Do Not Sell My Personal Information: Your Rights Explained
Understand your right to say do not sell my personal information under CCPA/CPRA. Learn how it works, who must comply, and how to opt out.
"Do not sell my personal information" is a phrase that carries legal weight. It refers to a specific right granted to California residents under the California Consumer Privacy Act (CCPA), which allows individuals to tell businesses to stop selling their personal data to third parties. Since the CPRA amendment took effect in January 2024, this right also covers the sharing of personal information for cross-context behavioral advertising.
This guide explains what the right means, who it applies to, how businesses must comply, and how consumers can exercise it. The information here is for educational purposes and does not constitute legal advice. Consult an attorney for guidance specific to your situation.
What "Do Not Sell My Personal Information" Means Under the CCPA
The CCPA, codified in California Civil Code Sections 1798.100 through 1798.199.100, defines "sale" broadly. Under Section 1798.140(ad), selling personal information means disclosing it to a third party for monetary or other valuable consideration. This goes beyond what most people think of as a traditional sale.
The CPRA expanded this further by adding "sharing," defined in Section 1798.140(ah) as disclosing personal information to a third party for cross-context behavioral advertising. This means that even if no money changes hands, transferring user data to an advertising network for targeted ads counts as sharing and triggers the opt-out right.
Common activities that qualify as selling or sharing personal information include:
- Passing visitor data to ad networks through cookies or tracking pixels
- Sharing customer email lists with marketing partners
- Allowing data brokers to access user information from your platform
- Embedding third-party analytics tools that share data with their own clients
- Using retargeting pixels that send visitor behavior to advertising platforms
What Does Not Count as a Sale
Not every transfer of data qualifies. The CCPA provides exemptions in Section 1798.140(ad)(2) for:
- Transfers to service providers operating under a written contract that limits how they use the data
- Disclosures the consumer intentionally directs (such as sharing information with a social media platform by clicking a share button)
- Transfers to the government when required by law
- Transfers as part of a merger or acquisition where the acquiring entity assumes the same obligations
The distinction between a service provider relationship and a sale often comes down to the contractual terms. If a third party can use the data for its own purposes beyond what the business directed, the transfer likely qualifies as a sale.
Who Must Comply with the Do Not Sell Requirement
The CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of these thresholds:
- Annual gross revenue exceeding 25 million USD
- Buying, selling, or sharing the personal information of 100,000 or more California consumers, households, or devices per year
- Deriving 50% or more of annual revenue from selling or sharing personal information
Businesses that meet any single threshold must comply with the full CCPA, including the do not sell requirement. Nonprofit organizations and government agencies are generally exempt, though some affiliated entities may still fall under the law.
Does the CCPA Apply Outside California
The CCPA protects California residents regardless of where the business is located. If you run a website from New York, Texas, or even outside the United States, but you collect personal information from California consumers and meet the thresholds above, you must provide the do not sell option.
Other states have enacted similar opt-out rights. Virginia's Consumer Data Protection Act (VCDPA), Colorado's Privacy Act (CPA), Connecticut's Data Privacy Act (CTDPA), and several others include comparable provisions. The practical reality is that offering a do not sell option is becoming a baseline expectation for any business with a national or international audience.
How Consumers Can Exercise the Do Not Sell Right
If you are a California resident and want to opt out of the sale or sharing of your personal information, you have several options.
Finding the Opt-Out Link
Businesses that sell or share personal information are required under Section 1798.135(a) to provide a clear and conspicuous link on their website homepage labeled "Do Not Sell or Share My Personal Information." This link must be:
- Easy to find, typically placed in the website footer
- Labeled with those exact words or substantially similar language
- Functional, leading to a page where you can submit your opt-out request
Submitting an Opt-Out Request
The opt-out process varies by business but generally involves one of these methods:
- Clicking the do not sell link and toggling a setting to opt out
- Filling out a form with your name and email so the business can process your request
- Sending an email to the business's designated privacy contact
- Calling a toll-free number listed in the business's privacy policy
Businesses cannot require you to create an account to opt out. They must process your request within 15 business days and cannot charge a fee for exercising this right.
Using Global Privacy Control
Global Privacy Control (GPC) is a browser-level signal that automatically communicates your opt-out preference to every website you visit. When enabled, it sends a machine-readable header that tells websites you do not want your data sold or shared.
Under CCPA regulations (Section 999.315), businesses must treat a GPC signal as a valid opt-out request. The California Attorney General confirmed this in the Sephora enforcement action in 2022, where the company was fined 1.2 million USD in part for failing to honor GPC signals (source: California AG).
To enable GPC:
- In Firefox: install the Global Privacy Control extension or enable it in privacy settings
- In Brave: GPC is enabled by default
- In Chrome or Edge: install a GPC browser extension
- On mobile: use a browser that supports GPC natively, such as DuckDuckGo or Brave
How Businesses Must Implement the Do Not Sell Opt-Out
If your business meets the CCPA thresholds and sells or shares personal information, you have specific obligations. Non-compliance can result in penalties of 2,500 USD per unintentional violation and 7,500 USD per intentional violation under Section 1798.155.
Required Elements for Compliance
Your website must include:
- A "Do Not Sell or Share My Personal Information" link on the homepage, visible without scrolling in the footer
- A mechanism for processing opt-out requests, such as a toggle, form, or preference center
- Recognition and honoring of GPC signals as valid opt-out requests
- A privacy policy that discloses the categories of personal information you sell or share, the categories of third parties who receive it, and instructions for exercising the opt-out right
- A process to notify all third parties to whom you sold or shared the consumer's data within the preceding 12 months
Technical Implementation Steps
For website owners, implementing the do not sell requirement involves both legal documents and technical controls:
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate Now- Audit your data flows: Identify every instance where personal information leaves your systems and goes to a third party. Pay particular attention to advertising pixels, analytics tools, and data partnerships.
- Classify your transfers: Determine which transfers qualify as sales or sharing under the CCPA definitions. Service provider arrangements with proper contracts are generally exempt.
- Add the opt-out link: Place it in your footer and link to a dedicated opt-out page or preference center.
- Build the opt-out mechanism: Create a way for visitors to submit their preference. This can be a simple toggle that suppresses advertising cookies and data-sharing scripts.
- Honor GPC signals: Configure your consent management platform or website code to detect GPC headers and treat them as opt-out requests automatically.
- Update your privacy policy: Disclose your selling and sharing practices, list the categories of data involved, and explain how consumers can opt out. A privacy policy generator can help you structure these disclosures correctly.
- Log and document: Keep records of all opt-out requests, when they were received, and when they were processed. This documentation is essential if the California Privacy Protection Agency audits your business.
Do Not Sell My Personal Information and Cookie Consent
Cookies are where the do not sell right intersects with everyday website operations. Many of the "sales" and "sharing" that trigger CCPA obligations happen through cookies and tracking technologies.
Advertising Cookies as Data Sharing
When a visitor loads your website and a Facebook Pixel or Google Ads tag fires, data about that visitor (including identifiers, browsing behavior, and device information) is sent to those platforms. Under the CPRA's expanded definition, this qualifies as sharing personal information for cross-context behavioral advertising.
This means your cookie consent banner and your do not sell mechanism are closely related. When a consumer opts out of the sale of their personal information, you must also stop loading advertising and tracking cookies that share data with third parties.
Connecting Your Cookie Banner to Opt-Out Controls
A well-configured consent management setup should:
- Present cookie categories (strictly necessary, analytics, marketing) clearly to visitors
- Include a "Do Not Sell or Share" toggle within the cookie preference center
- Suppress marketing and advertising cookies when a visitor opts out or sends a GPC signal
- Link to both your cookie policy and your do not sell page
- Log consent choices for compliance documentation
Your cookie policy should explain which cookies qualify as selling or sharing under the CCPA and how opting out affects those cookies.
Enforcement and Penalties for Non-Compliance
The CCPA is actively enforced. The California Attorney General and the California Privacy Protection Agency (CPPA) have the authority to investigate businesses and impose penalties.
Notable Enforcement Actions
- Sephora (2022): Fined 1.2 million USD for failing to disclose the sale of personal information, failing to process opt-out requests, and ignoring GPC signals. This case established that GPC signals must be honored as valid opt-out requests.
- DoorDash (2024): Fined 375,000 USD by the CPPA for selling consumer data to a marketing cooperative without providing opt-out rights. This was one of the first enforcement actions by the CPPA itself.
Penalty Structure
Under the current framework:
- 2,500 USD per violation for unintentional non-compliance
- 7,500 USD per violation for intentional violations or violations involving minors' data
- Private right of action for data breaches resulting from failure to implement reasonable security measures (Section 1798.150), with statutory damages of 100 to 750 USD per consumer per incident
Violations are calculated per consumer per incident, meaning a single data practice affecting thousands of consumers can generate substantial liability.
Do Not Sell Rights Beyond California
While the CCPA was the first comprehensive state privacy law in the United States, other states have adopted similar opt-out rights:
- Virginia (VCDPA): Right to opt out of targeted advertising, sale of personal data, and profiling
- Colorado (CPA): Opt-out rights for targeted advertising, sale, and certain profiling, plus a requirement to recognize universal opt-out signals by July 2024
- Connecticut (CTDPA): Similar opt-out rights for sale and targeted advertising
- Texas (TDPSA): Opt-out of sale, targeted advertising, and profiling effective July 2024
- Oregon (OCPA): Opt-out of sale and targeted advertising effective July 2024
The trend is clear: opt-out rights for data selling and sharing are becoming the standard across the United States. Businesses that implement CCPA-level controls now are better positioned as new state laws take effect.
Steps Businesses Should Take Today
Whether you are building a new website or updating an existing one, these actions will put you on solid ground:
- Conduct a data inventory to identify all personal information you collect and where it goes.
- Determine whether any of your data transfers qualify as selling or sharing under the CCPA.
- Add a "Do Not Sell or Share My Personal Information" link to your website footer.
- Build or configure an opt-out mechanism that is easy to use and does not require account creation.
- Configure your site to honor GPC signals automatically.
- Update your privacy policy with the required CCPA disclosures.
- Train your team on how to process opt-out requests within the 15 business day deadline.
- Document everything: requests received, actions taken, and third parties notified.
Frequently Asked Questions
What does do not sell my personal information mean?
It refers to your legal right under the California Consumer Privacy Act to tell a business to stop selling your personal information to third parties. Selling includes exchanging data for monetary value, but also sharing it for cross-context behavioral advertising under the CPRA amendment.
Which businesses must offer a do not sell option?
Any for-profit business that collects personal information from California residents and sells or shares it must provide this option if the business has annual gross revenue over 25 million USD, buys or sells data of 100,000 or more consumers, or earns 50% or more of revenue from selling personal information.
How do I opt out of the sale of my personal information?
Look for a link labeled Do Not Sell or Share My Personal Information in the website footer or privacy policy. Click it and follow the instructions, which typically involve toggling a setting or submitting a form. You can also enable Global Privacy Control in your browser to send an automatic opt-out signal to every site you visit.
Can a business deny my do not sell request?
Businesses cannot deny a valid opt-out request from a California consumer. Under Section 1798.120 of the California Civil Code, they must honor the request and stop selling or sharing your personal information within 15 business days. They also cannot retaliate by charging different prices or providing a degraded experience.