Do Not Sell or Share My Personal Information: the CCPA Opt-Out Explained

What "Do Not Sell or Share My Personal Information" means under the CCPA, who must add the link, and how Global Privacy Control fits in.


by Riad Us Salehin • 4 July 2026


"Do Not Sell or Share My Personal Information" is a CCPA opt-out right, expanded by the CPRA. It lets a consumer tell a business to stop selling or sharing their personal data. Covered businesses must offer it through a clear, conspicuous website link.

California and other US state residents use the link to submit the request. Below: what the link means, what counts as a sale or a share, who must add it, and how Global Privacy Control fits in.

What Does "Do Not Sell or Share My Personal Information" Mean?

"Do Not Sell or Share My Personal Information" is a consumer's right under the California Consumer Privacy Act, as amended by the CPRA. It lets a person stop a business from selling or sharing their personal data. The phrase also names the on-site control, usually a footer link, that lets a visitor exercise that right.

The right works as an opt-out, not an opt-in. A business can collect and sell personal information by default, and the consumer has to actively say stop. That is why the control is worded "Do Not Sell" rather than "ask before you sell."

GDPR's cookie consent model runs the opposite way. EU sites need a visitor's opt-in before non-essential data collection starts. Under the CCPA's opt-out model, a US visitor's data may already have moved through ad tech before they click the link. Each opt-out only stops sales and sharing going forward.

What Is the "Do Not Sell or Share My Personal Information" Link?

The "Do Not Sell or Share My Personal Information" link is the mechanism a covered business must post so consumers can submit an opt-out request. California's Attorney General requires it to be clear and conspicuous. Businesses commonly place it in the website footer or inside the notice at collection shown when a visitor's data is first gathered.

Clicking the link opens an opt-out page, a form, or a preference toggle. There, the visitor confirms they want the business to stop selling or sharing their data.

The label varies slightly by site. Some businesses use the full CPRA-updated phrase. Some use the older "Do Not Sell My Personal Information." California's own consumer guidance also recognizes "Your CA Privacy Choices" as an equivalent link name.

Do not confuse this link with the separate "Limit the Use of My Sensitive Personal Information" control. That is a distinct CPRA right covering sensitive data like precise location or health information. A business may post both links side by side.

Three obligations follow once a business receives the request:

  • Respond within 15 business days. The business must act as soon as feasibly possible, no later than 15 business days from receipt.
  • Stop selling and sharing going forward. The business cannot sell or share that person's data again unless the consumer later authorizes it.
  • Never penalize the opt-out. The business cannot deny goods or services, charge a different price, or degrade service quality because a consumer opted out.

What Counts as "Selling" and "Sharing" Personal Information?

Under the CCPA and CPRA, "sell" and "share" are broader terms than most people expect. The CPRA added "sharing" specifically to bring ad tracking inside the opt-out.

What Does "Sell" Mean Under the CCPA?

"Sell" means disclosing, making available, or transferring personal information to a third party for money or for any other valuable consideration, not just cash. That broad wording matters in practice. Letting third-party ad or analytics cookies pass visitor data to another company can count as a "sale," even when no payment changes hands.

A site that never charges a data broker a cent can still be "selling" personal information. That happens the moment an ad-tech tag shares visitor data with a third party in exchange for something of value, such as ad-targeting services.

What Does "Share" Mean (and Why the CPRA Added It)?

"Share" means disclosing personal information for cross-context behavioral advertising. That is targeting ads to a person based on their activity across numerous websites, tracked over time. The CPRA added this category on January 1, 2023. It closed a gap. Ad-tracking data transfers did not always meet the older, narrower definition of a "sale."

That expansion is why the link's wording shifted. "Do Not Sell My Personal Information" became "Do Not Sell or Share My Personal Information." The longer phrase covers both transactions and cross-site ad tracking.

Which Businesses Must Add a "Do Not Sell or Share" Link?

The CCPA applies to for-profit businesses doing business in California that meet at least one of three thresholds. Only businesses that actually sell or share personal information have to post the link.

A covered business meets any one of these:

  • Revenue. Gross annual revenue over $26,625,000 for the previous calendar year, the current inflation-adjusted threshold set by the California Privacy Protection Agency.
  • Data volume. Buys, sells, or shares the personal information of 100,000 or more California consumers or households in a year.
  • Revenue mix. Derives 50% or more of annual revenue from selling or sharing California residents' personal information.

The law reaches businesses outside California too. Any company that meets a threshold and does business in the state is covered, regardless of where it is headquartered. A growing number of other US state privacy laws now carry similar opt-out requirements. A site built for California compliance is often most of the way to compliance elsewhere.

Many small sites sit below every threshold and assume the rule does not apply to them. That assumption breaks down fast once ad-tech or analytics cookies enter the picture.

A site with modest revenue can still be "sharing" personal information for cross-context behavioral advertising the moment a third-party ad pixel fires. That single tag can pull the site into the data-volume or revenue-mix trigger, even without a large-dollar sale.

What Is the Global Privacy Control (GPC) Opt-Out Signal?

The Global Privacy Control (GPC) is a browser or extension-level setting. It automatically tells every participating website that a visitor opts out of the sale and sharing of their personal information. The visitor does not have to click each site's link individually.

GPC is not a Consently feature or any other vendor's feature. It is a signal the visitor's own browser sends.

Under California law, covered businesses must honor it as a valid opt-out request, the same as a click on the footer link. The burden sits entirely with the business. Detecting the signal and stopping the sale or sharing of that visitor's data is the site's legal obligation, not something the visitor configures per site.

GPC is built into privacy-focused browsers like Firefox and Brave, and available through extensions such as Privacy Badger. It has real limits worth knowing.

GPC does not opt a visitor out of every non-essential cookie, and it does not delete data already collected before the signal was sent. It is also not recognized by every website or every jurisdiction. GPC is legally binding in California, Colorado, and Connecticut, among a growing list of states. A site outside those laws' reach can still choose to ignore it.

How Does a Business Add a "Do Not Sell or Share" Link to Its Website?

A covered business adds the link and the opt-out mechanism behind it in six steps.

  1. Determine whether you sell or share personal information, including through ad or analytics cookies that pass data to third parties.
  2. Post a clear, conspicuous "Do Not Sell or Share My Personal Information" link, typically in the footer or inside the notice at collection.
  3. Connect the link to an opt-out page, form, or banner control where visitors submit the request.
  4. Honor requests within 15 business days, and detect and honor Global Privacy Control signals automatically.
  5. Disclose your sale and sharing practices, and the opt-out itself, in your privacy policy.
  6. Keep records of opt-out choices as evidence the request was honored.

Many website platforms and consent-management tools can generate the footer link and the opt-out page for you. The mechanism does not have to be hand-coded.

The same discipline that blocks non-essential third-party tags for GDPR cookie consent applies here. Analytics and advertising scripts should stay off until the visitor's choice is recorded. A script that fires before consent is exactly what turns routine analytics into a "share" under the CPRA.

What If a Business Does Not Sell or Share Personal Information?

A business that genuinely does not sell or share personal information is not required to post the footer link. It must still say so clearly in its privacy policy.

Confirm that claim before relying on it. Many sites that believe they do not sell or share data actually do.

That happens once a third-party analytics tag, an ad pixel, or an embedded video player passes visitor information to another company for anything of value. Check every script running on the site against the "sell" and "share" definitions above before deciding the footer link is unnecessary.

How Consently Helps You Honor Do-Not-Sell Opt-Out Requests

Consently gives US-facing sites the consumer-side controls the CCPA/CPRA opt-out right requires. That means an opt-out banner, a Do-Not-Sell link, and the records to prove requests were honored.

Consently's CCPA / US State Laws Opt-Out Template shows US visitors an opt-out-model banner with a Do-Not-Sell control built in. Region-based banner display shows the right model per visitor. US visitors see the opt-out model; visitors covered by opt-in laws see the opt-in model instead.

Auto-blocking stops ad and analytics tags from firing until a visitor's choice is recorded. That is exactly the kind of tag that can turn routine tracking into a "share" under the CPRA.

Two features back the paperwork side. Consent logs with export keep a timestamped record of who opted out and when. That record helps if a regulator ever asks for proof of compliance.

The privacy and cookie policy generators produce the privacy-policy disclosure the CCPA requires, including a statement of whether the site sells or shares personal information.

One honest limit: Consently does not detect or automatically honor a visitor's browser-level Global Privacy Control signal. Honoring GPC is a separate legal obligation a covered business has to meet through other means.

Consently also does not make a site "CCPA compliant" on its own. It supports the specific consent and disclosure tasks above, and legal compliance remains the business's responsibility.

Consently's CCPA opt-out tools set up the Do-Not-Sell banner in minutes. Try Consently free with a 14-day trial, no credit card required.

FAQs

What does "Do Not Sell or Share My Personal Information" mean?

It is a CCPA/CPRA right to tell a business to stop selling or sharing your personal data. You exercise it through a website link or a browser-level opt-out signal like Global Privacy Control.

Should I click "Do Not Sell or Share My Personal Information"?

Clicking it submits an opt-out request. It does not delete data already collected and does not remove all cookies from the site. It stops the business from selling or sharing your data going forward, within 15 business days.

Is "Do Not Sell My Personal Information" the same as "Do Not Sell or Share"?

They point to the same right. The CPRA added "or Share" on January 1, 2023 to cover cross-context behavioral advertising. Newer links use the longer phrase, while some older sites still use the original wording.

Does every website need a "Do Not Sell or Share" link?

No. Only covered businesses that actually sell or share personal information need it. Coverage turns on three thresholds. A business qualifies at over $26,625,000 in gross annual revenue. It also qualifies at 100,000 or more California residents' records bought, sold, or shared, or at 50% or more of revenue from selling that data.

Sites that do not sell or share must still disclose that in their privacy policy.

How long does a business have to honor an opt-out request?

Up to 15 business days from the date it receives the request, under the CCPA.

Does "Do Not Sell My Personal Information" stop all cookies?

No. It stops the sale and sharing of your data, not every cookie. Essential cookies still load; the opt-out targets the data-selling and ad-tracking cookies specifically.

What is the Global Privacy Control?

A browser or extension signal that opts a visitor out of the sale and sharing of their data on every participating site at once. Covered businesses must honor it as a valid opt-out request.

Can a business be fined for not having a "Do Not Sell or Share" link?

Yes. The CCPA is enforced by the California Privacy Protection Agency and the California Attorney General. A covered business that fails to provide a required opt-out mechanism can face enforcement action.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.