What does 'Do Not Sell My Information' mean?

It refers to a consumer’s right—under laws like CCPA and CPRA—to opt out of having their personal data sold or shared for targeted advertising, data exchange, or other commercial purposes.

How can businesses make 'Do Not Sell My Information' compliance simple?

Automation is key. Platforms like DataGrail use tools such as Request Manager and Consent Management to process opt-out requests, maintain consent records, and update downstream systems.

What should a business do when a customer asks to opt out?

Businesses must verify the request, update internal and third-party systems, and ensure no additional selling or sharing occurs. Automated workflows like DataGrail’s reduce manual work and regulatory risk.

Glossary Contents

Article 30

CA CCPA

Consent

CPRA

Data Governance

Data Inventory Explained

Data Privacy

Data Security Management

Data Subject Access Request (DSAR Management) for GDPR Compliance

Delete Act

Do Not Sell My Information

Ethical AI

GDPR

LGPD – Brazil’s Privacy Law

Nevada’s SB 220

Personally Identifiable Information (PII)

Preference Management

Quebec Bill 64

Record of Processing Activities (RoPA)

Verifiable Consumer Request (VCR)

What is Data Mapping? (Defined & Explained)

What to include in a Privacy Policy

Do Not Sell My Information

Q: What happens when someone clicks 'Do Not Sell My Information'?

When a user clicks the link, the business must stop selling or sharing their personal data unless the user opts in again. Businesses may need to process a formal request, update internal systems, and notify third parties. Tools like DataGrail’s Request Manager automate these steps.

A consumer right under CCPA/CPRA allowing individuals to opt out of the sale of their personal information.

If you’ve noticed more websites asking if you want to opt out of having your personal information sold or shared, you’re not alone. “Do Not Sell My Information” isn’t just a button—it’s a requirement under modern privacy laws like the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Whether you’re a consumer wanting more control or a business trying to stay compliant, this FAQ breaks down what you need to know—simply, clearly, and in one place.

Why it matters

Drives the need for robust preference and consent management systems.

What “Do Not Sell My Information” really means

“Do Not Sell My Information” is a legal phrase that often appears on websites as a required link under the California Consumer Privacy Act (CCPA) and its update, the California Privacy Rights Act (CPRA). These laws give people the right to tell a business not to sell or share their personal information, especially for targeted advertising or commercial exchange.

The term “sell” sounds simple, but privacy laws define it much more broadly. Under the CCPA/CPRA, a sale can occur even if no money is exchanged. If personal data is shared with a third party and they use it for an independent purpose—like profiling, advertising, or analytics—that may be considered a sale. The CPRA introduced the separate concept of sharing, which specifically covers data used for cross-context behavioral advertising.

This matters for consumers because it gives them more control over how their data is used online. And it matters for businesses because they are legally required to honor these requests and have clear processes to manage them.

Today, “Do Not Sell My Information” has become a widely recognized privacy signal across the U.S., and many businesses outside California adopt it proactively to build trust—even when they’re not legally required to.

What happens when someone clicks “Do Not Sell My Information”?

When a user clicks a “Do Not Sell or Share My Personal Information” link, several things happen behind the scenes—both for the consumer and the business.

From the consumer perspective

Most people will see one of the following:

A simple toggle that lets them opt out of data sales or sharing
A brief form asking for their email or device information
A confirmation that their request has been submitted
Some sites also respect automated browser signals like Global Privacy Control (GPC), meaning a consumer’s browser can automatically send an opt-out signal on their behalf.

From the business perspective

Once the user clicks the link:

The business must stop selling or sharing that person’s data going forward.
If the business uses multiple tools—advertising platforms, analytics tools, CRMs, etc.—each one must be updated.
Third parties that previously received the data may also need to be notified.
The business must log and retain proof that the request was fulfilled.
This can be simple for small companies but extremely complex for enterprises with hundreds of systems.

Back to Glossary

Related Terms

Data Privacy

Delete Act

Data Security Management