Out Link” on their homepage, which allows consumers to opt out of sale or sharing and “limit the use or disclosure” of their sensitive personal information. We’ll provide more details about the requirements for this type of link below.
A consumer's rights
The opt-out links mentioned above, and
A statement confirming your business responds to opt-out signals
Do not force a consumer to create an account or solicit information beyond what’s needed to complete the opt-out request
Make sure the team fulfilling consumer requests has the appropriate training—meaning they understand CPRA requirements and can help consumers exercise their rights
Respect and abide by consumers’ opt-out requests and wait 12 months before requesting to use a consumer's personal information again
Do not sell or share personal data for people under 16 without consent
Only use data collected during the opt-out process to fulfill the request
Part of what makes the CPRA Do Not Sell or Share requirements confusing is the growing acceptance of opt-out signals. In fact, in Sephora’s $1.2M settlement with California in 2022, the attorney general specifically called out the cosmetics retailer for not honoring opt-outs received via the Global Privacy Control signal.
We’ll provide more details about CPRA’s requirements regarding opt-out signals below.
Opt-out signals for Do Not Sell or Share
Honoring opt-out signals, like the Global Privacy Control, is another option businesses may use for Do Not Sell or Share compliance.
While the original draft of CPRA seemed to give businesses an either/or choice between a link-based protocol and honoring opt-out signals, the Draft Regulations finalized in early 2023 took a different tack.
Section 7025 of the Draft Regulations defines an opt-out signal as:
“a signal that is sent by a platform, technology, or mechanism, on behalf of the consumer, that communicates the consumer choice to opt-out of the sale and sharing of personal information”
It goes on to note that:
“The purpose of an opt-out preference signal is to provide consumers with a simple and easy-to-use method by which consumers interacting with businesses online can automatically exercise their right to opt-out of sale/sharing.”
In stark contrast to the original draft of the CPRA, the Draft Regulations require businesses to honor consumer preferences transmitted through an opt-out signal as long as that signal meets certain technical requirements, including:
The signal provider clearly notifies the consumer that the signal will opt them out of the sale or sharing of their personal data
The Draft Regulations also outline several mandates for businesses who receive an opt-out preference signal from consumers, requiring that the business:
Treats the signal as a valid request
Doesn't require the consumer to give more information than what’s necessary—though they can request more information if it will facilitate fulfilling the request
Doesn't use, keep, or disclose the information received as part of the request for any other purpose than fulfilling the request
One thing the Draft Regulations make abundantly clear is that honoring opt-out preference signals is not optional. This stands in contrast to the original draft of the CPRA, where the language seemed to indicate a choice between providing a “Do Not Sell or Share” link or honoring opt-out preference signals.
The Draft Regulations state very clearly that:
“[CPRA] section 1798.135 [...] does not give the business the choice between posting the above-referenced links or honoring opt-out preference signals. Even if the business posts the above-referenced links, the business must still process opt-out preference signals, though it may do so in a non-frictionless manner.”
The proposed Draft Regulations go on to provide a few if/then scenarios that address potential opt-out signal conflicts (e.g., a consumer who is enrolled in a financial incentive program but has their opt-out signal turned on). They also provide several detailed examples of how a business might make it clear to a consumer that their preference signal is being honored.
So, it’s well worth your time to fully review Draft Regulations Section 7025.
According to the CPRA Draft Regulations:
“The purpose of the Alternative Opt-out Link is to provide businesses the option of providing consumers with a single, clearly-labeled link that allows consumers to easily exercise both their right to opt-out of sale/sharing and right to limit.”
This option is meant as an alternative to providing two different links—one for “Do Not Sell or Share My Personal Information” and one for “Limit the Use of My Sensitive Personal Information.”
For an Alternative Opt-out Link to be compliant, it must:
Send consumers to a webpage with details about their right to opt-out and right to limit, as well as a way to exercise those rights
Be titled “Your Privacy Choices” or “Your California Privacy Choices”
Include a specific icon (shown below) next to the title—this icon must be similar in size to the other icons in the business's header or footer
Be located in the header or footer of the business's homepage
Frictionless opt-out for CPRA Do Not Sell or Share
“Frictionless” opt-out is a concept that appears only in the CPRA Draft Regulations, which offer several criteria for what defines a “frictionless” opt-out process. Specifically, the regs state that a business may not:
Charge consumers for using an opt-out signal
Change the user experience for consumers who use opt-out signals
“Display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial content in response to the opt-out preference signal.”
For added context on #3, notifying the consumer that their opt-out signal is being honored does not count against the business. Also, the business may provide a link through which the consumer can instruct the business to ignore the opt-out signal.
Though businesses are always required to honor opt-out preference signals, the Draft Regulations do provide criteria for a scenario where they don't need to provide either type of opt-out link, including:
They are processing opt-out signals in a “frictionless” way
Information about a consumer’s right to opt-out of the sale or sharing of their personal data
“A statement that the business processes opt-out preference signals in a frictionless manner”
Details on how consumers can implement an opt-out signal for their own use
“Instructions for any other method by which the consumer may submit a request to opt-out of sale/sharing”
The business is able to “fully effectuate” a consumer's opt-out request, meaning it can apply the opt-out to both online and offline personal data processing
How to manage CPRA opt-out requests using Transcend
Transcend can help your business comply with CPRA Do Not Sell or Share requirements, including requests received via opt-out browser signals like Global Privacy Control. Below you’ll find an abridged version of our guide for implementing Transcend for Do Not Sell or Share compliance.
If you’d like to take a deeper dive, you can find the complete guide here.
Step 1: Catalog all data sharing
Full compliance relies on having a comprehensive picture of where personal data is being collected and whether it’s being sold or shared with a third party.
Using Transcend Data Mapping and Transcend Consent, you can automatically scan your entire tech stack for conversion pixels, ad networks, and other technologies that collect or share personal information.
Transcend Data Mapping completes an initial website scan using a headless Chromium browser—identifying backend tooling, such as systems connected to your Customer Data Platform (e.g. Segment) or SSO provider (e.g. Okta), that may not be visible client-side. You can use this tool to catalog your company’s full data inventory—helping you identify any missing data silos that might prevent your org from being fully compliant.
Transcend Consent allows you to identify and review client-side data flows. Using our airgap.js script, Transcend Consent reports anonymous telemetry from your site—giving you more insight into your client-side data collection.
Step 2: Build and implement a plan for your opt-out experience
Under CCPA and CPRA, businesses must provide specific, foundational opt-out capabilities. Applied to the context of your own tech stack, data sharing practices, and ideal user experience, there are a few other things you may want to consider.
At a minimum, your business must enable a consumer to:
Opt out via a browser signal like GPC
Confirm the opt out has been completed
You can use Transcend Consent to achieve this “frictionless” opt-out flow. But you may need or want to support other opt-out experiences. If any of the scenarios below apply to you, then you probably aren’t a good candidate for the frictionless workflow, but don’t worry—setup can still be simple.
1) Does your business need to collect any additional information in order to fully effectuate the opt-out request?
If the only data sharing taking place is happening client-side, the request can be fully honored by Transcend Consent without needing to collect additional information.
However, if data sharing is happening in your backend or via offline channels and you need additional information to fully honor the request, then you must collect that information. For example, this may include collecting the user’s email address or asking them to log in to their account. We’ll cover how to do this via a Data Subject Request in your Privacy Center in the complete implementation guide.
2) Does your website have user accounts?
If so, you must store an opt-out submitted by a logged-in user to ensure it’s honored on future site visits. This information can be stored within Transcend Consent or be piped out via our API and stored on your backend.
You may already have specific privacy settings for a logged-in user that conflict with their opt-out signal. While the regulation requires that you immediately honor the opt-out signal and process their request, it does permit you to ask them if they would like to re-consent and give permission for you to ignore their opt-out signal. We walk through enabling this flow in the complete implementation guide.
3) Does your business want to offer consumers the ability to narrow their opt-out request to only apply to certain types of data sale or sharing?
You have the option to present consumers with the choice to opt out of the sale or sharing of personal information for certain uses as long as a single option to opt-out for ALL personal information is more prominently presented.
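As an added example (not Transcend's code and not text from the regulations), the following Node.js-style decision logic shows how a business might process the opt-out preference signal described in Section 7025 together with the logged-in account scenarios from Step 2: honor the signal immediately, persist it for account holders, flag a conflicting account-level consent for an optional re-consent prompt, show only a plain confirmation notice (no interstitial), and retain only the data needed to fulfill the request. It assumes the GPC browser signal arrives as the `Sec-GPC: 1` request header (the header name defined by the GPC specification); the `account` shape, the hypothetical `evaluateRequest` and `buildOptOutRecord` functions, and the sample inputs are constructed for illustration.

```javascript
// Added example (not Transcend's code): processing a Global Privacy Control (GPC)
// opt-out preference signal the way the Draft Regulations describe.
// A browser with GPC enabled sends the request header "Sec-GPC: 1"; anything else
// counts as no signal, so the business keeps its default behavior.
const SIGNAL_HEADER = 'sec-gpc';

// True when the request carries a valid opt-out preference signal.
// `headers` is a plain object with lower-cased header names.
function hasOptOutSignal(headers) {
  const value = headers[SIGNAL_HEADER];
  return typeof value === 'string' && value.trim() === '1';
}

// Decide how to treat one request. `account` is null for anonymous visitors,
// otherwise a constructed shape { id, optedOut, consentedToSharing }.
// The result says whether sale/sharing is allowed, whether the opt-out must be
// persisted for a logged-in user, whether a re-consent prompt may be offered,
// and the only UI a frictionless flow may show: a plain confirmation notice.
function evaluateRequest(headers, account) {
  const signal = hasOptOutSignal(headers);
  const decision = {
    optOut: Boolean(account && account.optedOut), // a stored opt-out stays honored
    persist: false,
    offerReconsent: false,
    notice: null,
  };
  if (signal) {
    // The signal is a valid request and must be honored immediately.
    decision.optOut = true;
    // Logged-in user: store the opt-out so future visits honor it too.
    if (account && !account.optedOut) decision.persist = true;
    // Account-level consent conflicts with the signal: the signal wins now, but
    // the business may ask whether the consumer wants to re-consent.
    if (account && account.consentedToSharing) decision.offerReconsent = true;
    // Confirming that the signal was honored is allowed; interstitials are not.
    decision.notice = 'Your opt-out preference signal has been honored.';
  }
  decision.sellOrShare = !decision.optOut;
  return decision;
}

// Record to keep for a signal-based opt-out: only what is needed to fulfill it.
// IP address, user agent and cookies are deliberately not copied from the request.
function buildOptOutRecord(account, receivedAt) {
  return {
    subject: account ? { accountId: account.id } : { anonymous: true },
    method: 'opt-out-preference-signal',
    receivedAt: receivedAt.toISOString(),
  };
}
```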
Read the full California Do Not Sell or Share guide to learn how to implement Transcend Data Mapping and Transcend Consent for full compliance.
Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.
Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.