Do Not Sell My Information

A consumer right under the CCPA/CPRA allowing individuals to opt out of the sale or sharing of their personal information, now replicated in some form across 20 state privacy laws.

If you've noticed more websites asking whether you want to opt out of having your personal information sold or shared, you're not alone. "Do Not Sell or Share My Personal Information" isn't just a button. It's a legal requirement under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and similar opt-out rights now exist in 20 states with comprehensive privacy laws. Whether you're a consumer wanting more control or a business trying to stay compliant, this FAQ breaks down what you need to know.

Why it matters

Drives the need for robust preference and consent management systems that can honor opt-out requests across multiple jurisdictions, propagate signals through advertising and analytics systems, and recognize automated browser-level signals like Global Privacy Control (GPC).

What "Do Not Sell or Share My Personal Information" really means

"Do Not Sell or Share My Personal Information" is the statutory link text required under the CCPA/CPRA. These laws give California residents the right to direct a business not to sell or share their personal information.

The term "sell" is defined much more broadly than its everyday meaning. Under the CCPA, a "sale" includes "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating" a consumer's personal information to another business or third party for monetary or other valuable consideration. No money needs to change hands. If personal data is transferred to a third party and they receive something of value in return, that can constitute a sale under the statute.

The CPRA added a separate concept: "sharing." Sharing covers the transfer of personal information to a third party for cross-context behavioral advertising, whether or not valuable consideration is exchanged. This closed a gap where companies argued that passing data to advertising partners for targeting purposes wasn't a "sale" because no direct payment occurred. Under the CPRA, that transfer now triggers opt-out obligations regardless.

This distinction matters in practice. A company that sends customer email addresses to a social media platform for lookalike audience matching is likely "sharing" under the CPRA even if the platform doesn't pay for the data. A company that provides customer lists to a data broker in exchange for enriched profiles is likely "selling." Both activities require an opt-out mechanism.

Today, opt-out rights for sales and targeted advertising exist in some form across 20 U.S. states with comprehensive privacy laws, including Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, New Jersey, Maryland, Minnesota, and others. Many of these laws also require businesses to honor universal opt-out mechanisms like GPC. Even businesses outside these jurisdictions increasingly adopt opt-out links to build trust and prepare for expanding regulation.

What happens when someone clicks "Do Not Sell or Share My Personal Information"?

When a user clicks the opt-out link, the business must initiate a process that stops the sale or sharing of that consumer's personal information going forward. Here's what that looks like from both sides.

From the consumer's perspective

Consumers will typically see one of the following: a toggle or switch that lets them opt out of data sales, sharing, or both; a brief form requesting enough information to identify them (such as an email address or device identifier); or a confirmation that their request has been submitted.

Some consumers won't need to click anything at all. Businesses that collect personal information online must also honor opt-out preference signals sent automatically by a consumer's browser, such as Global Privacy Control (GPC). GPC is built into browsers like Brave, DuckDuckGo, and Firefox, and available as an extension for others. Under California law, a GPC signal must be treated as a valid opt-out request. Colorado, Connecticut, and a growing number of other states impose similar requirements.

From the business's perspective

Once a consumer submits an opt-out request (or their browser sends a GPC signal), the business must:

• Stop selling or sharing that consumer's personal information going forward. This applies across all channels and systems, not just the website where the request was submitted.
• Propagate the opt-out across every system that processes the consumer's data for sale or sharing purposes, including advertising platforms, analytics tools, CRMs, data management platforms, and any other tools in the marketing and data stack.
• Notify third parties that previously received the consumer's data and direct them to comply with the opt-out, unless a legal exemption applies.
• Honor the consumer's opt-out for at least 12 months before asking whether the consumer wants to opt back in.
• Log and retain records demonstrating that the request was received and fulfilled.

Provide at least two methods for consumers to submit opt-out requests. For businesses that collect personal information online, one method must be an interactive web form accessible through the opt-out link. The business cannot require consumers to create an account to exercise their opt-out right.

For a company with a handful of tools, this can be straightforward. For enterprises operating hundreds of integrated systems across advertising, analytics, customer engagement, and data partnerships, propagating a single opt-out request through every relevant system is an operational challenge that typically requires automated privacy infrastructure.

The link requirements in practice

Under the CCPA/CPRA, businesses that sell or share personal information must provide a clear and conspicuous link on their homepage, their privacy policy, and any page that collects personal information. The regulations specify two options for how this link can appear:

The standard approach uses a link labeled "Do Not Sell or Share My Personal Information." Businesses that also collect sensitive personal information can add a separate "Limit the Use of My Sensitive Personal Information" link or combine both into a single link.

The alternative approach uses a single link titled "Your Privacy Choices" or "Your California Privacy Choices," accompanied by a specific toggle icon defined in the regulations. This link must lead to a page where consumers can exercise both their opt-out of sale/sharing rights and their right to limit the use of sensitive personal information.

Regardless of which link format a business chooses, it must also honor GPC signals. The CPRA regulations make clear that providing a link does not substitute for processing opt-out preference signals. Both are required.

GPC enforcement is accelerating

In September 2025, CalPrivacy (formerly the CPPA), the California Attorney General, and the attorneys general of Colorado and Connecticut announced a joint investigative sweep targeting businesses that fail to honor GPC signals. The sweep built on California's earlier $1.2 million settlement with Sephora for GPC violations and reflected the priorities of the Consortium of Privacy Regulators, a multi-state enforcement alliance that now includes California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon.

The message from regulators is clear: honoring opt-out preference signals is not optional, and enforcement is coordinated across state lines.

Beyond California: the expanding opt-out landscape

As of early 2026, 20 states have comprehensive privacy laws in effect, with additional states considering similar legislation. While the details vary, virtually all of these laws include a consumer right to opt out of the sale of personal data and targeted advertising. Many also require businesses to honor universal opt-out mechanisms like GPC.

Key variations across states include:

• How "sale" is defined. California's definition is among the broadest, capturing any transfer for valuable consideration. Some states, like Tennessee, define "sale" more narrowly as primarily monetary exchanges. Maryland prohibits the sale of sensitive personal information entirely, without exception.
• Whether "sharing" is a separate trigger. California is distinctive in creating a separate "sharing" concept that covers cross-context behavioral advertising even without valuable consideration. Most other states address targeted advertising as a separate opt-out right rather than through a "sharing" definition.
• Whether GPC or other universal opt-out signals are mandatory. California, Colorado, Connecticut, Montana, Delaware, Oregon, and several other states require businesses to honor opt-out preference signals. The number of states requiring this is growing, and enforcement attention is increasing.
• Applicability thresholds. These range from California's broad scope to Florida's narrow application to companies with $1 billion or more in global revenue.

For businesses operating nationally, the practical effect is that opt-out mechanisms must be designed to handle requests from consumers in any state with an applicable privacy law, with jurisdiction-specific logic where the requirements diverge.