Do Not Sell or Share Requirements Under the CCPA: What Businesses Must Provide

Introduction: why the “Do Not Sell or Share” matters under the CCPA

The right to opt out of the sale or sharing of personal information is a core protection under the California Consumer Privacy Act (CCPA). It reflects California’s policy choice to give consumers meaningful control over how their personal information is monetized or used for advertising-related purposes.

In practice, opt-out obligations are one of the most scrutinized areas of CCPA enforcement, particularly for businesses assessing whether the CCPA applies to their business in the first place. See our CCPA applicability guide for a detailed breakdown of scope and thresholds. Issues frequently arise not because businesses intentionally hide data practices, but because opt-out links are missing, unclear, inconsistently implemented, or disconnected from how data is actually used.

This article explains what “Do Not Sell or Share” means, when businesses must provide an opt-out mechanism, how the requirement is implemented on websites, and how regulators evaluate opt-out disclosures in practice.

What does “Do Not Sell or Share My Personal Information” mean?

Under the CCPA, consumers have the right to opt out of the sale or sharing of their personal information.

“Selling” personal information broadly includes disclosing personal information to another business or third party for monetary or other valuable consideration. “Sharing” was added by the CPRA and specifically covers disclosures of personal information for cross-context behavioral advertising, even when no money changes hands.

This means that many common advertising and analytics arrangements can trigger opt-out obligations, even when businesses do not consider themselves to be selling data in the traditional sense.

The legal basis for this right appears in California Civil Code section 1798.120, which requires businesses to inform consumers of their right to opt out and to provide a clear method for exercising that right.

When is a Do Not Sell or Share mechanism required?

A business must provide a Do Not Sell or Share mechanism if it sells or shares personal information as defined under the CCPA and CPRA. You can find out more about what counts as data selling or data sharing under the CCPA in our related resource.

This commonly applies when a business:

• Uses third-party advertising or marketing technologies that involve cross-context behavioral advertising
• Discloses personal information to partners or vendors outside of narrowly defined service provider relationships
• Enables tracking technologies that transfer identifiers to third parties for advertising purposes

What counts as selling or sharing in practice

In practice, determining whether an activity counts as selling or sharing often requires looking beyond labels and contracts.

For example, transferring identifiers to third-party advertising platforms for cross-site targeting may be considered sharing, even if the business does not receive direct payment. By contrast, disclosures to service providers that process data solely on the business’s behalf and under appropriate contractual restrictions may fall outside the scope of selling or sharing. You can find out more real-world scenarios of CCPA selling and sharing in our associated article.

Many enforcement issues arise when businesses assume that the absence of monetary consideration means opt-out obligations do not apply. Regulators focus on how data is actually disclosed and used, not how arrangements are described internally.

Importantly, a business that does not sell or share personal information is not required to provide a Do Not Sell or Share link. However, regulators expect businesses to accurately assess and document their data flows. Misclassifying sharing activities is a frequent enforcement risk.

Where must the Do Not Sell or Share link appear on a website?

When required, the CCPA expects businesses to provide a clear and conspicuous “Do Not Sell or Share My Personal Information” link on their internet homepages.

In practice, this usually means:

• A visible footer link labeled “Do Not Sell or Share My Personal Information”
• Access from the homepage without unnecessary steps
• Availability across desktop and mobile interfaces

For example, an ecommerce or SaaS website that uses third-party advertising cookies may include a clearly labeled Do Not Sell or Share link in the website footer. When selected, the link opens a preference interface where users can opt out of selling or sharing personal information for advertising purposes. Regulators assess not only whether the link exists, but whether it is easy to locate and functions consistently across pages and devices.

What happens after a consumer opts out

Opting out is not limited to displaying a link. Once a consumer exercises their right to opt out, the business must respect that choice across relevant data flows.

In practice, this means:

• Ceasing selling or sharing activities covered by the opt-out
• Communicating the opt-out to downstream partners where applicable
• Checking that that the opt-out is not reversed without consumer action

Enforcement actions often focus on situations where opt-out interfaces exist, but data continues to be shared in ways that contradict user choices.

What happens if a Do Not Sell or Share link is missing or not working?

Missing or non-functional opt-out mechanisms can lead to regulatory inquiries, corrective action requirements, and penalties, particularly when disclosures do not align with actual data practices.

How Global Privacy Control affects Do Not Sell or Share obligations

California regulations allow businesses to receive opt-out requests through opt-out preference signals such as Global Privacy Control (GPC).

When properly implemented, GPC can function as a valid opt-out mechanism for selling or sharing personal information. However, regulators assess whether preference signals are honored consistently across browsers, devices, and collection points.

Partial recognition of GPC signals, unclear disclosures about how signals are handled, or technical limitations that undermine opt-out effectiveness can increase enforcement risk.

Common misconceptions about Do Not Sell or Share

Businesses frequently misunderstand the scope of Do Not Sell or Share obligations. Common misconceptions include:

• Believing that opt-out rights apply only when personal information is sold for money
• Assuming that cookie banners alone satisfy opt-out requirements
• Relying on preference signals without fully honoring them
• Treating targeted advertising opt-outs as separate from selling or sharing disclosures

Regulators focus on how opt-out rights function in practice, not how they are described in policies or interfaces.

How Do Not Sell or Share requirements connect to other CCPA obligations

Do Not Sell or Share requirements do not exist in isolation. They connect directly to:

• The notice at collection
• Ongoing privacy policy disclosures
• Sensitive personal information limitation notices
• Consumer request handling and confirmation notices

For a broader overview of how these disclosures fit together, see our guide on CCPA notices and disclosures.

How Clym supports Do Not Sell or Share workflows

Once businesses determine that a Do Not Sell or Share mechanism is required, the operational challenge is keeping that opt-out experience clear, visible, and consistent across websites.

Clym supports this by allowing businesses to create and manage a Do Not Sell or Share My Personal Information footer link through the Control Center and apply it across the domains and subdomains they manage. This helps teams maintain consistent labeling and placement as website structures evolve.

The opt-out link connects to the preference management interface presented through the website widget, giving users a clear way to express their choices while keeping disclosures accessible.