CCPA Opt-Out Rights: Do Not Sell or Share My Personal Information (2026)
Under the California Consumer Privacy Act (CCPA), California residents have the right to tell businesses to stop selling or sharing their personal information. This opt-out right is one of the law's most powerful consumer protections, and the CPRA amendments (effective January 1, 2023) significantly expanded its scope. Businesses that sell or share personal information for cross-context behavioral advertising must honor opt-out requests and provide clear mechanisms for consumers to exercise this right.
The California Attorney General and the California Privacy Protection Agency (CPPA) actively enforce opt-out requirements, with settlements reaching into the millions of dollars for noncompliance.
The Right to Opt Out of Sale
The original CCPA (effective January 1, 2020) gave consumers the right to direct a business to stop selling their personal information. Under Cal. Civ. Code 1798.120, a business that sells personal information to third parties must stop doing so once it receives a valid opt-out request.
What Counts as a "Sale"
The CCPA defines "sale" broadly. It covers selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer's personal information to another business or third party for monetary or other valuable consideration.
"Other valuable consideration" is the key phrase. A business does not need to receive cash for a data transfer to qualify as a sale. If a business provides personal information to a third party and receives any benefit in return (discounts, services, analytics, enhanced functionality), that transfer may constitute a sale under the CCPA.
Exceptions to the Sale Definition
Not every data transfer is a sale. The CCPA excludes:
- Transfers to service providers or contractors under compliant written agreements
- Transfers at the consumer's direction (e.g., the consumer asks the business to share their data)
- Transfers to a third party as part of a merger, acquisition, or similar transaction
- Transfers of information the consumer intentionally made available to the general public via a mass media channel
The Right to Opt Out of Sharing
The CPRA expanded opt-out rights beyond "sale" to include "sharing." Under the amended statute, sharing means making a consumer's personal information available to a third party for cross-context behavioral advertising, whether or not money changes hands.
Why "Sharing" Was Added
Before the CPRA, many businesses argued that their data transfers to advertising technology companies were not "sales" because no direct monetary payment occurred. A business might provide user data to an ad network in exchange for targeted advertising services rather than cash. Under the original CCPA, this created a loophole: consumers could not opt out of data transfers that drove the very targeted ads they wanted to avoid.
The CPRA closed this gap. By defining "sharing" as a separate concept covering data transfers for cross-context behavioral advertising, the law captures virtually all common online advertising data flows, regardless of the form of consideration.
Cross-Context Behavioral Advertising
Cross-context behavioral advertising means targeting advertisements to a consumer based on personal information obtained from the consumer's activity across businesses, distinctly branded websites, applications, or services other than the one the consumer is currently interacting with.
In practical terms, this covers:
- Third-party tracking cookies that follow a consumer from site to site to build advertising profiles
- Data sharing with ad networks that use behavioral data to serve targeted ads across different platforms
- Retargeting based on a consumer's browsing history across multiple businesses' websites
- Data clean room arrangements where businesses pool consumer data for advertising purposes
How Consumers Can Opt Out
The CCPA provides multiple mechanisms for consumers to exercise their opt-out rights.
The "Do Not Sell or Share" Link
Every business that sells or shares personal information must post a clear, conspicuous link on its website homepage. The CPPA regulations specify that this link must be:
- Titled: "Do Not Sell or Share My Personal Information" (the CPRA updated the language from the original "Do Not Sell My Personal Information")
- Conspicuous: Easy to find without scrolling extensively or navigating through multiple pages
- Functional: Leads to a page or mechanism where the consumer can actually submit an opt-out request
- Account-free: The business cannot require consumers to create an account to opt out
The opt-out mechanism should be straightforward. The consumer submits the request, and the business must act on it. Unlike requests to know or delete, opt-out requests do not require identity verification, though the business may ask basic questions to identify which personal information is associated with the consumer.
Opt-Out Preference Signals
The CPRA codified the requirement that businesses must honor technology-based opt-out signals sent by consumers' browsers or devices. The CPPA regulations define an "opt-out preference signal" as a signal sent by a platform, technology, or mechanism on behalf of the consumer that communicates the consumer's choice to opt out of the sale and sharing of personal information.
Businesses must treat these signals as valid opt-out requests without requiring any additional action from the consumer.
Global Privacy Control (GPC)
Global Privacy Control is the most widely recognized opt-out preference signal. GPC is available as:
- A built-in browser feature in Mozilla Firefox, DuckDuckGo, and Brave
- A browser extension for Chrome, Edge, and other browsers
- A setting in certain privacy-focused mobile apps
When enabled, GPC sends a Sec-GPC: 1 HTTP header with every web request. Businesses that receive this signal must treat it as a request to opt out of the sale and sharing of personal information associated with that browser or device.
GPC Enforcement History
The California Attorney General has made GPC enforcement a priority:
- Sephora (2022): Settled for $1.2 million partly for failing to process GPC opt-out signals. This was the first major enforcement action specifically targeting GPC noncompliance.
- Disney (2024): Settled for $2.75 million, the largest CCPA settlement in California history, after investigators found the company's opt-out processes did not fully stop data sale and sharing even when consumers were logged into their accounts.
- Joint Investigative Sweep (2025): The CPPA, along with Colorado and Connecticut regulators, launched a coordinated investigation into businesses refusing to honor consumer opt-out requests, including GPC signals.
Alternative Opt-Out Link
Businesses that process opt-out preference signals may use an alternative single link (such as "Your Privacy Choices" or a toggle icon) instead of the full "Do Not Sell or Share My Personal Information" text. The alternative link must still lead to a mechanism where consumers can exercise their opt-out rights, and the business must provide a frictionless response to opt-out preference signals.
The Right to Limit Use of Sensitive Personal Information
The CPRA introduced a related but distinct right: the right to limit a business's use and disclosure of sensitive personal information. While the opt-out right covers sale and sharing, the limitation right restricts how a business uses certain highly sensitive data categories internally.
What Is Sensitive Personal Information?
Under the CCPA (as amended by the CPRA), sensitive personal information includes:
- Social Security, driver's license, state ID, or passport numbers
- Account login credentials combined with required security codes or passwords
- Precise geolocation data
- Racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership
- Contents of mail, email, and text messages (when the business is not the intended recipient)
- Genetic data
- Biometric data used to uniquely identify a consumer
- Health information, sex life, or sexual orientation data
- Neural data (added by SB 1223, effective 2025)
How the Limitation Right Works
When a consumer exercises this right, the business must limit its use of sensitive personal information to what is "reasonably necessary and proportionate" to perform the services or provide the goods the consumer requested. Specifically, the business can only use the sensitive data for:
- Performing the service or providing the goods the consumer expects
- Detecting security incidents and protecting against threats
- Resisting malicious, deceptive, or illegal activity
- Ensuring physical safety
- Short-term, transient use (such as displaying content, where the data is not used to build a profile)
- Performing services on behalf of the business (internal research, debugging, quality control)
- Verifying or maintaining the quality of a service or device
"Limit the Use of My Sensitive Personal Information" Link
Businesses that use or disclose sensitive personal information beyond the permissible purposes listed above must post a "Limit the Use of My Sensitive Personal Information" link on their homepage. This link functions similarly to the "Do Not Sell or Share" link but specifically addresses sensitive data use rather than sale or sharing.
Service Providers vs. Third Parties: Why It Matters for Opt-Out
Understanding the distinction between service providers, contractors, and third parties is critical for opt-out compliance because the CCPA treats data transfers to each category differently.
Service Providers and Contractors
When a business transfers personal information to a service provider or contractor under a compliant written agreement, that transfer is not a "sale" or "sharing." The data recipient is bound by contract to:
- Process the data only for the specific business purposes identified in the agreement
- Not sell or share the personal information
- Not combine it with personal information from other sources (except for limited purposes)
- Assist the business with consumer requests
Because these transfers are not sales or sharing, consumers' opt-out requests do not apply to them.
Third Parties
A "third party" under the CCPA is any entity that is not the business itself, a service provider, or a contractor. When personal information goes to a third party, the transfer is likely a sale or sharing, and the consumer's opt-out right applies.
Common third-party recipients include:
- Advertising technology companies that receive consumer data for targeted advertising
- Data brokers that aggregate and resell consumer information
- Social media platforms that receive consumer data for ad targeting or analytics
- Marketing partners that receive consumer data for cross-promotion
Practical Impact
A business that wants to avoid the "Do Not Sell or Share" requirement and opt-out obligations can restructure its data relationships. By ensuring that all data-receiving partners qualify as service providers or contractors under compliant written agreements, the business can argue that no "sale" or "sharing" occurs. The contracts must be genuine, with real restrictions on how the recipient uses the data.
The DELETE Act and DROP Platform
California took opt-out rights a step further with the Delete Act (SB 362), which created the Delete Request and Opt-Out Platform (DROP). Launched January 1, 2026, DROP allows consumers to:
- Send a single deletion request to all registered data brokers in California
- Opt out of the sale of their personal information by all registered data brokers at once
- Request ongoing deletion, requiring data brokers to continuously delete the consumer's personal information every 45 days
Data brokers registered with the CPPA must participate in DROP. The platform simplifies what was previously a time-consuming process of submitting individual opt-out requests to potentially hundreds of data brokers.
The CPPA has already taken enforcement action against data brokers who fail to register, including fining a marketing firm in December 2025 for selling custom audiences without proper data broker registration.
What Happens After a Consumer Opts Out
Once a business receives a valid opt-out request (whether through the homepage link, a GPC signal, or the DROP platform):
- Stop selling or sharing the consumer's personal information within 15 business days
- Notify service providers and contractors to stop selling or sharing the consumer's data (if applicable)
- Do not ask the consumer to re-consent for at least 12 months
- Continue providing equal service (non-discrimination requirement)
After 12 months, a business may ask the consumer whether they would like to opt back in. The opt-in process must be affirmative and informed; the business cannot use dark patterns or misleading language to pressure the consumer.
Minors and Opt-In Requirements
For consumers under 16, the default is reversed. Businesses cannot sell or share their personal information unless the consumer (or, for children under 13, the consumer's parent or guardian) affirmatively opts in. This "opt-in" requirement means businesses must obtain explicit consent before selling or sharing a minor's data, even without an opt-out request.
Penalties for Opt-Out Violations
Violations of opt-out requirements carry the same administrative penalties as other CCPA violations. As of the 2025 CPI adjustment:
| Violation | Penalty |
|---|---|
| Unintentional violation | Up to $2,663 per violation |
| Intentional violation | Up to $7,988 per violation |
| Violation involving a minor | Up to $7,988 per violation |
Each individual whose opt-out right is violated can represent a separate violation. For businesses with millions of California consumers, penalties can accumulate rapidly.
The largest CCPA settlement to date, the $2.75 million Disney settlement, centered specifically on opt-out failures.
Related California Privacy Topics
- What Is CCPA? (comprehensive CCPA overview)
- CCPA vs CPRA: Key Differences Explained
- CCPA Compliance Checklist
- [California Data Privacy Laws](/us-laws/data-privacy-laws/california-data-privacy-laws) (parent hub)
- California Biometric Privacy Laws
- California Data Breach Notification Laws
This article provides general legal information, not legal advice. Opt-out requirements and enforcement interpretations continue to evolve. Consult an attorney for advice specific to your situation.
More California Laws
Sources and References
- CCPA Full Text (Cal. Civ. Code 1798.100-1798.199.100)(leginfo.legislature.ca.gov).gov
- CCPA Overview (California Attorney General)(oag.ca.gov).gov
- CPPA Regulations Portal(cppa.ca.gov).gov
- CPPA FAQ (Sensitive PI, Sharing Definition)(cppa.ca.gov).gov
- CPPA Consumer Privacy Act Regulations(cppa.ca.gov).gov
- Global Privacy Control (GPC)(oag.ca.gov).gov
- AG Sephora Settlement ($1.2M, GPC Enforcement)(oag.ca.gov).gov
- AG Disney Settlement ($2.75M, Opt-Out Failures)(oag.ca.gov).gov
- Joint Investigative Sweep: CA, CO, CT (Opt-Out Compliance)(cppa.ca.gov).gov
- CPI-Adjusted Penalty Amounts(cppa.ca.gov).gov
- DELETE Act: Drop Platform(cppa.ca.gov).gov
- CPPA Data Broker Enforcement (Dec 2025)(cppa.ca.gov).gov
- SB 1223 (Neural Data as Sensitive PI)(leginfo.legislature.ca.gov).gov
- AG DoorDash Settlement ($375K)(oag.ca.gov).gov