Privacy Policy Clause: Notice of the Right to Opt-Out of the Sale or Sharing of Personal Information
(CCPA/CPRA)

Summary

This clause discloses certain rights granted to consumers under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (CCPA/CPRA) regarding the right to opt-out of the sale or sharing of their personal information. This clause includes practical guidance and drafting notes. Businesses have a statutory obligation to notify consumers that their personal information may be sold or shared and that they have the right to opt-out of the sale or sharing of their personal information, including a link to such notice in certain specified locations (discussed below). Cal. Civ. Code §§ 1798.120(b), 1798.135(a). This notice may stand alone, but the information should also be included in your California privacy policy (and notice at collection if you have two separate documents). When Must a Business Provide This Notice? First, it is important to know what the CCPA/CPRA considers "sale" or "sharing." "Sale" means disclosing the personal information to another business or a third party for monetary or other valuable consideration. Cal. Civ. Code § 1798.140(ad)(1). "Sharing" is defined as a disclosure of personal information "for cross-context behavioral advertising." Cal. Civ. Code § 1798.140(ah)(1). "Cross-context behavioral advertising" means advertising that is targeted to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly branded internet websites, applications, or services. Cal. Civ. Code § 1798.140(k). You do not need to provide a Notice of Right to Opt-out of Sale/Sharing or the "Do Not Sell or Share My Personal Information" link if: • You do not sell or share personal information –and– • You state in your privacy policy that you do not sell or share personal information. 11 CCR 2026(g). "Do Not Sell or Share My Personal Information" Link There must be a conspicuous link to this notice located at either the header or footer of the business's internet homepage that states "Do Not Sell or Share My Personal Information." 11 CCR 7013(c). The link should be a similar font size and color to other links posted on the business's homepage. 11 CCR 7003(c) and 7013(c). For a mobile application, you must include the link in the business's privacy policy, which must be accessible through the mobile application's platform page or download page. 11 CCR 7003(d). You also have the option of providing an alternative opt-out link titled "Your California Privacy Rights" that allows consumers to easily exercise both their right to opt-out of sale/sharing and right to limit the use of their sensitive personal information. See 11 CCR 7015. What Must the Notice Include? The Notice of Right to Opt-out of Sale/Sharing, like all other disclosures and communications to consumers, must be designed and presented in a way that is easy to read and understandable. It must be: • In plain, straightforward language avoiding technical or legal jargon • In a format that draws the consumer's attention to the notice and makes the notice readable, including on smaller screens, if applicable • In languages that the business uses in the ordinary course -–and– • Reasonably accessible to those with disabilities 11 CCR 7003(a) and (b) and 7013(b). The Notice of Right to Opt-out of Sale/Sharing must include: • A description of the consumer's right to opt-out of the sale or sharing of their personal information by the business –and– • Instructions on how the consumer can submit a request to opt-out of sale/sharing, e.g., by including an interactive form if the notice is provided online or through an offline method if the business does not operate a website 11 CCR 7013(f). Methods of Submitting Opt-Out Requests Note that you must provide two or more methods for submitting opt-out requests considering: • The ways the business interacts with consumers • The way the business collects the personal information that it sells or shares • Available technology –and– • Ease of use by the consumer. 11 CCR 2026(a). At least one method must reflect the way the business primarily interacts with the consumer. CCPA/CPRA regulations provide the following examples: • If the business interacts with consumers online, provide, at a minimum, the follow opt-out request methods: o Opt-out preference signal and an interactive form accessible through: ▪ The "Do Not Sell or Share My Personal Information" link ▪ Alternative opt-out link –or– ▪ Privacy policy • If the business interacts with consumers online and in person, provide, at a minimum, the follow opt-out request methods: o Opt-out preference signal –and– o In-person method 11 CCR 2026(a)(1) and (2). Other possible methods for submitting requests include a toll-free phone number, a designated email address, a form submitted in person, and a form submitted through the mail. 11 CCR 2026(a)(3). Where Should the Notice Be Given? The Notice of Right to Opt-out of Sale/Sharing must be posted on the internet web page to which the consumer is directed after clicking on the "Do Not Sell or Share My Personal Information" link. The notice must include the information specified above or be a link that takes the consumer directly to the specific section of the business's privacy policy that contains the same information. 11 CCR 7013(a), (e)(1). If clicking on the "Do Not Sell or Share My Personal Information" link immediately effectuates the consumer's right to opt-out of sale/sharing or if the business processes opt-out preference signals in a frictionless manner and chooses not to post a link, the business must provide the notice in its privacy policy. 11 CCR 7013(e)(1). Provide the notice to opt-out of sale/sharing in the same way that you collect the personal information that is sold or shared. 11 CCR 7013(e)(3). CCPA/CPRA regulations provide the following examples: • If you collect the personal information in a brick–and–mortar store, then you should provide the notice through the paper forms that collect the personal information or by posting signage in the area where the personal information is collected directing consumers to where the notice can be found online. • If you collect the personal information over the phone, you should provide notice orally during the call when the information is collected. 11 CCR 7013(e)(3). For additional content related to the CCPA and CPRA, see California Consumer Privacy Resource Kit (CCPA and CPRA). For a full listing of related California consumer privacy content, see Data Privacy and Cybersecurity State Law Compliance Resource Kit (CA). For a full listing of related data security & privacy content for first-year associates, see First-Year Associate Resource Kit: Data Security and Privacy. For a sample privacy policy and notice at collection, see Privacy Policy (CCPA and CPRA Compliant) and Privacy Notice at Collection (CCPA and CPRA).