Website Privacy Validation (2/6): Is my “Do Not Sell/Share” link present on all pages?

September 30, 2022 Cameron Cowan

The California Consumer Privacy Act (CCPA) requires that consumers be able to opt out of having their personal information sold or shared by the businesses that collect it on their websites. That means that if your site can be visited by California residents, it is a best practice to have a “Do Not Sell/Share” link accessible from every entry point.

To demonstrate that this is easier said than done, let’s once again look at the website of the global leader in consent management, OneTrust. If there's anyone that should be doing this right, it’s our friends over at OneTrust, so we’ll use them as our example. 

If we scroll to the bottom of their site, we can see “Do Not Sell My Personal Information” in the bottom right corner of their footer, illustrating that they're obviously making efforts to be in compliance with certain CCPA guidelines.

Using the ObservePoint platform, we set up a high-level Discovery Audit to scan 1000 pages of OneTrust’s public website. (Because they’re great at privacy compliance, a shallower audit of their site resulted in no issues, so we had to dig a little deeper to find anything we could discuss!) 

An ObservePoint custom tag can be configured to look for specific words or links on any webpage. This is done with "On-Page Actions" in the configuration settings of any ObservePoint Audit. We set it up here to look for the words “Do Not Sell My Personal Information” on all scanned OneTrust pages.

The results of this specific check can then be seen in the Variable Inventory report, under the tag name "ObservePoint Data." 

If you dive into those results, you will see the breakdown of what we found. In this Audit of OneTrust.com, we see that 923 pages have the “Do Not Sell My Personal Information” link (using that specific syntax). Awesome! However, that means that over 7% of the pages we audited do not have that specific string present and therefore may be falling short of the desired standard.
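
As an added example (not ObservePoint's code or configuration), the same presence check can be sketched in Python over constructed HTML; the `VARIANT` pattern, the function names and the example.com URLs are assumptions. It separates pages with the exact link text, pages whose link uses a different wording, and pages where the phrase is not inside a link at all.

```python
from html.parser import HTMLParser
import re

EXACT = "do not sell my personal information"   # string used in the audit above
VARIANT = re.compile(r"do not sell\b")          # assumption: looser wording match

class LinkText(HTMLParser):
    """Collect the visible text of every <a> element on a page."""
    def __init__(self):
        super().__init__()
        self.links, self._buf, self._depth = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._depth += 1
    def handle_data(self, data):
        if self._depth:                 # only keep text that sits inside a link
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._depth:
            self._depth -= 1
            if self._depth == 0:
                self.links.append("".join(self._buf))
                self._buf = []

def normalize(text):
    # Fold non-breaking spaces, line breaks and case so layout does not hide a match.
    return re.sub(r"\s+", " ", text.replace("\xa0", " ")).strip().lower()

def classify(html):
    parser = LinkText()
    parser.feed(html)
    texts = [normalize(t) for t in parser.links]
    if any(EXACT in t for t in texts):
        return "exact"
    if any(VARIANT.search(t) for t in texts):
        return "variant"                # link exists but with different wording
    return "missing"                    # no opt-out link, even if the words appear

def audit(pages):
    report = {"exact": [], "variant": [], "missing": []}
    for url, html in pages.items():
        report[classify(html)].append(url)
    return report

# Constructed sample pages (not real OneTrust markup).
PAGES = {
    "https://example.com/": '<a href="/p">Privacy</a><a href="/o">Do Not Sell My\n Personal&nbsp;Information</a>',
    "https://example.com/blog": '<a href="/o">Do Not Sell or Share My Personal Information</a>',
    "https://example.com/landing": '<p>do not sell my personal information</p><a href="/p">Privacy</a>',
}
if __name__ == "__main__":
    print(audit(PAGES))
```

Pages in the "variant" bucket are the ones an exact-string audit reports as failures even though an opt-out link is present, so they are worth reviewing separately from pages in "missing".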