Under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), consumers have the right to opt-out of the sale or sharing of their personal information. Unlike access, deletion, or correction rights, opt‑out rights are typically exercised through website links or recognized preference signals rather than formal requests. This article explains what the CCPA right to opt-out means in practice, how businesses must handle opt‑out signals and links, how sale and sharing differ, how quickly opt‑outs must be applied, and how opt‑out handling fits into broader consumer rights workflows and enforcement expectations.
Handling Opt-Out Requests Under the CCPA: Scope, Triggers, and Operational Impact
The California Consumer Privacy Act (CCPA) right to opt-out plays a central role in California’s privacy framework. It is one of the most visible consumer rights and one of the most closely scrutinized by regulators. While often described as a single obligation, opt‑out handling combines front‑end website design, backend data controls, advertising technology decisions, and internal documentation.
Opt-out rights are a type of consumer request under the CCPA/CPRA, but unlike traditional data subject requests (DSRs) such as access, correction, or deletion, they do not follow the standard 45-day response period. Instead, they must be honored promptly and continuously whenever a valid opt-out mechanism or preference signal is received. For businesses, this distinction has major operational consequences.
For a broader overview of all consumer rights and how they fit together, and how businesses can manage compliance, see our guides on consumer rights under the CCPA and CPRA and our CCPA 2026 compliance guide.
What is the CCPA right to opt-out?
The CCPA grants California residents the right to direct a business to stop selling or sharing their personal information, as those concepts are defined under California's privacy law. This right applies when a business engages in activities that qualify as a “sale” or “sharing” of personal information under the law.
In practical terms, the right to opt-out means:
- Consumers can signal that their personal information should no longer be sold or shared
- Businesses must respect that choice and adjust data flows accordingly
- The opt‑out must be available through designated mechanisms, not hidden behind request forms
The opt‑out right is distinct from other CCPA rights because it is designed to operate immediately and continuously, rather than on a case‑by‑case request basis.
Sale vs sharing: why the distinction matters
Handling opt‑out requests requires understanding the difference between selling and sharing personal information under the CCPA and CPRA, as well as how these concepts relate to broader ideas such as personal information and cross‑context behavioral advertising.
- Sale generally involves disclosing personal information to a third party for monetary or other valuable consideration
- Sharing refers to disclosures for cross‑context behavioral advertising, even when no money changes hands
Both activities trigger opt‑out obligations, but they may involve different vendors, technologies, and internal teams.
For a deeper explanation of how selling and sharing are defined, our articles on what counts as selling personal information under the CCPA or what counts as sharing personal information under the CCPA
Understanding which activities qualify as sale or sharing is a prerequisite to building an effective opt‑out process.
How consumers exercise the right to opt-out
Unlike access, deletion, or correction, opt‑out rights are usually exercised without submitting a formal request. They differ from a traditional data subject request and are designed to operate continuously through website controls and signals.
Website opt‑out links
Businesses that sell or share personal information must provide a clear and conspicuous link such as ‘Do Not Sell or Share My Personal Information’ OR an Alternative Opt-Out Link that allows consumers to exercise their opt-out rights. The regulations also require businesses to provide confirmation that an opt-out request has been processed, such as an ‘Opt-Out Request Honored’ message or dashboard indicator.
This link must be clear, conspicuous, and readily available on the homepage or other high-visibility location. It must lead to a consumer interface that allows the consumer to submit and have processed an opt-out request. Businesses are also permitted to provide a compliant Alternative Opt-Out Link with appropriate labeling and functionality that enables consumers to exercise their opt-out rights.
Opt‑out links are closely tied to how consumer rights are surfaced and exercised. In practice, opt‑out mechanisms should be consistent with the way other CCPA consumer rights are presented and handled across the website.
Opt‑out preference signals
The CPRA framework recognizes browser‑ or device‑based opt‑out preference signals, such as the Global Privacy Control (GPC).
When a valid opt‑out preference signal is detected and applicable, businesses are expected to treat it as a request to opt-out of sale or sharing, without requiring additional action by the consumer.
Preference signals:
- Do not typically require identity verification (businesses should not require additional information unless reasonably necessary to effectuate the opt-out)
- Operate automatically at the browser or device level and must be treated as a valid request to opt out of sale/sharing for that browser/device (and any associated consumer profile where applicable)
- Must be honored for applicable sale/sharing activities without additional steps and the signal data should not be used for unrelated purposes
Opt-out preference signals that meet statutory criteria must be treated as valid requests to opt out of sale or sharing of personal information. Businesses should honor these signals without additional burdens, and ensure the technical implementation aligns with regulatory requirements.
Third‑party opt‑out tools
Some consumers encounter opt‑out tools offered by industry groups, such as the Digital Advertising Alliance (DAA). These tools may facilitate opt‑outs within certain advertising ecosystems.
However, reliance on third‑party tools alone does not replace a business’s obligation to provide its own opt‑out mechanisms where required. Businesses should evaluate how these tools interact with their specific sale or sharing activities.
Do opt‑out requests require identity verification?
Opt-out rights typically do not require full identity verification, because they do not involve disclosure or deletion of personal information. However, businesses may implement proportionate and reasonable verification procedures where necessary to accurately effectuate the opt-out request, particularly when fulfilling it requires matching the signal to specific account data. Because opting out does not involve disclosing, deleting, or modifying personal information tied to an identified individual, the risk profile is different from request‑based rights.
This is one of the key differences between opt‑out handling and DSR workflows. Verification requirements are explained in more detail in our article on verifying identity under the CCPA.
How quickly must opt‑out requests be honored?
The standard 45-day response period that applies to other CCPA/CPRA rights does not apply to opt-out rights. Under the final 2026 regulations, once a business receives a valid opt-out request (including via opt-out preference signals), it must cease selling and sharing the consumer’s personal information as soon as feasibly possible, and no later than 15 business days from the date of receipt. This timeline provides a clear compliance threshold distinct from the 45-day timeframe that applies to other CCPA/CPRA rights
In practice, this means:
- Website‑based opt‑outs should take effect promptly
- Preference signals should be honored automatically where applicable
- Delays caused by internal routing or manual review increase enforcement risk
This immediate effect requirement distinguishes opt‑out handling from request‑based rights such as access, deletion, and correction, which follow defined response timelines. For those timelines, see our guide on the CCPA 45‑day response period.
What must change after an opt‑out is exercised
Honoring an opt‑out involves more than updating a preference flag. Businesses must evaluate what data flows need to stop or change once an opt‑out applies.
Typical downstream impacts
Area | Common adjustment |
|---|---|
Advertising technology | Disabling cross‑context behavioral advertising for the user |
Data disclosures | Stopping qualifying transfers to third parties |
Tracking | Adjusting trackers or tags associated with sale or sharing |
Vendor relationships | Notifying service providers where applicable |
Failure to align backend processing with front‑end opt‑outs is a common source of enforcement exposure.
Practical examples
Example 1: website opt‑out link
A California resident clicks the “Do Not Sell or Share My Personal Information” link on a retail website and submits an opt‑out choice. The business updates its advertising configuration to stop sharing personal information with third‑party ad networks used for cross‑context behavioral advertising. The opt‑out is recorded internally for audit and consistency purposes.
Example 2: opt‑out preference signal
A user visits a website with a browser that sends a recognized opt‑out preference signal. The website detects the signal and automatically applies an opt‑out of sale or sharing for that browser, without requiring the user to complete a form or log in.
Recordkeeping and documentation
Although opt‑out rights do not follow a traditional request workflow, businesses are still expected to maintain reasonable records demonstrating how opt‑outs are handled. This recordkeeping expectation aligns with general CCPA guidance on consumer rights and data minimization.
This may include:
- When and how opt‑out choices were received
- How preference signals were interpreted
- What internal systems or vendors were affected
- How consistency was maintained across channels
Clear documentation supports internal reviews and regulatory inquiries and aligns opt‑out handling with broader governance practices.
How opt‑out handling fits into broader CCPA obligations
Opt‑out rights are one part of the broader consumer rights framework under the CCPA and CPRA. They sit alongside access, deletion, and correction rights and should be handled through a coherent rights management approach rather than isolated technical fixes.
Opt‑out handling interacts closely with:
- Intake and presentation of consumer rights choices
- Internal classification of personal information
- Coordination with other request‑based rights
- Documentation of consumer rights activity
How Clym supports opt‑out handling
Handling opt‑out rights requires coordination between website interfaces, consent logic, internal workflows, and recordkeeping. Clym provides a set of tools that support these activities as part of a broader privacy operations program.
With Clym, businesses can:
- Provide multiple, consistent ways for consumers to express opt‑out choices by deploying the Clym widget across the website and publishing a clearly labeled “Do Not Sell or Share My Personal Information” footer link.
- Manage consent states, preference signals, and opt‑out logic through Clym’s Consent Management solution, helping businesses reflect consumer opt‑out choices across relevant data uses
- Organize opt‑out activity alongside access, deletion, and correction requests using Data Subject Request Management, keeping consumer rights activity visible in one operational view
- Maintain records of opt‑out handling, communications, and internal actions in the Clym Control Center, supporting internal reviews and regulatory inquiries
By connecting opt‑out handling with consent management and consumer rights workflows, Clym supports a structured approach to managing opt‑out obligations under the CCPA.
Key takeaway
The CCPA right to opt-out requires businesses to support immediate, accessible consumer choices and translate those choices into real operational changes. Clear mechanisms, prompt application, and consistent documentation are central to managing opt‑out obligations and reducing enforcement risk.
Frequently asked questions about the right to opt-out under the CCPA
The CCPA right to opt-out allows California residents to direct a business to stop selling or sharing their personal information. Businesses must provide accessible mechanisms to exercise this right and apply it to qualifying data activities.
No. Opt‑out rights are generally exercised through website links or preference signals, not through formal data subject requests.
Most opt-out requests do not require full identity verification because they do not involve access to or deletion of personal information. However, businesses may apply reasonable verification procedures where necessary to ensure the opt-out is correctly implemented for the appropriate consumer or identifier.
Opt‑outs must be applied as soon as practicable after they are exercised. The 45‑day response timeline does not apply.
The DAA opt‑out tool allows consumers to express advertising preferences within certain ad ecosystems. It does not replace a business’s obligation to provide opt‑out mechanisms where required.
Opt‑out preference signals, such as browser‑based signals, communicate a consumer’s choice automatically. When applicable, businesses are expected to honor these signals without additional steps by the consumer.
Alex is a Content Developer at Clym, where he researches and writes about everything related to data privacy and web accessibility compliance for businesses, helping them stay informed on their compliance needs and spreading awareness about making the web safer and more inclusive. When he’s not writing about compliance, Alex has his nose in a book or is hiking in the great outdoors.
Find out more about Alex