Businesses that sell or share personal information under the CCPA must offer opt-outs, update privacy notices, and configure their systems to reflect 2026 requirements. This includes providing a clear "Do Not Sell or Share My Personal Information" link, honoring Global Privacy Control (GPC) signals, and designing interfaces that avoid dark patterns by giving users clear and balanced choices. Privacy policies must describe the categories of data collected, which third parties receive information, and how consumers can exercise their rights. Service provider and contractor agreements must include limitations that prevent data reuse. Businesses also benefit from reviewing advertising tools, analytics configurations, and vendor integrations to avoid unintended selling or sharing. This guide outlines these operational steps and connects to deeper resources across the CCPA selling and sharing cluster.
How to Handle Selling and Sharing Personal Information Under the CCPA: Opt-outs, Notices, GPC, Contracts, and Interfaces
Introduction
Many businesses discover that selling or sharing personal information can occur through everyday tools such as advertising pixels, analytics platforms, or customer data integrations. Once this becomes clear, the next step is understanding how to support user rights and adjust systems so they reflect California’s 2026 expectations. This article introduces the operational areas most businesses review, opt-outs, GPC handling, privacy notices, contracts, interface design, and tracking behavior, before taking deeper action.
The following sections explore these practical steps in more detail, with references throughout the article to related articles that explain what counts as selling or sharing and how these concepts appear in real-world environments.
Displaying a "Do not sell or share my personal information" link
When a business engages in selling or sharing, the law requires a clear and accessible opt-out pathway. This link should appear at the moment personal information is collected, as well as on the homepage or in app settings.
A well-designed link directs users to a simple page explaining. For deeper guidance on how selling and sharing are defined, you can explore our guide on what counts as data selling or sharing under the CCPA
A well-designed link directs users to a simple page explaining:
- What selling and sharing mean in the context of the business
- How users can opt out immediately
- How universal signals like GPC apply
A clear link also reduces confusion and promotes transparency, which regulators increasingly expect.
Honoring Global Privacy Control (GPC) signals
GPC is a browser or extension-based signal indicating a user’s choice to opt-out of selling and sharing. Beginning in 2026, businesses are expected to detect and apply this signal without requiring additional steps from the user.
To honor GPC properly, businesses typically:
- Detect the signal through their consent platform
- Shift the visitor into an opt-out state immediately
- Adjust tracking technologies so they no longer contribute to selling or sharing
- Keep internal records of when opt-outs occur
A solution like Clym’s Consent Management Platform helps businesses interpret GPC signals and apply opt-outs automatically through its dynamic script-handling engine. For a deeper breakdown of how GPC affects marketing and analytics behavior, you can review our related resource on what GPC means for marketing and analytics.
Updating privacy policy disclosures
Privacy policies need clear explanations, not legal jargon, about how a business handles data. A CCPA-aligned policy generally:
- States whether selling or sharing occurs
- Lists categories of personal information involved
- Identifies third parties receiving data
- Provides opt-out instructions and describes GPC support
- Outlines available consumer rights in simple language
These disclosures help consumers understand what happens behind the scenes, and they help businesses articulate their data practices accurately. If you are reviewing disclosures to determine whether your activities classify as selling or sharing, you can check what counts as selling personal information and what counts as sharing personal information under the CCPA.
Reviewing and updating vendor contracts
Vendor classification determines whether data flows count as selling, sharing, or neither. Service provider and contractor agreements should:
- Limit data use strictly to the services provided
- Prevent vendors from building profiles or reusing data
- Require deletion on request
- Restrict subcontractor disclosures
If a vendor contract lacks these restrictions, the disclosure may count as selling or sharing. Reviewing contract language helps clarify roles and reduce ambiguity.
Clym’s Control Center gives businesses a way to organize vendor information and maintain consistent internal documentation. Many businesses also compare their contracts to real-world patterns, some of which you can see in our article on real-world examples of CCPA selling and sharing.
Configuring analytics, advertising, and tracking tools
Many businesses discover that their marketing or analytics stack triggers selling or sharing unintentionally. Pixels, SDKs, customer data platforms (CDPs), and enrichment tools often collect identifiers that flow into advertising or modeling systems.
Evaluating each tool involves understanding how it uses personal information and whether it reuses or enriches identifiers. These assessments often benefit from reviewing real examples of selling and sharing across websites. This step is especially important in 2026, when enforcement trends emphasize the transparency of data flows.
Clym’s RealtimeCompliance™ can help businesses adapt script behavior based on jurisdiction, consent choices, and universal opt-out signals.
Designing opt-out and consent flows without dark patterns
Interface design plays a central role in how users experience privacy choices. The 2026 interpretation of the CCPA emphasizes fairness and balance across acceptance and rejection options.
Effective privacy interfaces:
- Use clear language instead of persuasive nudges
- Give equal visual weight to acceptance and opt-out
- Display options in a straightforward sequence
- Include accessible controls for all users
If the user experience subtly pushes acceptance over rejection, regulators may view it as a dark pattern. For a more detailed look at how California evaluates symmetry and equal visibility between acceptance and opt-out choices, you can review the CCPA symmetry rule in our associated resource.
Handling opt-out requests
When a user opts out, businesses are expected to:
- Stop selling or sharing their personal information
- Inform relevant third parties so they adjust their own data use
- Apply the choice to future interactions
- Confirm the opt-out upon request
- Recognize GPC signals as valid opt-outs
These actions demonstrate attention to user preferences and help create consistent experiences.
Recordkeeping and internal documentation
Recordkeeping isn’t explicitly glamorous, but it helps teams track changes, updates, and obligations. Documentation typically includes logs of:
- Opt-out requests
- GPC detection events
- Contract updates
- Vendor assessments
- Any internal reviews related to data transfers
These records can support internal accountability and show due diligence. If you need a broader overview of CCPA responsibilities beyond selling and sharing, read our comprehensive CCPA compliance guide for businesses.
How Clym supports personal information selling and sharing management
Clym provides a set of tools that help businesses manage consent interactions, detect website scripts, and organize privacy-related configurations. These tools focus on identifying services running on a website, applying consent models based on user location and preferences, and giving businesses a centralized place to manage their settings.
Clym's Cookie Scanner identifies cookies, pixels, and services present on a website, including those that may contribute to data sharing or transmission. The scanner reports on these elements so businesses can understand how their website behaves.
The Consent Management solution helps businesses display consent options to visitors and applies region-based consent models. It supports the detection of Global Privacy Control (GPC) signals and adjusts script behavior in response to user choices or browser signals.
RealtimeCompliance™ evaluates services in real time and adjusts their behavior based on consent or opt-out preferences. This includes controlling when scripts load or limiting their functionality.
Through the Control Center, businesses can view their configuration settings, manage service classifications, and maintain internal documentation related to data practices.
FAQs about managing selling and sharing obligations under the CCPA
Businesses generally begin by offering a clear opt-out method. This includes adding a visible "Do Not Sell or Share My Personal Information" link, updating privacy policies, and adjusting tracking tools so they stop sending identifiers used for selling or sharing.
The link must direct users to a page or interface where they can submit an opt-out request. It should describe what selling and sharing mean for the business and offer a friction-free way to stop these activities.
GPC is an automated browser signal that communicates a user’s desire to opt out. When businesses detect this signal, they should apply the opt-out immediately and update tracking technologies accordingly.
Yes. In 2026, businesses are expected to show visible confirmation, such as a message, toggle, or banner, indicating that the request was honored.
Updated policies explain whether selling or sharing occurs, list data categories, describe third-party sharing, include opt-out instructions, and clarify how automated signals are handled.
Contracts should limit how vendors use personal information. This includes prohibiting data reuse, profile-building, and unauthorized disclosures.
Pixels involved in behavioral advertising should stop transmitting personal information once an opt-out is applied. A consent platform can help manage this process automatically.
A dark pattern is a design choice that makes it harder for users to exercise privacy rights. Examples include hiding opt-out links, emphasizing acceptance visually, or using misleading labels. Interfaces should present balanced choices so users can opt out without unnecessary friction.
A preference center typically provides options to opt out of selling and sharing, manage sensitive data use, review privacy status, and see whether GPC signals were detected. It should also link to additional rights such as access or deletion.
An opt-out remains active unless the consumer provides new consent. Systems should avoid overriding the user’s preference and maintain consistency across future visits.
A risk assessment evaluates the nature of disclosures, potential impacts on consumers, and safeguards in place. It can help teams understand where selling or sharing may occur and document mitigation steps.
Mobile apps should include the opt-out link in settings and ensure SDKs react properly to opt-out choices. Apps may also need to detect GPC-like signals from in-app browsers.
Yes. Widgets and embedded tools may collect identifiers for their own ecosystems. If the data supports cross-context advertising or creates value exchanges, selling or sharing may apply.
Businesses typically use system signals or contractual processes to inform vendors of opt-outs. Some tools provide automated methods to communicate these changes.
Frequent issues include adding an opt-out link without adjusting tracking behavior, overlooking GPC detection, using outdated vendor contracts, separating web and mobile opt-out mechanisms, and failing to document decisions.
Alex is a Content Developer at Clym, where he researches and writes about everything related to data privacy and web accessibility compliance for businesses, helping them stay informed on their compliance needs and spreading awareness about making the web safer and more inclusive. When he’s not writing about compliance, Alex has his nose in a book or is hiking in the great outdoors.
Find out more about Alex