Processing Do Not Sell Requests

Have more questions? Submit a request

The CCPA gives data subjects the Right to Opt-Out of the Sale of their Personal Information to third parties. DataGrail customers have the ability to handle Do Not Sell requests through an intake form, verify those requests, and maintain a record log for compliance. 


Here’s how it works


Compliance Teams can host a DataGrail-powered Do Not Sell form at their privacy domain. This is separate from the privacy intake form. 


Note: The text and fields in this form are customizable.

Additional Offerings:

  1. Form CAPTCHA: An additional measure to prevent against spam and fraud in the privacy request process.

Once a data subject makes a request, they will be asked to confirm their email address. This is not explicitly required under CCPA, but it is a safeguard against spam and requests illegitimately made on behalf of others.



Viewing Do Not Sell Requests

Once the request is submitted, the request details will be logged to DataGrail. Compliance team members can go to Requests > Do Not Sell to see the current list of opt-outs. Standard columns:

  • Name - name captured in the intake form

  • Email - email address captured in the intake form

  • Date - date that the request was created

  • Verification - whether the requester has verified their email address

  • Status - compliance team can mark a request as complete or incomplete at any time

  • Additional - if customer requests additional fields during intake process, these will be grouped in the additional column in the app (each additional field will appear as its own column in the export 



Sort and Filter on verification and completion status

Compliance teams can sort the list of do not sell requests by column. Compliance teams can also filter by verification and completion status to see which requests need to be addressed.



Marking Requests as Complete

Compliance teams may honor this opt-out request in a number of ways outside of DataGrail. How a business opts a user out depends on that business' definition of a “sale” and where that information is saved. Regardless of how the opt-out is processed, DataGrail provides the ability to record the completion status of the request within the app so that there’s a compliance record for each request.

Compliance teams can select one or more requests and click Mark complete / Incomplete to update the status of the requests.

Compliance Teams can mark a request as complete at any time – verification status will not block the completion of the request.



Downloading Requests

Compliance Teams can download a copy of all requests at any time by clicking the Download button. DataGrail will download a .tsv file directly to the browser upon request.


Tag Managers

Tag managers -- most commonly, Google Tag Manager (GTM) -- are a tool that allow you to manage and deploy tags (snippets of code or tracking pixels) on your website without changing the code. Common uses include inserting javascript for analytics tools like Google Analytics or Amplitude, retargeting solutions like AdRoll, and trackers like Marketo or Hubspot. Moz has a more in-depth explanation.

GTM consists of three components: tags, triggers, and variables. Briefly, a tag is the javascript or tracking code that is inserted; a trigger is a rule for when to insert a tag; and a variable can hold values. For example, if you want to log all pageviews to Google Analytics, you would use a Google Analytics tag and tell it to trigger on all page views.

To learn more about setting up GTM for Do Not Sell, check out the article here.


Please reach out to with any questions!


Disclaimer: The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.

Articles in this section

Was this article helpful?
0 out of 0 found this helpful