For eCommerce businesses, California Consumer Privacy Right (CCPA) compliance should be high on your radar from 2020. Like the General Data Protection Regulation (GDPR) in Europe, CCPA focuses on protecting California customer data and giving them a right to control their personal information (read more about CCPA rights). It came into effect on January 1st, 2020, and only applies to California residents and merchants who sell to Californians.
Although both regulations have a number of similarities, there are some key differences between them. Specifically, the CCPA requires a clear “Do Not Sell My Personal Information” page. It should provide the website visitors with an opportunity to opt out of the sale of their personal data to third parties.
In addition to the existing CCPA regulations, it’s important to note that the California Privacy Rights Act (CPRA) has introduced significant changes to data privacy compliance in California. The CPRA, which amends and expands upon CCPA, came into effect in 2023 and further strengthens the protection of California customer data. It goes beyond CCPA by introducing new requirements, such as additional consumer rights, enhanced data breach notification obligations, and stricter regulations for businesses handling sensitive personal information. Businesses operating in California must now navigate both CCPA and CPRA to ensure comprehensive compliance with the evolving landscape of data privacy regulations in the state.
One crucial point to highlight is that the “Do Not Sell My Personal Information” requirement, initially mandated by CCPA, remains a fundamental aspect of CPRA compliance as well.
Where to Display “Do Not Sell My Personal Information” Page
Since there are no strict boundaries on implementing the ”Do Not Sell” page on your website, you can find a wide range of its examples in eCommerce. However, we are provided with precise requirements for where to display the “Do Not Sell” link.
Methods of Opting Out
Another CCPA rule states that merchants need to provide “two or more designated methods for submitting requests”. Therefore, we have reviewed 20 popular retailers’ websites to provide you with ideas on implementing the “Do Not Sell My Personal Information” page.
We have grouped the examples according to how you submit opt-out requests. Let’s take a look at each of the methods:
- Opt-out form
- Opt-out email & toll-free phone number
- Blocking cookies in a browser
- Advertising industry opt-out tools
- Opt-out button
- Restricting access for non-Californians
- Submitting all privacy requests on page
- Providing various opt-out options
20 Examples of “Do Not Sell” Page in eCommerce
Examples of “Do Not Sell” page: an opt-out form
Most websites provide a web form that allows customers to opt out of the sale of their personal information. This form requires customers to provide personal information to complete the opt-out request. Note that you should not ask visitors to provide unnecessary information. Please review three examples of the opt-out form below.
As one of the largest retailers in the United States, Target Corporation includes the “Do Not Sell” page to become compliant with CCPA requirements. Consumers can find the “Do Not Sell My Personal Information” – CA Resident Only” link in the footer of the online store.
When you click on the “Do Not Sell” page, it takes you to the landing page with the form to fill out. It is necessary to provide personal information such as First and Last Name, Address, Zip Code, City, Email Address, and Phone Number. The State line has already been filled out since this form only applies to California residents.
An American home decor company Crate&Barrel also includes the “Do Not Sell My Info” link to the website footer in the Resources block.
It takes you to a separate page with the form to fill out. There, you need to provide the following information: your First and Last Name, Street Address, Zip Code, City, State, Email, and Phone Number.
Everyone seems to know how Mcdonald’s is eager to provide the best value to their customers. This American fast-food company also cares about customer data privacy and complies with major data privacy laws, including the CCPA. The “Do Not Sell” page in the footer takes you to a CCPA Rights Center landing page.
Authorized California residents’ agents should request the opt-out via email, and other visitors need to fill out the request form on this page. The form requires providing first and last name, email address, US state, and phone number (an optional field).
Examples of “Do Not Sell” page: an opt-out email
Another way to let customers submit the Do Not Sell My Personal Information request is to provide contact information for your business. According to our research, this is the second most popular opt-out method. Mainly, companies provide their email address and include a list of personal information to provide.
British luxury fashion house Burberry group have placed the “Do Not Sell” link in their footer’s Legal & Cookies block.
Although it is not essential, the company includes details about what personal data it sells and why.
To opt out, customers should email at firstname.lastname@example.org using the subject “California Opt Out from Sale.” Their responsibility is to provide the Burberry team at least the name and email address associated with their account.
Paul Smith, one of the foremost British clothing retailers, displays the “Do Not Sell My Personal Information” link in the website’s footer as well. Once you go there, you are informed of the brand’s compliance with the GDPR and CCPA requirements.
Similarly to Burberry, Paul Smith provides customers with an email address and a phone number to contact and submit the request. When submitting, you have to provide your name and email address used on the website.
Importantly, if you provide your business’s phone number, it must be toll-free. Under the CCPA, merchants have to offer free opt-out methods, such as toll-free phone numbers, emails, forms, etc.
Moreover, Paul Smith also claims they do not sell but use your personal information for digital network advertising purposes. Hence, “you can opt out of this by managing your browser settings”, that is, to restrict cookies. This is another additional opt-out method you may consider.
Examples of “Do Not Sell” page: blocking cookies in browser
Alternatively, some websites offer to block cookies as one of the additional methods to opt out of the sale of personal information. Mainly, they place an opt-out cookie on a customer browser and prevent information from being collected by advertising partners.
Although we do not recommend this opt-out method as the main one, it may be a good alternative to provide your customers with more security information and opt-out options.
An American membership warehouse club, Costco offers California clients to opt out of selling personal information by going to the landing page in the store’s footer.
When you get there, you can fill out the form by providing your membership number and last name.
Visitors can also restrict personal data collection and processing by opting out of third-party cookies in the cookie settings tool. To get there, customers can click the Cookie Setting Tool link on the “Do Not Sell” page. Additionally, Costco provided clear information about the consequences of the choice.
The next company on our list is Best Buy. Like the above-mentioned online stores, you can find the “Do Not Sell” link in the footer of the website.
However, the information regarding selling personal data is different from the already mentioned companies. Specifically, Best Buy states it doesn’t sell the personal information of its consumers, yet it can be used for advertising intentions and collected with the help of cookies.
Here, the company makes the website visitors and existing customers feel safe by offering to opt out of the information sale by blocking cookies. For this, you need to press the “Do Not Sell My Personal Information” button and confirm your request in a popup.
To wrap up, Best Buy doesn’t ask for your personal information because they do not need it to honor your request. Instead, the “opt-out cookie will be placed and stored on your browser, preventing personal information from being made available from this website to advertising partners for their own use”.
Additionally, the “Do Not Sell” page contains detailed information explaining how your personal information may be collected, as well as the fact that visitors need to opt out of internet-based advertising by visiting www.aboutads.info/choices.
Examples of “Do Not Sell” page: advertising industry opt-out tools
Some companies offer visitors additional choices regarding the collection and use of their personal information. For example, many third-party advertisers use tracking and targeting tools on the website either directly or as a program partner. More specifically, customers can visit each partner’s website and limit third parties’ collection and use of personal information.
Similarly to all large corporations, The Walt Disney Company provides the best customer service and security to remain on the top of its industry. Being international, this mass media & entertainment conglomerate complies with laws, including the requirements of CCPA.
In addition to filling out a request form (the main method), Disney offers some other alternatives to opt-out:
- Sending a request via email. However, it may take time for fulfilling the request.
- For a more immediate way, customers can follow the provided instructions to submit the opt-out request at each of Disney’s partners separately. All in all, visitors can opt out of internet-based advertising, social media site ad tracking and analytics, as well as digital measurement research on each partner site.
Another example we offer you to consider is Kohl’s – an American department store retail chain. The “CA – Do Not Sell My Information Page” can be accessed from the website’s footer.
By clicking there, customers are redirected to a landing page with comprehensive information about the California residents’ rights, as well as an opt-out form you are already familiar with.
Additionally, below the opt-out form, Kohl’s provides visitors with further instructions on how to opt-out of “all targeted advertising in desktop and mobile browsers on a particular device”. As their partners provide this targeted advertising, you need to go to the partner websites and opt out.
Examples of “Do Not Sell” page: an opt-out button
It takes some time to click on the “Do Not Sell My Personal Information” link and proceed with multiple steps to opt out. However, some websites have an opt-out button that allows customers to opt out with a single click. Let’s take a look at some of them.
Being an American worldwide-known eCommerce marketplace, Groupon is the company that stays up-to-date with CCPA requirements and introduces the “Do Not Sell My Personal Information” page in the footer of the website. Generally, it is a popup that informs Californian consumers that their data might be collected.
You can find more information about opting out by clicking the Privacy Statement link in the popup. However, you can notice that this company does not provide a clear “Do Not Sell” page as stated in CCPA requirements but displays the opt-out toggle in a popup.
On eBay, a well-known worldwide shopping and auction website, you can make a Do Not Sell My Personal Information request by clicking on the appropriate link in the footer of the website. All you need to do is simply switch the toggle to “Out”.
Additionally, the website informs you of how your opt-out is applied: for logged-in users, the choice will be associated with their account. Otherwise, the opt-out choice will be applied to a currently used browser and only until the browser’s cookies are erased.
Examples of “Do Not Sell” page: restricting access for non-Californians
Unlike previous website examples, some companies restrict access for non-California users prior to opt-out. In some cases, websites hide the “Do Not Sell” link from non-Californian visitors using geo-location. Others, however, ask about a residence in the first question of the opt-out form. Let’s take real examples.
Prior to filling out the opt-out form with personal information, you need to indicate whether you are submitting the request for yourself and confirm California residence.
If you set the latter option to No, you will see a message stating that this service is available to California residents only.
A worldwide-known video game developer and publisher, Blizzard Entertainment, Inc. displays the “CA Residents only: Do not sell my personal information” link in the footer but hides it from non-Californians using the geo-IP functionality.
After you click on the link, it takes you to the landing page with the following information:
“Blizzard takes your privacy very seriously. We do not sell your personal information.”
As you can see above, the company provides customers with an opportunity to opt out of any future sale of the consumer’s personal information. Blizzard states the following:
“If you would like to record that Blizzard will not sell your data in the future, please click here.”
By clicking Here, you will be redirected to the page that can let you prevent Blizzard from selling your personal info. To complete the opt-out process, you should provide your email address to receive the verification code.
However, non-California residents are not able to enter their email addresses and submit the request. Instead, they will see the following message:
In Rakuten, one of the largest Japanese eCommerce sites, the “Do Not Sell My Data” link is accessible in the website’s footer. When clicking it, you have to confirm the place of residence in a popup.
After confirming, you are to log in or specify that you are not a member, and you will be offered to opt out of the sale of your data or delete your data.
However, if your residence is other than California, you will receive a restriction message:
Examples of “Do Not Sell” page: submitting all privacy requests on page
In order to comply with CCPA, you should not forget about other rights. Besides the right to opt out of third-party data sales, your website visitors also have the right to have collected data disclosed and deleted. Therefore, many merchants combined these requests to be submitted from one page. Usually, this is an opt-out form, where visitors need to provide their personal data and specify the type of the request. Please check four examples of the privacy requests page below.
When clicking on the “Do Not Sell My Personal Information” page, customers are taken to the Exercise My Privacy Rights page. After a clear explanation of how the opt-out request works, they can find the Privacy request form.
Besides opt-out of sale, website visitors can also submit Get My Information and Delete My Information requests. In order to submit the request, it is required to select its type and fill in some personal information. Next, the verification email will be sent to the provided email address.
Otherwise, website visitors can call 1-800-394-1326 to speak to a representative if they don’t like to provide an email address during the form submission.
Samsung is one of the leading South Korean multinational electronics companies. When going to their official website, you are immediately captured with the innovative graphics and animation. Scroll down to the footer and click on the “Do Not Sell My Personal Information” page.
You are taken to the visually interactive landing page with the information about customers’ privacy rights.
Besides the ability to request not to sell personal data, customers can also access and delete their personal information collected by Samsung.
After clicking the Create Request, they need to declare residency, select the type of request and request options (including identity verification via the email address or phone number as well as the ability to add other requests before the next step), review requests, and submit them. Then the request summary will be generated.
One of the largest hardware chain businesses in the US and Canada, Lowe’s keeps pace with the latest CCPA rules and provides customers with the “Do Not Sell My Personal Information” link in the footer of the webpage.
You can find there the following information: “To ‘opt-out from sale’ under the CCPA, please first adjust your cookie preference for Lowe’s sites here, and also submit an opt-out request via Lowe’s Privacy Request Portal or the hotline above.”
So, unlike Groupon, Lowe’s has its own ports where you should click on the link “Lower’s Privacy Request Portal” and select the request type for the security of your personal data:
- Access My Personal Information;
- Delete My Personal Information;
- Restrict Certain Sharing of My Information (“Opt-out from the Sale”)
You have to follow three steps to submit a request: select the type of request, provide the requestor’s information, and submit.
When clicking Make a Request, customers fill out a request form specifying the request type (opt-out of sales and sharing, delete personal information, or request personal information). Then, it is necessary to provide name, email, and other data, including the phone number, to get a confirmation message.
Examples of “Do Not Sell” page: providing various opt-out options
In this section, we are going to introduce you to the most comprehensive opt-out implementation according to our research, as the reviewed companies provide clear information about how to submit requests in different ways suitable for all visitors.
Besides already familiar options (by phone and direct link), we recommend you consider a privacy portal implementation. Customers can either log in to the privacy portal and make a request associated with their account or create requests providing their personal data and email for confirmation.
At Macy’s, they also care about customers’ privacy. By clicking on the “Do Not Sell My Personal Information” link in the footer, you are taken to the Notice of Privacy Practices landing page, particularly to the section for California residents.
There, you are provided with three possible ways to submit the request:
- Via Data Privacy Portal, where you can also submit personal data access and deletion requests
- Directly from the opt-out of sale of Personal Information link
- By phone at 800-920-3588
An American luxury department store chain does not stand aside from customer privacy as well. You can easily access the “Do Not Sell My Personal Information” page in the website’s footer.
Just as Macy’s does, Bloomingdale’s redirects you to the Notice of Privacy Practices page and provides you with three options to submit the opt-out request.
- Submit the request by provided phone number
- Use their privacy portal, where you can also submit a personal information access request, as well as an account deletion request
- Use the direct link
Over a year after CCPA went into effect, we can observe the “Do Not Sell My Personal Information” page on almost all large corporations’ websites. Californians who are aware of their rights are very likely to opt out and secure their personal information.
Under the CCPA, the “Do Nor Sell” page must be “clear and conspicuous”. It should also explain what kind of personal information is gathered and why, and how to exercise the right to opt-out of the sale of personal information.
Commonly, companies include an opt-out form as the main method to opt out, which consumers can complete to make the request.
Additionally, you have to include at least one additional opt-out method according to the CCPA requirements. You can choose other designated methods from the following ones:
- Email submission form
- Toll-free phone number
As one of the additional opt-out methods, some companies place and store an opt-out cookie on your browser, preventing personal information from being available to advertising partners. Others, though, offer to submit a request on each of the partners’ websites. And finally, you may consider restricting access to the “Do Not Sell” page from non-Californian visitors.
On top of that, you must protect your consumers’ rights and accept all opt-out requests to avoid getting fines from the California state and losing consumers due to bad faith.