“Do Not Sell or Share My Personal Information” CCPA & CPRA Compliance Requirements


A guide to the statutory and regulatory requirements governing opt-out rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and the California Privacy Protection Agency’s implementing regulations.

California’s privacy law gives consumers a direct, affirmative right to tell a business: stop selling or sharing my personal information. That right, codified in Civil Code Section 1798.120 and expanded by the California Privacy Rights Act of 2020 (CPRA), comes with concrete, enforceable obligations for businesses — obligations that extend well beyond simply posting a link.

This page sets out, in plain terms, what the law actually requires: which businesses must comply, what the opt-out page must say and do, what mechanisms must be offered, how and when requests must be honored, and what the California Privacy Protection Agency’s (CPPA) regulations — including major updates effective January 1, 2026 — add to those baseline requirements.

Important — January 1, 2026 Regulatory Updates: The CPPA’s amended regulations, approved by the California Office of Administrative Law in September 2025, impose significant new obligations on businesses regarding opt-out confirmation, the symmetry of opt-out and opt-in processes, and Global Privacy Control (GPC) signal handling. Key new requirements are flagged throughout this page.

I. Which Businesses Must Comply

The opt-out obligations described here apply to any “business” under the CCPA (§ 1798.140(d)) that sells or shares consumers’ personal information with third parties, or that uses or discloses consumers’ sensitive personal information for purposes beyond those enumerated in Section 1798.121(a).

A “business” under the statute is a for-profit entity that collects consumers’ personal information, does business in California, and meets at least one of the following thresholds (§ 1798.140(d)):

  • Annual gross revenues exceeding $25 million (adjusted periodically);
  • Alone or in combination, buys, sells, or shares the personal information of 100,000 or more consumers or households per year; or
  • Derives 50% or more of annual revenues from selling or sharing consumers’ personal information.

Two statutory definitions bear particular attention for scoping purposes:

Sale (§ 1798.140(ad))

A “sale” means disclosing a consumer’s personal information to a third party for monetary or other valuable consideration. The “other valuable consideration” language is broad: data exchanges, reciprocal data-sharing arrangements, and other non-cash transactions may qualify, depending on the circumstances.

Share (§ 1798.140(ah))

The CPRA added “sharing” as a distinct concept covering the disclosure of personal information to a third party for cross-context behavioral advertising — even at no cost. A business that passes consumer data to an advertising or analytics partner for the purpose of targeting advertising across different websites or services is “sharing” that data under the statute, regardless of whether money changes hands.

II. The Consumer’s Right to Opt Out

Right to Opt Out of Sale or Sharing (§ 1798.120(a))

A consumer has the right, at any time, to direct a business not to sell or share the consumer’s personal information with third parties. This right is unconditional — it does not require the consumer to provide a reason, and it cannot be conditioned on the consumer creating an account or providing information beyond what is necessary to process the request.

Right to Limit Use of Sensitive Personal Information (§ 1798.121(a))

A consumer also has the right to direct a business that collects their sensitive personal information (SPI) to limit its use to what is necessary to perform the services or provide the goods the consumer reasonably expects, and to uses specifically authorized by regulation. “Sensitive personal information” includes, among other categories: Social Security and government ID numbers; financial account credentials; precise geolocation data; racial or ethnic origin; religious or philosophical beliefs; genetic data; biometric data processed to identify an individual; health information; sex life or sexual orientation; and the contents of personal communications (§ 1798.140(ae)).

No Re-Solicitation for Twelve Months (§ 1798.135(d))

Once a consumer opts out, the business must wait at least twelve months before requesting that the consumer authorize the sale or sharing of their personal information. Any such request must be presented in a manner that does not employ dark patterns or other manipulative design intended to impair the consumer’s decision-making.

Special Rule for Minors (§ 1798.120(c))

A business that has actual knowledge that a consumer is under the age of 16 may not sell or share that consumer’s personal information unless affirmative opt-in authorization is obtained — from the consumer themselves if they are between 13 and 15 years old, or from a parent or guardian if the consumer is under 13. A business that willfully disregards a consumer’s age is deemed to have actual knowledge. This inverts the standard model: for minors, the default is no sale or sharing, and explicit consent is required to proceed.

III. The Required Link: Placement and Labeling

The “Do Not Sell or Share My Personal Information” Link (§ 1798.135(a)(1); 11 CCR § 7013(a))

Any business subject to the opt-out obligation must provide a clear and conspicuous link on its internet homepage(s) with the exact title: “Do Not Sell or Share My Personal Information.” The link must direct consumers to a webpage where they can exercise this right. “Clear and conspicuous” is a legal standard of accessibility — the link must be readily visible, not buried in fine print, not rendered in a color that obscures it against the page background, and not structurally deemphasized compared to surrounding content.

The “Limit the Use of My Sensitive Personal Information” Link (§ 1798.135(a)(2))

Businesses that use or disclose sensitive personal information for non-authorized purposes must provide a separate clear and conspicuous link titled: “Limit the Use of My Sensitive Personal Information.” This link must also lead to a page enabling consumers to exercise this right.

Single Combined Link Option (§ 1798.135(b); 11 CCR § 7013(b))

At the business’s discretion, the two links above may be combined into a single, clearly labeled link — provided that single link allows a consumer to easily accomplish both: opting out of sale/sharing and limiting the use of SPI. The combined link or page must make both rights available without confusion.

Privacy Policy (§ 1798.135(a)(3); 11 CCR §§ 7011, 7013(e))

The business’s online privacy policy must include at least one of the following:

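  • A description of the consumer’s rights under Sections 1798.120 and 1798.121, together with a separate link to the “Do Not Sell or Share My Personal Information” (DNS/S) page and a separate link to the “Limit the Use of My Sensitive Personal Information” (Limit SPI) page;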
  • A single link providing access to both rights; or
  • If the business uses the frictionless opt-out preference signal alternative (see Section VI below), a statement that the business processes and abides by opt-out preference signals.

Notice at Collection (11 CCR § 7012(b))

The business’s Notice at Collection — provided to consumers at or before the time personal information is collected — must include a link to the DNS/S page if the business sells or shares personal information.

Mobile Applications (11 CCR § 7013(c))

For businesses operating mobile applications, the DNS/S link or its equivalent must appear in the app’s settings menu or on a landing page — not merely in a desktop-only location.

IV. Required Content on the Opt-Out Page

The Notice of Right to Opt-Out must be posted on the webpage to which consumers are directed after clicking the DNS/S link. Alternatively, the link may take the consumer directly to the relevant section of the business’s privacy policy, provided that section contains all required information. (11 CCR § 7013(f))

The following information must be present:

  • Description of the right. A plain-language explanation of the consumer’s right to opt out of the sale or sharing of their personal information — and, if applicable, the right to limit the use of their sensitive personal information.
  • Categories of personal information sold or shared. An enumeration of the categories of personal information the business sells, shares, or uses/discloses for non-authorized purposes.
  • Categories of third parties. Identification of the categories of third parties to whom the business sells or shares personal information.
  • Opt-out mechanisms. A clear description of all available methods for submitting an opt-out request, presented in an accessible format. The process must be easy to understand and straightforward to complete.
  • Non-discrimination statement. A statement that the business will not discriminate against the consumer for exercising the right to opt out. This may link to, or incorporate, the business’s broader non-discrimination notice.
  • Authorized agents. Information explaining that a consumer may designate an authorized agent to submit an opt-out request on their behalf, and what documentation the agent must provide.
  • Re-authorization timeline. A statement that, following an opt-out, the business will not request consent to resume sale or sharing for at least twelve months.

V. Opt-Out Mechanisms: What the Business Must Offer

General Standards (11 CCR § 7026(a))

Methods for submitting opt-out requests must be easy for consumers to execute and must require minimal steps. Businesses may not construct opt-out processes that are deliberately burdensome, confusing, or that otherwise impair the consumer’s ability to exercise the right.

2026 Update — Symmetry Requirement: Effective January 1, 2026, the number of steps a consumer must take to complete an opt-out request — measured from when the consumer clicks the DNS/S link to completion of the request — must be the same or fewer than the number of steps required to opt in to sale or sharing (where the business offers an opt-in pathway). A process that requires more steps to opt out than to opt in is a per se dark pattern violation. (Amended 11 CCR § 7026, eff. Jan. 1, 2026)

Required Methods (11 CCR § 7026(a)(1)–(6))

At minimum, the business must offer at least two designated methods for submitting an opt-out request, and at least one must be an interactive webform accessible through the DNS/S link. Additional acceptable methods include:

  • A toll-free telephone number;
  • A designated email address;
  • A consumer-facing application with a dedicated opt-out feature;
  • A user-enabled privacy settings page; and/or
  • An opt-out preference signal or Global Privacy Control (GPC) — discussed in detail in Section VI below.

No Account Creation Required (§ 1798.135(c); 11 CCR § 7026(b))

A business may not require a consumer to create an account, log in, or provide information beyond what is reasonably necessary to identify the consumer and process the request. This is a firm prohibition — conditioning the opt-out process on account creation is a violation.

No Verification Required (11 CCR § 7026(b))

Unlike requests to know or requests to delete, an opt-out request need not be a verifiable consumer request. The business may request information reasonably necessary to identify the consumer, but only to the extent it cannot comply without it. Where the business can process the request without additional information, it must do so.

VI. Opt-Out Preference Signals and Global Privacy Control (GPC)

Statutory Framework (§ 1798.135(b); 11 CCR § 7025)

For businesses that collect personal information from consumers online, an opt-out preference signal — such as the Global Privacy Control — constitutes a valid opt-out request when it is sent with the consumer’s consent by a platform, technology, or mechanism that meets the CPPA’s technical specifications. The GPC is a browser- or platform-level signal that communicates a consumer’s opt-out choice automatically to every website they visit.

Alternative Compliance Pathway (§ 1798.135(b))

A business that processes opt-out preference signals in a frictionless manner is not required to post the “Do Not Sell or Share My Personal Information” link — provided that the business states in its online privacy policy that it processes such signals and abides by them. “Frictionless” means the signal is detected and acted upon automatically, without requiring the consumer to take any additional steps on the website.

2026 Update — Mandatory Confirmation of GPC Processing: Effective January 1, 2026, when a consumer using an opt-out preference signal visits the business’s website, the business must display a visible confirmation that the signal has been recognized and processed — for example, by displaying an “Opt-Out Request Honored” message, or by reflecting the opt-out status through a toggle or radio button in the consumer’s privacy settings. Passive, invisible signal processing is no longer sufficient. (Amended 11 CCR § 7026, eff. Jan. 1, 2026)

VII. Processing and Honoring Opt-Out Requests

Response Deadline (11 CCR § 7026(d))

The business must honor an opt-out request no later than 15 business days from the date the request is received.

Third-Party Notification (11 CCR § 7026(e))

After receiving an opt-out request and before completing it, the business must notify all third parties to whom it has sold or shared the consumer’s personal information — directing those parties to comply with the request and to forward it downstream to any subsequent recipients. This creates a chain-of-custody obligation that extends beyond the initial business relationship.

Opt-Out Confirmation (11 CCR § 7026(f); amended eff. Jan. 1, 2026)

The business must provide a means by which the consumer can confirm that their opt-out request has been processed. Under the regulations effective January 1, 2026, this confirmation obligation is mandatory. Acceptable methods include displaying an “Opt-Out Request Honored” message on the website, or updating the consumer’s privacy settings to reflect the opt-out decision through a toggle or radio button.

Prohibition on Re-Solicitation for Twelve Months (§ 1798.135(d))

The business may not request that the consumer authorize the sale or sharing of their personal information for at least twelve months following an opt-out. Any re-authorization request must not use dark patterns or other design choices that impair or subvert the consumer’s free decision-making.

VIII. Authorized Agents

The Right to Use an Authorized Agent (§ 1798.135(c); 11 CCR § 7026(c))

A consumer may designate an authorized agent — an individual or a business entity registered with the California Secretary of State — to submit an opt-out request on the consumer’s behalf. To do so, the consumer must provide the agent with written permission (signed by the consumer) authorizing the agent to act.

Business’s Right to Verify Agent Authorization

A business may deny an opt-out request submitted by a purported authorized agent if the agent fails to provide the consumer’s signed authorization. However — and this is a significant distinction from deletion and access requests — the business cannot require the consumer to directly verify the opt-out request themselves. The business may only seek confirmation that the consumer has authorized the agent. (11 CCR § 7026(c))

IX. Non-Discrimination

A business shall not discriminate against a consumer for exercising the right to opt out of sale or sharing. Prohibited acts of discrimination include (§ 1798.125; 11 CCR § 7070):

  • Denying goods or services to the consumer;
  • Charging a different price or rate for goods or services, including through discounts, benefits, or penalties;
  • Providing a different level or quality of goods or services; or
  • Suggesting that the consumer will receive a different price, rate, level, or quality of goods or services.

Financial incentive programs — such as loyalty or rewards programs that involve the use of personal information — are subject to separate disclosure requirements and require a distinct opt-in under Section 1798.125(b). The existence of a lawful financial incentive program does not neutralize the non-discrimination obligation.

X. Dark Patterns: The Enforcement Risk

The CCPA expressly prohibits “dark patterns” in the opt-out process — user interface designs that subvert or impair consumer autonomy, decision-making, or choice when asserting privacy rights or providing consent. (§ 1798.140(l); 11 CCR § 7004(b))

In September 2024, the CPPA issued an Enforcement Advisory specifically addressing dark patterns in the context of privacy choices. The Advisory confirms that the CPPA treats the following design practices as violations:

  • Opt-out paths that require more steps, clicks, or decisions than the corresponding opt-in path;
  • Visual hierarchy or color choices that deemphasize or obscure the opt-out option relative to data-sharing options;
  • Misleading language that implies negative consequences for opting out;
  • Pre-checked boxes or default settings that assume consent to data selling or sharing;
  • Unnecessary confirmation screens, interstitials, or guilt-tripping (“are you sure?”) dialogs in the opt-out flow; and
  • Consent banners or cookie overlays structured so that “accept all” is prominent and one-click while opting out requires navigating multiple sub-menus.

The September 2024 Advisory should be treated as a compliance benchmark. A UI that would draw the CPPA’s attention under the Advisory is a UI that needs to be redesigned before January 1, 2026, when the symmetry-of-steps regulation takes effect and creates a bright-line rule.

XI. Summary of January 1, 2026 Regulatory Changes

The CPPA’s amended regulations, finalized by the California Office of Administrative Law in September 2025, introduce the following changes directly relevant to DNS/S compliance, each effective January 1, 2026:

  • Mandatory opt-out confirmation. Businesses must provide consumers with a visible, affirmative confirmation that an opt-out request (including a request made via an opt-out preference signal) has been processed. Invisible or back-end-only processing of the signal no longer satisfies the requirement.
  • Symmetry of steps. The number of steps to complete an opt-out request must be the same as, or fewer than, the number of steps to opt in to sale or sharing where an opt-in mechanism is provided. A longer opt-out flow is a per se violation.
  • GPC acknowledgment. When a consumer whose browser or platform sends a GPC signal visits the business’s website, the website must display a message confirming that the signal has been recognized and honored — for example, “Opt-Out Request Honored.”

Looking ahead: Businesses using automated decision-making technology (ADMT) to make significant decisions affecting consumers should also track the CPPA’s ADMT regulations, which impose separate opt-out obligations effective January 1, 2027.

XII. Quick-Reference: Statutory and Regulatory Citations

| Requirement | Source |
|---|---|
| Consumer’s right to opt out of sale or sharing | Cal. Civ. Code § 1798.120 |
| Consumer’s right to limit use of sensitive personal information | Cal. Civ. Code § 1798.121 |
| DNS/S link, Limit SPI link, and opt-out page requirements | Cal. Civ. Code § 1798.135 |
| Notice of right to opt-out / DNS/S link placement and content | 11 CCR § 7013 |
| Opt-out request submission, processing, confirmation, and third-party notification | 11 CCR § 7026 |
| Opt-out preference signals (GPC) — frictionless alternative | 11 CCR § 7025 |
| Anti-dark-patterns / request design standards | 11 CCR § 7004 |
| Non-discrimination for exercising privacy rights | Cal. Civ. Code § 1798.125; 11 CCR § 7070 |
| Privacy policy requirements | 11 CCR § 7011 |
| Notice at collection | 11 CCR § 7012 |
| Minors (under-16 opt-in requirement) | Cal. Civ. Code § 1798.120(c) |
| Authorized agents for opt-out requests | 11 CCR § 7026(c) |
| 2026 opt-out confirmation, symmetry of steps, GPC acknowledgment | Amended 11 CCR § 7026 (eff. Jan. 1, 2026) |
| Dark patterns enforcement guidance | CPPA Enforcement Advisory (Sept. 2024) |