CPRA Do Not Sell/Share: What You Need to Know in 2024

At a glance

• Under CPRA, consumers may limit the sale and sharing of their personal data online—a departure from CCPA, which only covered the sale of personal data.
• With the CPPA able to actively enforce CPRA requirements (after a surprise reversal of the 2023 delay), businesses should work to make sure they're meeting CPRA's Do Not Sell or Share requirements.
• This guide covers what's required under CPRA Do Not Sell or Share, how to approach opt-out signals, the concept of "frictionless" opt-out, and more.

Table of contents

• What's required under CPRA Do Not Sell or Share?
• 9 step compliance checklist for CPRA Do Not Sell or Share
• Opt-out signals for Do Not Sell or Share
• “Alternative Opt-Out Links”
• Frictionless opt-out
• When do you not need to display an opt-out link?
• How to manage CPRA Do Not Sell or Share using Transcend

What’s required under CPRA ‘Do Not Sell or Share’?

The California Privacy Rights Act (CPRA) expanded the opt-out requirements set by the California Consumer Privacy Act (CCPA)—giving consumers the ability to limit both the sale and sharing of their personal or sensitive information online.

The CPRA states:

It goes on to cover a few additional guidelines, noting that businesses:

• Must disclose whether they sell or share personal data
• Notify consumers of their right to opt-out
• May not sell or share a consumer’s data if they’ve opted out, unless the consumer provides consent at a later date
• May not sell or share a consumer's personal data if they know them to be less than 16 years old, unless:
  • The consumer is between 13 and 16 years old and has given permission to sell or share the data
  • Or, if the consumer is under 13, their parent has consented to the sale or sharing of their personal data

Below we'll cover 9 steps that will help your organization become compliant with CPRA Do Not Sell or Share. 

9 step compliance checklist for CPRA Do Not Sell or Share

Though you should work to address all areas of CPRA compliance, Do Not Sell or Share is highly visible and easy to audit—meaning it’s worth spending the extra time to dot your I’s and cross your T’s. 

The good news is that CPRA does offer detailed guidance on how businesses can comply with these requirements, which we’ve outlined in a nine step compliance checklist below.

1. Disclose the sale or sharing of personal data and notify consumers that they have the right to opt out.
2. Provide two “clear and conspicuous link(s)” on your homepage—one that reads “Do Not Sell or Share My Personal Information” and one titled “Limit the Use of My Sensitive Personal Information.”
3. Or, instead of #2, businesses may provide one “Alternative Opt-Out Link” on their homepage, which allows consumers to opt out of sale or sharing and “limit the use or disclosure” of their sensitive personal information. We’ll provide more details about the requirements for this type of link below.
4. In your privacy policy, be sure to include information about: 
   1. A consumer's rights
   2. The opt-out links mentioned above, and 
   3. A statement confirming your business responds to opt-out signals
5. Do not force a consumer to create an account or solicit information beyond what’s needed to complete the opt-out request
6. Make sure the team fulfilling consumer requests has the appropriate training—meaning they understand CPRA requirements and can help consumers exercise their rights
7. Respect and abide by consumers’ opt-out requests and wait 12 months before requesting to use a consumer's personal information again
8. Do not sell or share personal data for people under 16 without consent
9. Only use data collected during the opt-out process to fulfill the request

Part of what makes the CPRA Do Not Sell or Share requirements confusing is the growing acceptance of opt-out signals. In fact, in Sephora’s $1.2M settlement with California in 2022, the attorney general specifically called out the cosmetics retailer for not honoring opt-outs received via the Global Privacy Control signal. 

We’ll provide more details about CPRA’s requirements regarding opt-out signals below. 

Opt-out signals for Do Not Sell or Share

Honoring opt-out signals, like the Global Privacy Control, is another option businesses may use for Do Not Sell or Share compliance. 

While the original draft of CPRA seemed to give businesses an either/or choice between a link-based protocol and honoring opt-out signals—the Draft Regulations finalized in early 2023 took a different tact. 

Section 7025 of the Draft Regulations define opt-out signals as: 

It goes on to note that:

In stark contrast to the original draft of the CPRA, the Draft Regulations require businesses to honor consumer preferences transmitted through an opt-out signal as long as that signal meets certain technical requirements, including:

• The signal uses a common format such as an “HTTP header field or JavaScript object”
• The signal provider clearly notifies the consumer that the signal will opt them out of the sale or sharing of their personal data

The Draft Regulations also outline several mandates for businesses who receive an opt-out preference signal from consumers, requiring that the business:

• Treats the signal as a valid request
• Doesn't require the consumer to give more information than what’s necessary—though they can request more information if it will facilitate fulfilling the request
• Doesn't use, keep, or disclose the information received as part of the request for any other purpose than fulfilling the request

One thing the Draft Regulations make imminently clear is that honoring opt-out preference signals is not optional. This stands in contrast to the original draft of the CPRA, where the language seemed to indicate a choice between providing a “Do Not Sell or Share” link or honoring opt-out preference signals. 

The Draft Regulations state very clearly that:

The proposed Draft Regulations go on to provide a few if/then scenarios that address potential opt-out signal conflicts i.e. the consumer is part of a financial incentives program, but has their opt-out signal on. They also provide several detailed examples of how a business might make it clear to a consumer that their preference signal is being honored. 

So, it’s well-worth your time to fully review Draft Regulations Section 7025.

“Alternative Opt-Out Links” for CPRA Do Not Sell or Share

According to the CPRA Draft Regulations:

This option is meant as an alternative to providing two different links—one for “Do Not Sell or Share My Personal Information” and one for “Limit the Use of My Sensitive Personal Information.”

For an Alternative Opt-out Link to be compliant, it must:

• Send consumers to a webpage with details about their right to opt-out and right to limit, as well as a way to exercise those rights
• Be titled “Your Privacy Choices” or “Your California Privacy Choices”
• Include a specific icon (shown below) next to the title—this icon must be similar in size to the other icons in the business's header or footer
• Be conspicuous
• Be located in the header or footer of the business's homepage

Frictionless opt-out for CPRA Do Not Sell or Share

“Frictionless” opt-out is a concept that appears only in the CPRA Draft Regulations, which offer several criteria for what defines a “frictionless” opt-out process. Specifically, the regs state that a business may not:

1. Charge consumers for using an opt-out signal
2. Change the user experience for consumers who use opt-out signals
3. “Display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial content in response to the opt-out preference signal.”

For added context on #3, notifying the consumer that their opt-out signal is being honored does not count against the business. Also, the business may provide a link through which the consumer can instruct the business to ignore the opt-out signal. 

When do you NOT need to display an opt-out link?

Though businesses are always required to honor opt-out preference signals, the Draft Regulations do provide criteria for a scenario where they don't need to provide either type of opt-out link, including: 

• They are processing opt-out signals in a “frictionless” way
• Their privacy policy includes the following: 
  • Information about a consumer’s right to opt-out of the sale or sharing of their personal data
  • “A statement that the business processes opt-out preference signals in a frictionless manner”
  • Details on how consumers can implement an opt-out signal for their own use
  • “Instructions for any other method by which the consumer may submit a request to opt-out of sale/sharing”
• The business is able to “fully effectuate” a consumers opt-out request, meaning they can apply the opt-out to online and offline personal data processing

How to manage CPRA opt-out requests using Transcend

Transcend can help your business comply with CPRA Do Not Sell or Share requirements, including requests received via opt-out browser signals like Global Privacy Control. Below you’ll find an abridged version of our guide for implementing Transcend for Do Not Sell or Share compliance. 

If you’d like to take a deeper dive, you can find the complete guide here.

Step 1: Catalog all data sharing

Full compliance relies on having a comprehensive picture of where personal data is being collected and whether it’s being sold or shared to a third party. 

Using Transcend Data Mapping and Transcend Consent, you can automatically scan your entire tech stack for conversion pixels, ad networks, and other technologies that collect or share personal information. 

• Transcend Data Mapping completes an initial website scan using a headless Chromium browser—identifying backend tooling, such as systems connected to your Customer Data Platform (e.g. Segment) or SSO provider (e.g. Okta), that may not be visible on the client-side. You can use this tool to catalog your company’s full data inventory—helping you identify any missing data silos that might prevent your org from being fully compliant.
• Transcend Consent will allow you to identify and review client-side data flows. Using our airgap.js script, consent reports anonymous telemetry from your site—giving you more insight into your client-side data collection.

Step 2: Build and implement a plan for your opt-out experience

Under CCPA and CPRA, businesses must provide specific, foundational opt-out capabilities. Applied to the context of your own tech stack, data sharing practices, and ideal user experience, there’s a few other things you may want to consider.

At a minimum, your business must enable a consumer to: 

• Opt out via a link within the Privacy Policy
• Out opt via a browser signal like GPC
• Confirm the opt out has been completed

You can use Transcend Consent to achieve this “frictionless” opt out flow. But you may need or want to support other opt-out experiences. If any of the below scenarios apply to you then you probably aren’t a good candidate for the Frictionless workflow, but don’t worry—set up can still be simple.

Additional considerations

1) Does your business need to collect any additional information in order to fully effectuate the opt-out request?

If the only data sharing taking place is happening client-side, the request can be fully honored by Transcend Consent without needing to collect additional information.

However, if data sharing is happening in your backend or via offline channels and you need additional information to fully honor the request then you must collect that information. For example, this may include collecting the user’s email address or asking them to log in to their account. We’ll cover how to do this via a Data Subject Request in your Privacy Center in the complete implementation guide.

2) Does your website have user accounts?

If so, you must store an opt-out submitted by a logged-in user to ensure it’s honored on future site visits. This information can be stored within Transcend Consent or be piped out via our API and stored on your backend.

You may already have specific privacy settings for a logged-in user that conflict with their opt-out signal. While the regulation requires that you immediately honor the opt-out signal and process their request, it does permit you to ask them if they would like to re-consent and give permission for you to ignore their opt-out signal. We walk through enabling this flow in the complete implementation guide.

3) Does your business want to offer consumers the ability to narrow their opt-out request to only apply to certain types of data sale or sharing?

You have the option to present consumers with the choice to opt out of the sale or sharing of personal information for certain uses as long as a single option to opt-out for ALL personal information is more prominently presented.

Read the full California Do Not Sell or Share guide to learn how to implement Transcend Data Mapping and Transcend Consent for full compliance.

About Transcend

Has your organization has been impacted by the California Privacy Rights Act or other consumer privacy laws? Transcend, an all-in-one platform for modern privacy and data governance, can help you ensure compliance.

Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facing—including getting you ready for state privacy laws coming online in 2024.

From Consent Management, to automated DSR Fulfillment, to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.