Do Not Sell My Data

You may have seen this link before tucked away in the footer of a website that you are visiting. If you are a privacy-conscious person, then you know exactly what this link is for. In theory, the inclusion of a "do not sell my data" option demonstrates a commitment by the website to respect users' privacy choices and comply with applicable data privacy regulations.

When a website includes a "do not sell my data" link or button, it typically leads to a page or form where users can indicate their preference to opt-out of having their personal information sold. This option allows individuals to assert their rights and exercise control over the use and dissemination of their data by the website or any affiliated third parties. Unfortunately, the link is usually targeted at California residents since the CCPA and the CPRA are two of the strongest data laws in the country. Colorado, Connecticut, Utah, and Virginia also have strong data privacy laws, but the link usually does not have provisions for any of those states. Nevada, my current state of residence, has a data privacy law, even if it is somewhat weaker. No luck for me with an opt out for Nevada residents. Most websites do not even acknowledge data privacy requirements from other states.

It's important to note that the concept of "selling" data varies from state to state, encompassing various forms of sharing or transfer of personal information, such as sharing with advertisers or data brokers. The "do not sell my data" feature provides individuals with the ability to limit or prohibit such practices, typically in compliance with data privacy regulations like the California Consumer Privacy Act (CCPA) or similar laws in other jurisdictions. As each state enacts laws, the privacy protections and compliance actions get more confusing. For example, Utah's UCPA only privacy provisions only kick in for companies that have a revenue over $25M and derive 50% of their revenue from selling consumer data. In Connecticut, the consumers gain privacy protections from companies with 100K consumers or a combination of 25K consumers and 25% of revenue from selling customer data.

The lack of uniformity and consistency in data privacy laws has led to concerns about compliance complexity, particularly for organizations that operate on a national scale. States enacting privacy laws is a good thing; however, these state laws can create compliance challenges for businesses operating across different jurisdictions within the US. In an ideal situation, we would have something like the GDPR. The GDPR is a data privacy regulation implemented by the European Union in 2018. It strengthens individuals' privacy rights, sets rules for handling personal data, and applies to organizations that process EU residents' data. Non-compliance can result in substantial fines.