TLDR. Under the CCPA as amended by the CPRA, every covered business that "sells" or "shares" California consumers' personal information has to offer a real, working opt-out: a "Do Not Sell or Share My Personal Information" link (or the alternative opt-out icon alongside it), honour Global Privacy Control (GPC) signals as a valid opt-out, accept opt-outs from authorized agents, fulfil within 15 business days, and not ask the consumer to opt back in for at least 12 months. The California Attorney General's enforcement actions against Sephora (2022) and DoorDash (2024) make clear that misclassifying ad-tech or data-exchange disclosures as a "service provider" transfer, or as anything other than a sale, is the trap most businesses fall into. This guide walks through the statute, the mechanisms you must offer, the downstream obligations on your vendors, and a checklist you can hand to engineering.

The two rights you are implementing

Right to opt out of sale or sharing — Cal. Civ. Code § 1798.120

Section 1798.120 gives every California consumer the right to direct a business that sells or shares their personal information to third parties to stop doing so. The CPRA amendments, operative since 1 January 2023, extended the right from "sale" alone to "sale or sharing." The right is unconditional: you cannot refuse based on the consumer's relationship with you, their account status, or whether they have purchased anything.

Right to limit use of sensitive personal information — § 1798.121

Separately, § 1798.121 gives consumers the right to limit the use and disclosure of sensitive personal information (SPI) to purposes that are necessary to perform the services or provide the goods reasonably expected. SPI is defined at § 1798.140(ae) and includes precise geolocation, race/ethnicity, religion, union membership, contents of mail/email/text messages not addressed to the business, genetic data, biometric identifiers, health data, and sexual orientation data.

If you process SPI for any purpose beyond the § 1798.121(a) "reasonably expected" carve-out (which is narrow), you must offer a "Limit the Use of My Sensitive Personal Information" link. If you only use SPI for the narrow service-provision purposes, you can claim the § 1798.121(d) exemption from the link — but you have to be able to defend that position.

What "sale" and "share" actually mean

"Sale" — § 1798.140(ad)

"Sale" is defined broadly as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information to a third party for monetary or other valuable consideration. The "other valuable consideration" language is what catches most businesses by surprise — you do not need cash to change hands. Sharing user data with an ad-tech vendor in exchange for analytics insight, cross-context targeting, or attribution data is consideration.

"Share" — § 1798.140(ah)

CPRA added "share" specifically to capture cross-context behavioral advertising — the disclosure of personal information to a third party for cross-context behavioral advertising, whether or not for consideration. The definition was written to make sure the "we don't sell, we share" loophole that the original CCPA permitted was closed. If you fire a Meta Pixel that allows Meta to use the data for ads beyond your site, that is sharing.

Service-provider transfers are not sale or sharing — but only if structured correctly

Transfers to a properly contracted service provider or contractor are not sale or sharing. The key word is "properly." Under § 1798.140(ag) and the CCPA regulations, a service provider relationship requires a written contract that:

  • Prohibits the recipient from selling or sharing the personal information.
  • Prohibits the recipient from retaining, using, or disclosing the personal information for any purpose other than the specific business purpose specified in the contract.
  • Prohibits the recipient from retaining, using, or disclosing the personal information outside the direct business relationship between the parties.
  • Requires the recipient to provide the same level of privacy protection that the CCPA requires of the business.
  • Permits the business to monitor compliance and require remediation.

If your contract with an ad-tech vendor doesn't include these terms, or if the vendor in fact uses the data for its own purposes (training models, building lookalike audiences across other customers, enriching its own data set), the transfer is a sale or share and the opt-out applies. This is exactly the issue that drove the Sephora enforcement — below.

The mechanisms you must offer

| Mechanism | Required by | Where |
| --- | --- | --- |
| "Do Not Sell or Share My Personal Information" link | § 1798.135(a)(1) | Homepage and every internet page where personal information is collected; also in your privacy policy. |
| "Limit the Use of My Sensitive Personal Information" link | § 1798.135(a)(2) | Same locations, if you process SPI beyond the narrow exempt purposes. |
| Alternative opt-out icon (the blue toggle approved by the CPPA) | CCPA regulations § 7015 | Permitted in addition to, not instead of, the link text. |
| Single combined link ("Your Privacy Choices" or "Your California Privacy Choices") | § 1798.135(a)(3) and regulations § 7015 | Optional shortcut that lands on a page offering both opt-outs. |
| Honour GPC signals as an opt-out | § 1798.135(b)(1) and regulations § 7025 | Detect the Sec-GPC: 1 request header and treat it as a valid opt-out from the requesting browser. |
| Authorized agent flow | § 1798.135(e) and the regulations on authorized agents | Accept opt-out requests submitted by an agent the consumer has authorised in writing. |

The link text and placement rules

The statute is unusually prescriptive about the link. § 1798.135(a)(1) requires it to be titled "Do Not Sell or Share My Personal Information" (and (a)(2) requires "Limit the Use of My Sensitive Personal Information"); the only sanctioned alternative is the single combined link under (a)(3) and regulations § 7015. "Do Not Sell," "Manage Cookies" and "Privacy Preferences" do not count. Burying it inside a cookie banner does not count. Hiding it behind another link does not count. It has to be visible to a reasonable consumer on every page where personal information is collected.

GPC: the signal you must honour

Global Privacy Control is a browser-level signal published in the Sec-GPC: 1 HTTP request header (and the corresponding navigator.globalPrivacyControl property exposed to page scripts). Under § 1798.135(b)(1) and the CPPA's regulations on opt-out preference signals (§ 7025), a business must treat a GPC signal as a valid opt-out request for the browser or device sending it, and for the consumer's account where the business knows who the visitor is.

What that means in practice:

  • Detect Sec-GPC: 1 on every page load or request that would otherwise trigger sale/share processing.
  • Suppress any sharing tag (pixels, conversion APIs, cross-context ad tags) that would fire on a sale/share basis for that session.
  • If the visitor is identified (logged-in user), attach the opt-out to their account so it persists.
  • If the visitor is anonymous, attach the opt-out to a first-party cookie so subsequent visits honour it.
  • Surface the GPC state in your privacy preferences UI so the user can confirm it was received.

The CPPA's opt-out preference signal regulations (§ 7025, finalised in 2023) make the GPC obligation explicit. The signal must be processed as a valid opt-out without requiring the consumer to take additional steps; it prevails over a conflicting business-specific setting that allows sale or sharing (you may tell the consumer about the conflict, but you must still honour the signal); and the record-keeping rules in § 7101 mean you must be able to show how you detected and honoured it. Putting up a modal that says "We detected GPC. Do you want to opt out?" is non-compliant. You must honour the signal silently: a confirmation that it was honoured is fine, a gate is not.
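
The detection, gating and persistence logic described in the list above, written out as an added example (this is not code from the original page). It resolves a visitor's opt-out state from every place the signal can arrive (the Sec-GPC header server-side, navigator.globalPrivacyControl client-side, a first-party cookie, or a flag already on the account), fires only the tags a service-provider contract covers when the visitor is opted out, and says what to persist. The tag ids, their classifications and the cookie name ccpa_opt_out are assumptions for the example.

```javascript
// Added example (not code from the original page): resolving a visitor's
// opt-out state from every place the signal can arrive, then gating tags on it.
// In the browser, navigatorGpc is navigator.globalPrivacyControl; on the
// server, secGpc is req.headers['sec-gpc']. Tag ids, classifications and the
// cookie name are this example's own assumptions.

const SALE_SHARE = 'sale_share';
const SERVICE_PROVIDER = 'service_provider';
const OPT_OUT_COOKIE = 'ccpa_opt_out';           // assumed first-party cookie name
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;

// Constructed tag inventory: the output of "classify every tag" in the checklist.
const TAG_INVENTORY = [
  { id: 'meta_pixel',     classification: SALE_SHARE },        // cross-context ads
  { id: 'ads_conversion', classification: SALE_SHARE },
  { id: 'analytics_sp',   classification: SERVICE_PROVIDER },  // contracted per § 1798.140(ag)
];

// Sec-GPC is only a valid opt-out when its value is exactly "1"; "0", an empty
// header or garbage must not be treated as an opt-out.
function parseSecGpc(headerValue) {
  return typeof headerValue === 'string' && headerValue.trim() === '1';
}

// Minimal Cookie header parser; a real handler would use its framework's.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    const raw = part.slice(idx + 1).trim();
    try { out[name] = decodeURIComponent(raw); } catch (_) { out[name] = raw; }
  }
  return out;
}

// Any one source is sufficient: a GPC signal (header or navigator property),
// a first-party opt-out cookie, or an opt-out already stored on the account.
// Per regs § 7025 a GPC signal prevails over a stored setting that allows sharing,
// so nothing here ever downgrades an opt-out.
function resolveOptOutState({ secGpc, navigatorGpc, cookieHeader, account } = {}) {
  const reasons = [];
  if (parseSecGpc(secGpc)) reasons.push('gpc_header');
  if (navigatorGpc === true) reasons.push('gpc_navigator');
  if (parseCookies(cookieHeader)[OPT_OUT_COOKIE] === '1') reasons.push('first_party_cookie');
  if (account && account.optedOutAt) reasons.push('account');
  return { optedOut: reasons.length > 0, reasons };
}

// Service-provider tags always fire; sale/share tags fire only when not opted out.
function tagsToFire(state, inventory = TAG_INVENTORY) {
  return inventory
    .filter(t => t.classification === SERVICE_PROVIDER || !state.optedOut)
    .map(t => t.id);
}

// What to persist so the opt-out survives this request: a first-party cookie for
// the browser, plus the account flag when the visitor is identified.
function persistenceActions(state, account) {
  const actions = [];
  if (!state.optedOut) return actions;
  actions.push({
    type: 'set_cookie',
    header: `${OPT_OUT_COOKIE}=1; Path=/; Max-Age=${ONE_YEAR_SECONDS}; Secure; SameSite=Lax`,
  });
  if (account && !account.optedOutAt) {
    actions.push({ type: 'set_account_opt_out', consumerId: account.id });
  }
  return actions;
}

// One call per request: decide, gate, persist. `state.reasons` is also what the
// privacy preferences UI should show so the user can confirm the signal arrived.
function handleVisit(input) {
  const state = resolveOptOutState(input);
  return { state, tags: tagsToFire(state), actions: persistenceActions(state, input.account) };
}

// Constructed request: logged-in user, no stored opt-out, browser sending GPC.
const demo = handleVisit({
  secGpc: '1',
  cookieHeader: 'session=abc123',
  account: { id: 'user-42', optedOutAt: null },
});
console.log(JSON.stringify(demo, null, 2));
```

The demo visit resolves to opted-out on the strength of the header alone, fires only the service-provider tag, and emits two persistence actions: the cookie for the browser and the account flag for the known user. The same functions run unchanged against navigator.globalPrivacyControl in the browser, which is the point of keeping the decision pure and separate from the transport.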

Authorized agents

§ 1798.135(e) lets a consumer authorize another person or business, in writing, to opt out on their behalf, and you must accept those requests. In practice you receive them in three flavours: a privacy-tech intermediary that batch-submits opt-outs across many businesses; an individual person with a signed letter of authorization; or, increasingly, automated services consumers use to mass-opt-out.

You may require the agent to provide proof that the consumer gave them permission, but you cannot make the process so onerous that it amounts to a refusal. A typical compliant flow accepts the consumer identifier, the agent's identifier and a written or digital authorisation document; checks the authorisation (and, where there is doubt, asks the consumer to confirm directly); runs the same 15-business-day clock as any other opt-out; and, where the authorisation cannot be confirmed, responds to the consumer with a request to confirm directly rather than silently dropping the request.

The 15-business-day fulfilment rule

Opt-out requests must be effected as soon as feasibly possible, but no later than 15 business days from receipt of the request (CCPA regulations § 7026). This is shorter than the 45-day window for access and deletion under § 1798.130, and is one of the most-missed timelines we see in audits.

"Effected" means more than recording the opt-out in your CRM. It means stopping the actual sale or share — suppressing the relevant tags, propagating the opt-out to downstream service providers (more on that below), and ensuring the consumer is excluded from any future sale or sharing.

The 12-month no-reask rule

Once a consumer has opted out, you cannot ask them to opt back into the sale or sharing of their personal information for at least 12 months from the date of opt-out (§ 1798.135(c)(4)). You can offer the choice in a non-prominent, non-coercive way after 12 months. You may not pop up a modal in month two saying "we noticed you opted out — want to opt back in for a 10% discount?". The CPPA has cited this provision in enforcement letters.

Downstream service-provider obligations

An opt-out is only meaningful if it propagates. Under CCPA regulations § 7026(f)(2), when a consumer opts out you must notify all third parties to whom you sold or shared the consumer's personal information between receiving the request and complying with it, direct them to stop selling or sharing it, and direct them to forward the request to anyone they in turn made it available to. (The pre-CPRA regulations framed this as a 90-day lookback; the current text ties it to the gap between receipt and compliance, so the faster you suppress, the fewer notices you owe.) Under § 1798.135(f), anyone you authorised to collect personal information and then told about the opt-out may thereafter use that consumer's data only for the business purpose you specified, and may not sell or share it.

For each ad-tech vendor that received user data on a sale/share basis, you need a mechanism to push a downstream opt-out. Most major platforms (Google, Meta, TikTok, LinkedIn) now expose a server-side conversion API parameter or limited-data-use signal that flags the user as opted out. You must use it. "We told them in the contract not to use it" is not sufficient compliance.

Sale vs share vs service-provider transfer — a decision table

| You disclose data to… | For… | Classification | Opt-out applies? |
| --- | --- | --- | --- |
| AWS (hosting) | Hosting your platform under a written DPA matching § 1798.140(ag) | Service provider | No |
| Stripe | Processing payments for the consumer's transaction with you | Service provider | No |
| Meta Pixel firing on conversion events | Optimising Meta-owned ad delivery across Meta properties | Share (cross-context behavioural advertising) | Yes |
| Data broker | Cash, credit, or analytics insight in exchange | Sale | Yes |
| Marketing analytics SaaS | Building a behavioural profile the vendor reuses for its other customers | Sale (consideration is the enriched dataset) | Yes |
| Marketing analytics SaaS | Producing analytics for you only, under a service-provider contract with use limits | Service provider | No |
| CDP / customer data platform | Storing your first-party data on your behalf only | Service provider | No |

Implementation checklist for engineering

  1. Inventory all third-party tags and SDKs. For each one, classify it as service provider, sale, or share. Document the basis in your processing register.
  2. Stand up consent infrastructure capable of suppressing each tag at runtime per-user-state.
  3. Implement GPC detection. Read Sec-GPC: 1 and navigator.globalPrivacyControl. Suppress sale/share tags on every page render.
  4. Add the link. Exact text "Do Not Sell or Share My Personal Information" on the footer of every page that collects personal information. Add the SPI link if applicable.
  5. Build the opt-out endpoint. Do not demand identity verification: opt-out requests are not verifiable consumer requests under the regulations, and you may deny one only on a good-faith, reasonable, documented belief that it is fraudulent. Attach browser-level requests to the current session and a first-party cookie, attach identified requests to the account, record the opt-out with a timestamp, and propagate to internal systems within 15 business days.
  6. Wire downstream propagation. For each sale/share vendor, integrate the limited-data-use or opt-out signal. Suppress server-to-server transfers for opted-out users.
  7. Honour authorized agents. Accept a documented agent submission, verify the authorisation, and process.
  8. Lock the 12-month no-reask. Suppress any marketing that prompts re-consent to sale/sharing within 12 months.
  9. Log everything. Keep an audit log of opt-out requests, GPC signals received and honoured, downstream propagation confirmations, and the timestamp of every action. CPPA investigators ask for this first.
  10. Test. Open a private window with a GPC-enabled browser and confirm no sale/share tags fire on any page. Submit an opt-out and confirm propagation. Submit an agent opt-out and confirm acceptance.
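
The record-keeping side of checklist steps 5 to 9, and the 15-business-day and 12-month clocks from the sections above, as an added example that is not code from the original page: a request record with its fulfilment deadline and no-reask date, the downstream notices owed to sale/share vendors, and an append-only event trail that marks the request effected (or effected late) once every vendor has confirmed. The Meta field names and values are those of Meta's public Conversions API Limited Data Use option; the vendor ids, the generic vendor payload shape, the hook names and the helper names are this example's own assumptions.

```javascript
// Added example (not code from the original page): the record-keeping core of an
// opt-out endpoint. Dates are ISO YYYY-MM-DD, handled in UTC.

// Skips Saturday and Sunday only; public holidays are not modelled here, so a
// production clock should plug in a holiday calendar.
function addBusinessDays(startIso, days) {
  const d = new Date(`${startIso}T00:00:00Z`);
  let remaining = days;
  while (remaining > 0) {
    d.setUTCDate(d.getUTCDate() + 1);
    const dow = d.getUTCDay();            // 0 = Sunday, 6 = Saturday
    if (dow !== 0 && dow !== 6) remaining -= 1;
  }
  return d.toISOString().slice(0, 10);
}

// CCPA regs § 7026(f)(1): effect the opt-out no later than 15 business days after receipt.
function fulfilmentDeadline(receivedIso) {
  return addBusinessDays(receivedIso, 15);
}

// § 1798.135(c)(4): no request to opt back in for 12 months after the opt-out.
// (A 29 February rolls forward to 1 March of the next year, the conservative side.)
function reaskAllowedFrom(optedOutIso) {
  const d = new Date(`${optedOutIso}T00:00:00Z`);
  d.setUTCMonth(d.getUTCMonth() + 12);
  return d.toISOString().slice(0, 10);
}

function mayReask(optedOutIso, todayIso) {
  return todayIso >= reaskAllowedFrom(optedOutIso);
}

// Opt-out requests are not verifiable consumer requests under the regulations:
// record them as received, do not gate them on identity proofing.
function createOptOutRequest({ consumerId, receivedOn, channel, agent = null }) {
  return {
    consumerId,
    channel,                 // 'link' | 'gpc' | 'agent' (this example's own vocabulary)
    agent,                   // e.g. { name, authorisationRef } for § 1798.135(e) requests
    receivedOn,
    deadline: fulfilmentDeadline(receivedOn),
    reaskAllowedFrom: reaskAllowedFrom(receivedOn),
    status: 'received',
    events: [{ at: receivedOn, type: 'received', channel }],
  };
}

// Meta Conversions API Limited Data Use flags for a California consumer:
// country 1 = United States, state 1000 = California. An empty array disables LDU.
function metaLduOptions(optedOut) {
  return optedOut
    ? { data_processing_options: ['LDU'], data_processing_options_country: 1, data_processing_options_state: 1000 }
    : { data_processing_options: [] };
}

// Constructed vendor inventory; only sale/share recipients need a notice.
const VENDORS = [
  { id: 'meta',        classification: 'sale_share',       hook: 'meta_capi_ldu' },
  { id: 'data_broker', classification: 'sale_share',       hook: 'vendor_opt_out_api' },  // placeholder hook
  { id: 'hosting',     classification: 'service_provider', hook: null },
];

function buildDownstreamNotices(request, vendors = VENDORS) {
  return vendors
    .filter(v => v.classification === 'sale_share')
    .map(v => ({
      vendor: v.id,
      hook: v.hook,
      payload: v.hook === 'meta_capi_ldu'
        ? metaLduOptions(true)
        : { consumer_id: request.consumerId, opt_out: true },   // placeholder shape
    }));
}

// Append an event; the request is "effected" once every sale/share vendor has
// confirmed, and "effected_late" if that happens after the deadline.
function recordPropagation(request, vendorId, confirmedOn, vendors = VENDORS) {
  request.events.push({ at: confirmedOn, type: 'propagated', vendor: vendorId });
  const needed = vendors.filter(v => v.classification === 'sale_share').map(v => v.id);
  const done = request.events.filter(e => e.type === 'propagated').map(e => e.vendor);
  if (needed.every(id => done.includes(id))) {
    request.status = confirmedOn > request.deadline ? 'effected_late' : 'effected';
    request.events.push({ at: confirmedOn, type: request.status });
  }
  return request;
}

// Constructed walk-through: received Monday 2024-03-04 via an authorized agent,
// both sale/share vendors confirm two days later.
const req = createOptOutRequest({
  consumerId: 'c-1001', receivedOn: '2024-03-04', channel: 'agent',
  agent: { name: 'Example Privacy Agent LLC', authorisationRef: 'AUTH-7' },
});
buildDownstreamNotices(req).forEach(n => recordPropagation(req, n.vendor, '2024-03-06'));
console.log(JSON.stringify(req, null, 2));
```

The event array is the audit log investigators ask for: receipt, each downstream confirmation and the final status all carry their own timestamps, and nothing is ever overwritten. The deadline is computed once at receipt so a late propagation is visible in the record itself rather than in someone's reconstruction after the fact.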

CPPA enforcement — the patterns to learn from

Sephora (Attorney General, 2022)

Before the CPPA took primary enforcement, the California Attorney General fined Sephora $1.2 million for: (a) failing to disclose that the company sold consumer personal information; (b) failing to offer a Do Not Sell link; (c) failing to honour GPC signals; and (d) failing to fix the issues within the (then 30-day) cure period. The case turned on the AG's classification of ad-tech sharing as "sale" — Sephora had argued the transfers were service-provider relationships, but the contracts did not satisfy the service-provider definition. Lesson: if your contract isn't actually compliant with § 1798.140(ag), you are selling.

DoorDash (Attorney General, 2024)

The Attorney General's $375,000 settlement with DoorDash found that the company had participated in a marketing co-operative that exchanged customer information with other businesses so that each could advertise to the others' customers. DoorDash did not treat the exchange as a sale; the Attorney General did, because the consideration was access to the other members' customer data rather than cash. The settlement required DoorDash to update its disclosures, opt-out infrastructure, and downstream vendor controls. Lesson: any data-exchange relationship where consideration flows in either direction is almost certainly a sale.

Repeated patterns in CPPA enforcement letters

  • Link text variants ("Do Not Sell My Info," "Manage Privacy") that don't match the statute.
  • GPC signals received but not honoured.
  • Cookie banners that buried the opt-out option.
  • "Service provider" relationships with contracts that omit the prohibited-purposes language from § 1798.140(ag).
  • No mechanism to propagate opt-outs to downstream vendors.
  • Asking the consumer to re-opt-in within 12 months.

How this fits with the rest of the privacy programme

The opt-out flow is one slice of the broader rights infrastructure. The same logic that powers your opt-out endpoint should also power your CCPA deletion flow (see our CCPA deletion request checklist) and your access requests. The verification model, the authorized-agent acceptance, and the audit logging are shared.

On the assessment side, any new product that involves sale or sharing should trigger a screening — the same trigger you use for DPIAs under GDPR. See DPIA vs PIA for how the two assessment regimes interact. For the request-side timelines, the DSAR deadline calculator covers both CCPA and GDPR clocks. And for where the product physically processes California consumer data, see our trust architecture.

FAQ

We don't sell data — do we still need a Do Not Sell or Share link?

If you do not sell or share personal information and have an explicit statement to that effect in your privacy policy, you do not need the link. The bar for "do not share" is high — if you fire any cross-context behavioural ad pixel, you share. Most consumer businesses share. Audit before claiming you don't.

Does the opt-out apply to logged-out browser visits?

Yes. GPC is a browser-level signal and the opt-out applies to the browser session, not just identified accounts. Tags must be suppressed for any browser sending GPC.

What if we operate across many states?

The CCPA opt-out flow is the most demanding state requirement; building to CCPA generally satisfies the other state laws (Virginia, Colorado, Connecticut, Texas, Oregon) on the sale-and-share dimension. You may need additional state-specific disclosures.

Can we use a single consent platform for cookies, CCPA opt-out, and GDPR consent?

Yes, if it correctly distinguishes legal bases per jurisdiction. The same UI can serve both, but the underlying logic differs: CCPA is opt-out, GDPR is opt-in, and the user state machine has to track which one applies.
