The California Consumer Privacy Act (CCPA) requires that consumers can opt-out of having their personal information sold or shared by businesses that collect it on their websites. That means that if your site can be visited by California residents, then it is a best practice to have a “Do Not Sell/Share” link accessible from every entry point.
To demonstrate that this is easier said than done, let’s once again look at the website of the global leader in consent management, OneTrust. If there’s anyone that should be doing this right, it’s our friends over at OneTrust, so we’ll use them as our example. We previously looked at their website to check for a privacy policy in the first blog post of our Website Privacy Validation series.
If we scroll to the bottom of their site, we can see “Do Not Sell My Personal Information” in the bottom right corner of their footer, illustrating that they’re obviously making efforts to be in compliance with certain CCPA guidelines.
Using the ObservePoint platform, we set up a high-level Discovery Audit to scan 1000 pages of OneTrust’s public website. (Because they’re great at privacy compliance, a shallower audit of their site resulted in no issues, so we had to dig a little deeper to find anything we could discuss!)
An ObservePoint custom tag can be configured to look for specific words or links on any webpage. This can be done through employing “On-Page Actions” within the configuration settings of any ObservePoint Audit. We set it up here to look for the words “Do Not Sell My Personal Information” on all scanned OneTrust pages.
The results of this specific check can then be seen in the Variable Inventory report, under the tag name “ObservePoint Data.”
If you dive in and look at the results therein, you will see the breakdown of what we found. In this Audit of OneTrust.com, we see that 923 pages have the “Do Not Sell My Personal Information” link (using that specific syntax). Awesome! However, that means that over 7% of the pages we audited do not have that specific string present and therefore may be falling short of the desired standard.
Now this link should probably be included in a global footer and thus available on every page on which the footer is present. So either that global footer isn’t on every page, or it’s been dynamically changed on certain pages for some reason. In this specific Audit, we found instances of a couple different (older?) footers on some pages that do not include a “Do Not Sell/Share” link, as well as a number of links to pages without any footer at all.
Ultimately, if even a leader in consent management and data privacy like OneTrust has a small percentage of pages missing the “Do Not Sell/Share” link, how do you think most other brands and websites are doing? This is why auditing your “Do Not Sell/Share” link presence is the second on our list of things to regularly do – after checking for the privacy policy – to ensure your website is complying with privacy regulations.
If you’d like to see how your own website fares in delivering consistent coverage of your “Do Not Sell/Share” links, reach out about getting started.
Read the next post in our Website Validation Series: Is my cookie consent banner tag present on all pages?