Consumer Privacy Interactive Tool

The California Attorney General is creating a tool to help consumers draft a notice of noncompliance to send to businesses that may have violated the California Consumer Privacy Act (CCPA). Right now, this tool is limited to drafting notices to businesses that do not post an easy-to-find “Do Not Sell My Personal Information” link on their website. This tool may be updated over time to include other potential CCPA violations. This tool was last updated on July 17, 2021 (v1.0).

If a business sells personal information, then it must post a clear and conspicuous “Do Not Sell My Personal Information” link on its website so that consumers may request to opt out of the sale of their personal information. This interactive tool helps you draft a notice of noncompliance to send to businesses that may have violated the CCPA by not posting this link.

Answer the following questions as best as you can. Based on your answers, this tool will provide you with information about the CCPA and a draft notice that you can copy into an email or print and mail to the business that you believe has violated the CCPA.

While consumers cannot sue businesses for most CCPA violations, sending a notice of noncompliance is useful. The Attorney General may sue businesses that violate the CCPA if they do not cure any CCPA violation within 30 days of being notified of noncompliance. The notice you send may satisfy that prerequisite. Learn more about the CCPA here.

This tool is not legal advice. The Office of the Attorney General provides this tool as a resource but takes no position on the truthfulness of the information submitted or on whether a business has violated the CCPA. Please note that the OAG collects the information you provide in the tool to assist us in investigating and enforcing the law. This information may be also be subject to a public records act request.

1Is the business a for-profit business that does business in California?

Your answer indicates that the CCPA does not apply to this business. The CCPA applies only to for-profit businesses that do business in California. (Civil Code § 1798.140(c).)

The CCPA applies only to for-profit businesses that do business in California. (Civil Code § 1798.140(c).)

A for-profit business is a business that has the goal of earning profits. It does not include nonprofit organizations or government agencies.

It may be hard to know if a business does business in California. For the purposes of a consumer’s notice of noncompliance, consider if the business:

  • Has physical locations or employees in California
  • Engages in business transactions (e.g., selling its goods or services) in California or engages in online business transactions with California residents
  • Is incorporated or registered to do business in California

If you believe the business is a for-profit business that does business in California

2Does the business meet at least one of the following:
  • It has a gross annual revenue of over $25 million;
  • It buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices; or
  • 50% or more of its annual revenue comes from selling California residents’ personal information

Your answer indicates that the CCPA does not apply to this business. The CCPA applies only to a business that meets at least one of the following:

  • It has a gross annual revenue of over $25 million;
  • It buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices; or
  • 50% or more of its annual revenue comes from selling California residents’ personal information

(Civil Code § 1798.140(c).)

The CCPA applies only to a business that meets at least one of the following:

  • It has a gross annual revenue of over $25 million;
  • It buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices; or
  • 50% or more of its annual revenue comes from selling California residents’ personal information.

(Civil Code § 1798.140(c).)

It may be hard to know if a business meets any of these descriptions. For the purposes of a consumer’s notice of noncompliance, consider if the business is large in size or likely collects a lot of consumers’ personal information. Personal information is information that identifies, relates to, or could reasonably be linked with you or your household—for example, your name, email address, records of products purchased, internet browsing history, geolocation data, and inferences from other personal information that could create a profile about your preferences and characteristics. (Civil Code § 1798.140(o).)

If you believe the business meets any of the three descriptions

3Is the business acting as a service provider to another business? (If a business is providing services for another business instead of for its own purposes, it may be a service provider. Check “I don’t know” to learn more.)

Your answer indicates that this business is not required to post a clear and conspicuous “Do Not Sell My Personal Information” link on its website. Under the CCPA, a “service provider” is a business that provides services to other businesses and meets certain other requirements. (Civil Code § 1798.140(v).) For example, a shipping company that delivers orders for a retailer may be a service provider. A business may act as a service provider in one context (when it is providing services to another business) and as a business in another context (for example, when it is selling products to you).

The CCPA treats service providers differently than businesses. It is the business, not the service provider that serves it, that is responsible for posting a “Do Not Sell My Personal Information” link and responding to consumer requests under the CCPA. You cannot submit your request to a service provider. Instead, you must submit your request to the business itself.

Many businesses use other businesses to provide services for them. For example, a retailer may have a payment card processor to process customer credit card transactions or a shipping company to deliver orders. These other entities may be “service providers” under the CCPA. (Civil Code § 1798.140(v).)

A business may be acting as a service provider in one context (when it is providing services to another business) and as a business in another context (for example, when it is selling products to you).

The CCPA treats service providers differently than the businesses they serve. It is the business, not the service provider, that must post a “Do Not Sell My Personal Information” link and respond to CCPA requests. You cannot submit your request to a service provider. Instead, you must submit your request to the business itself.

It may be hard to know if a business is acting as a business or as a service provider for another business. For the purposes of this notice, a business may be acting as a business if it:

  • Is selling goods or services to consumers
  • Has a website for consumers and that likely makes money for the business
  • Likely shares consumers’ personal information for its own commercial purposes
  • Likely determines what happens with consumers’ personal information it collects

In contrast, it may be acting as a service provider if it collects or processes consumers’ personal information on behalf of another business based on what that business instructs it to do. For example, when you purchase something from an online retailer, the retailer may use the services of a payment card processor when running your credit card information to complete the transaction. In this case, the online retailer—not its card-processing service provider—may have to comply with the requirement to post a “Do Not Sell My Personal Information” link.

If you believe the business is acting as a business, not as a service provider for another business

4Does the business sell consumers’ personal information to third parties?

Your answer indicates that this business is not required to post a “Do Not Sell My Personal Information” link on its website. Only businesses that sell consumers’ personal information to third parties are required to post this link. (Civil Code §§ 1798.135(a), 1798.120.)

Only businesses that sell consumers’ personal information to third parties must post a “Do Not Sell My Personal Information” link on their website.

Personal information is information that identifies, relates to, or could reasonably be linked with you or your household—for example, your name, email address, records of products purchased, internet browsing history, geolocation data, and inferences from other personal information that could create a profile about your preferences and characteristics. (Civil Code § 1798.140(o).)

A business “sells” personal information if it transfers, discloses, or otherwise communicates a consumer’s personal information to another business or to a third party for monetary or other valuable consideration. (Civil Code § 1798.140(t).)

One way to find out if a business sells personal information is to read its privacy policy. Every business that must comply with the CCPA must have a privacy policy. (Cal. Code Regs tit. 11, § 999.304(a).)

A link to a business’s privacy policy should be on the business’s website. The link is often near the bottom of the webpage or in the webpage menu. If the business does not sell personal information, it must say so in its privacy policy. (Cal. Code Regs tit. 11, § 999.306(d).)

Make sure to read the privacy policy carefully. Some businesses use words other than “sell” or say they don’t sell personal information but describe ways they share information that may constitute “selling” under the CCPA. For the purposes of a consumer’s notice of noncompliance, look for language that indicates the business may provide personal information to third parties for its commercial purposes—for example, phrases like:

  • We may share your information with third-party companies
  • Our advertising partners may collect information about you
  • We provide information to other companies, sites, or platforms to develop services to offer you

A business’s sharing of information with its own “service providers” is not “selling” under the CCPA.

If you believe the business sells consumers’ personal information

5Does the business have a “Do Not Sell My Personal Information” link on its website or its mobile app?

Businesses that sell consumers’ personal information to third parties must provide a clear and conspicuous “Do Not Sell My Personal Information” link on their website. For a mobile app, the link must be on the platform (e.g., iTunes, Google Play) or download page. (Civil Code §§ 1798.135(a), 1798.140(l).)

The link must use the words “Do Not Sell My Personal Information.” Most businesses put the link near the bottom of the webpage or in the webpage menu.

Look to see if the business has this “Do Not Sell My Personal Information” link on its website or mobile app

Businesses that sell consumers’ personal information to third parties must provide a clear and conspicuous “Do Not Sell My Personal Information” link on their website. For a mobile app, the link must be on the platform (e.g., iTunes, Google Play) or download page. (Civil Code §§ 1798.135(a), 798.140(l).)

The link must use the words “Do Not Sell My Personal Information.” Most businesses put the link near the bottom of the webpage or in the webpage menu.

Look to see if the business has this “Do Not Sell My Personal Information” link on its website or mobile app

6Does the business’s “Do Not Sell My Personal Information” link go to information about opting out of the sale of your personal information? (Please read all options before answering)

The “Do Not Sell My Personal Information” link should go to:

  • A description of your right to opt out of the business’s sale of your personal information,
  • An interactive form you can submit online to ask the business to stop selling your personal information, and
  • Instructions for any other way the business has for you to opt out of the sale of your personal information

(Civil Code § 1798.135(a), Cal. Code Regs tit. 11, §§ 999.306(b)-(c), 999.315(a).)

The link is often near the bottom of the webpage or in the webpage menu.

Look to see if the “Do Not Sell” link leads to this information

7Does the business require you to create an account to in order to ask that it stop selling your personal information?

Your answer does not indicate that the business is in violation of the CCPA’s requirement that businesses provide a clear and conspicuous “Do Not Sell My Personal Information” link on their Internet homepage that enables consumers to opt out of the sale of their personal information.

Statute: Civil Code §§ 1798.135(a)

This does not mean that the business is in compliance with the CCPA, and the business may have other violations. However, at this time, this interactive tool cannot generate a draft notice of noncompliance based on your answers. Learn more about the CCPA

A business cannot require consumers to create a new account in order to ask that the business stop selling their personal information. (Civil Code §§ 1798.135(a).)

Look to see if the form linked from the “Do Not Sell My Personal Information” link requires you to create an account

8Does the business require you to submit a lot of personal information to prove who you are (more than necessary to make sure it stops selling the right consumer’s personal information)?

Your answer does not indicate that the business is in violation of the CCPA’s requirement that businesses provide a “Do Not Sell My Personal Information” link on their website that enables consumers to opt out of the sale of their personal information. (Civil Code §§ 1798.135(a).)

This does not mean that the business is in compliance with the CCPA, and the business may have other violations. However, at this time, this interactive tool cannot generate a draft notice of noncompliance based on your answers. Learn more about the CCPA

The CCPA does not require you to make a “verifiable consumer request” to ask a business to stop selling your personal information. This means the business should not make you provide a lot of personal information to prove that your request really came from you. But the business may ask for information necessary to make sure it stops selling the right consumer’s personal information—for example, if it has more than one customer with your name, it may need to confirm which customer you are. A business may also deny your request if it has a good-faith, reasonable, and documented belief that your request is fraudulent, but it must explain why it believes your request is fraudulent.

Look to see if the business requires you to provide more information than is necessary to make sure it’s deleting the right consumer’s personal information. For example, see if it requires you to provide a copy of your driver’s license or a bill sent to your physical address.

Information for Draft Notice

Please note that the OAG collects the information you provide in the tool to assist us in investigating and enforcing the law. This information may be also be subject to a public records act request. If you do not wish to have your first or last name collected, please leave those fields blank.

* Indicates a Required Field

Your Information
Business Information

The CCPA went into effect on January 1, 2020. The business may have updated its website since then. Please re-check the business’s website.

Date cannot be in the future.

Notice DNS