The CCPA Regulations require that businesses that buy, receive, sell, or share personal information about more than 10 million Californians disclose metrics within their privacy notices regarding the quantity of data subject requests that they received in the previous calendar year. Among other things, if a business offers a do not sell my personal information link, the businesses must report the number of do not sell requests it received in the year.1
It is important to note that 66% of health care companies do not post a “do not sell” link on their websites, indicating that they have taken the position that they do not sell personal information of California residents. That said, the one health care company that posted its data subject request metrics did post a do not sell link. That company received 306 do not sell requests.2
1 Cal. Code Regs. tit. 11, § 999.317(g) (2021).
2 Review was conducted in August of 2021.