Skip to content

The CCPA Regulations require that businesses that buy, receive, sell, or share personal information about more than 10 million Californians disclose metrics within their privacy notices regarding the quantity of data subject requests that they received in the previous calendar year. Among other things, if a business offers a do not sell my personal information link, the businesses must report the number of do not sell requests it received in the year.[1]

It is important to note that 31% percentage of retailers do not post a “do not sell” link on their websites, indicating that they have taken the position that they do not sell personal information of California residents. Based upon a review of the websites of the Fortune 500, those retailers that offered a do not sell option received on average 106,134 do not sell requests.[2] It is worth noting that do not sell requests were not evenly distributed. Some retailers reported receiving as few as 125 do not sell requests, whereas other retailers reported receiving 668,000 such requests. While it is difficult to determine the reason for the disparity, it is possible that some retailers may not have been counting opt-outs from behavioral advertising (e.g., opt-outs from a cookie banner) as requests that information not be sold.

[1] Cal. Code Regs. tit. 11, § 999.317(g) (2021).

[2] Review was conducted in August of 2021.