The California Consumer Privacy Act (CCPA) grants residents the explicit right to stop businesses from selling or sharing their personal data.

This opt-out mechanism forms the backbone of US privacy compliance, differing significantly from the European GDPR model. Website owners serving Californian visitors must provide clear paths for users to exercise this right.

You cannot hide this option deep within a privacy policy or require users to jump through complex hoops. The law demands visibility, simplicity, and technical readiness to process automated signals. If your website loads tracking scripts before a user has a chance to object, you might already be violating these rules.

New amendments effective from January 1, 2026, add a mandatory visual confirmation requirement that fundamentally changes how your website must interact with visitors.

What Qualifies as Selling or Sharing?

The CCPA definition of "selling" extends far beyond exchanging data for money. It covers any disclosure of personal information to a third party for monetary or other valuable consideration. If you use third-party advertising trackers on your website, you are likely engaging in a "sale" under California law.

"Sharing" specifically targets cross-context behavioural advertising. This means transferring a consumer's personal information to a third party to target advertising based on their activity across different websites.

A typical e-commerce site using the Meta Pixel falls directly into this category.

Data transfers to formally designated "Service Providers" do not count as a sale or share, provided a strict data processing agreement is in place. The vendor must be contractually restricted from using the data for any purpose other than providing the specified service to your business. If a vendor uses your data to improve their own models or build external profiles, they are a third party, and the data transfer is a sale.

Visitors have the right to halt these data transfers instantly. You must honour this request without requiring the user to create an account or verify their identity. The process must require minimal steps, and you cannot make the "opt-out" path more difficult than the "opt-in" path. Dark patterns, such as using confusing toggle colours or hiding the decline option, are strictly prohibited.

While functional cookies often remain exempt if they do not share data across contexts, marketing trackers require strict control. A consent management platform helps automate this separation by blocking tags until the correct conditions are met.

The "Do Not Sell or Share" Link

The most visible requirement of the law is the mandatory footer link. You must place a clear, conspicuous link titled "Do Not Sell or Share My Personal Information" on your homepage and any page that collects personal data.

This link must open a dialogue or webpage that allows the user to immediately opt out of data selling and sharing. A compliant consent banner handles this interaction by categorising trackers into strict buckets. When a user clicks the link and confirms their choice, your website must instantly stop firing the relevant marketing and analytics cookies. You cannot wait for the next page load to stop the data transfer.

Clicking the link acts as an immediate override switch for third-party scripts.

The CPRA amendments introduced an alternative to the lengthy text link. Businesses can use a consolidated link titled "Your Privacy Choices" or "Your California Privacy Choices", often accompanied by an official opt-out icon developed by the state. The icon features a blue checkmark and a toggle switch. This consolidated link must route the user to a page where they can exercise both their opt-out rights and their right to limit the use of sensitive personal information. Regardless of which naming convention you choose, the functionality remains identical, and the link must be prominently displayed.

Global Privacy Control and Automated Signals

California law recognises that clicking a footer link on every website creates friction for users. To solve this, the CCPA requires businesses to respect opt-out preference signals. The most prominent example is the Global Privacy Control (GPC), a browser-level signal that automatically broadcasts a user's choice to opt out of tracking. When a visitor arrives with GPC enabled in their browser, your website must read that signal and apply the opt-out preference automatically.

You cannot ask the user to confirm their GPC choice or force them to click through a separate banner. The signal itself constitutes a legally binding request.

Treating a GPC header as anything less than a full opt-out violates the regulations.

The GPC transmits as an HTTP header (Sec-GPC: 1) or a JavaScript property (navigator.globalPrivacyControl). When a browser requests a page from your server, it includes this header to declare the user's intent before the HTML even loads. Server-side architectures can read this header and modify the resulting page to strip out tracking scripts completely. For client-side implementations, your consent manager must read the JavaScript property and block tags from firing. Regulators explicitly reject any implementation that loads trackers first and attempts to remove them after detecting the signal.

The 2026 "Opt-Out Request Honored" Mandate

A major regulatory update transforms how businesses must handle automated opt-out signals starting January 1, 2026.

Previously, the California Privacy Protection Agency (CPPA) suggested that websites "may" show users when their preference signal was recognised. The revised regulations changed this language from optional to mandatory. You are now legally required to display a confirmation message on your website when you process an automated opt-out signal.

Section 7025(c)(6) of the updated rules states that businesses must display whether they have processed the consumer's preference signal. The CPPA provides the exact phrase "Opt-Out Request Honored" as the standard example of compliance. You must display this text, along with a toggle or radio button in the privacy settings, to prove the choice was registered. Silent compliance no longer meets the legal standard.

This specific phrasing acts as a trust signal for the consumer. The regulations mandate that this confirmation must be easy to read and logically placed. You cannot hide the confirmation text in a footer with tiny font. Most compliant implementations display a small notification banner or update the status within the privacy preference centre immediately upon detecting the GPC signal.

Furthermore, the updated regulations explicitly prohibit businesses from making the confirmation message confusing or transient. If a user returns to your site, their privacy settings must continue to reflect that their opt-out status remains active and honoured. This change gives consumers immediate visual feedback while providing regulators with an incredibly simple way to audit your website.
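As an added example (not code from the article or from Kukie.io), the following JavaScript shows both sides of the mechanism described in the Global Privacy Control section and the 2026 confirmation section: reading `Sec-GPC: 1` from request headers on the server, reading `navigator.globalPrivacyControl` on the client, deciding which tag categories may load before any script is emitted, and producing the persisted "Opt-Out Request Honored" state so a returning visitor still sees their status. The tag names, categories, the `storedChoice` value and the function names are assumptions for illustration; only the header, the navigator property and the confirmation phrase come from the text.

```javascript
// Added example (not from the original article). Tag categories, tag names,
// the storedChoice value and function names are hypothetical.

// Only the first two categories disclose data to third parties for advertising
// or analytics, so only they are affected by an opt-out of selling/sharing.
// Functional tags that do not share data across contexts keep running.
const TAG_CATEGORIES = {
  marketing: ['meta-pixel', 'google-ads', 'tiktok-pixel'],
  analytics: ['third-party-analytics'],
  functional: ['cart-session', 'csrf-token'],
};
const OPT_OUT_CATEGORIES = ['marketing', 'analytics'];

// Server side: the request carries "Sec-GPC: 1" when the user has opted out.
// Header names are case-insensitive, so normalise before comparing. Only the
// value "1" is a signal; anything else is treated as "no signal".
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Client side: navigator.globalPrivacyControl is true when the browser sends
// the signal and undefined when unsupported. Takes any navigator-like object
// so it can be exercised outside a browser.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide the policy BEFORE any tag is emitted or injected. The signal alone is
// a binding request, so no banner click is needed to reach optedOut = true.
// storedChoice is the visitor's previously persisted status ('opted-out' or
// 'none'), so the honoured state survives a return visit without the signal.
function buildTagPolicy({ headers, nav, storedChoice } = {}) {
  const signalDetected = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const optedOut = signalDetected || storedChoice === 'opted-out';
  const allowed = [];
  const blocked = [];
  for (const [category, tags] of Object.entries(TAG_CATEGORIES)) {
    const stop = optedOut && OPT_OUT_CATEGORIES.includes(category);
    (stop ? blocked : allowed).push(...tags);
  }
  return {
    optedOut,
    signalDetected,
    allowed,
    blocked,
    storedChoice: optedOut ? 'opted-out' : (storedChoice || 'none'),
    // The 2026 rule: visible confirmation whenever the signal was processed.
    confirmation: optedOut ? 'Opt-Out Request Honored' : null,
  };
}

// Server-side rendering: emit <script> tags only for allowed tags, and a
// readable status element when the opt-out was honoured. Trackers that are
// blocked never reach the page, so nothing has to be "removed" afterwards.
function renderHead(policy, scriptSrcFor) {
  const lines = policy.allowed.map((tag) => `<script src="${scriptSrcFor(tag)}"></script>`);
  if (policy.confirmation) {
    lines.push(`<div role="status" class="privacy-status">${policy.confirmation}</div>`);
  }
  return lines.join('\n');
}

// Demo with constructed input: a request carrying the GPC header.
const demoPolicy = buildTagPolicy({ headers: { 'Sec-GPC': '1' }, storedChoice: 'none' });
console.log(renderHead(demoPolicy, (tag) => `/tags/${tag}.js`));
```

In a browser, the same decision runs as `buildTagPolicy({ nav: navigator, storedChoice })` inside the consent manager before its tag loader executes; the persisted `storedChoice` is what keeps the preference centre showing the honoured status on later visits.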

Enforcement Actions and Fines

The California Attorney General and the CPPA actively police these specific technical requirements. In 2022, Sephora received a $1.2 million fine specifically for failing to process GPC signals and lacking a compliant opt-out mechanism.

Enforcement has only accelerated since then. In February 2024, DoorDash paid a $375,000 penalty for similar violations regarding consumer privacy opt-out rights. More recently, in May 2025, the CPPA fined Todd Snyder, Inc. $345,178 for multiple infractions, including the use of dark patterns.

Regulators run automated sweeps to detect websites that ignore GPC headers or fail to provide the required footer links.

The CPPA has broadened its enforcement scope significantly over recent years. Beyond standard violations, the agency now heavily enforces the Delete Act, which targets data brokers. In February 2025, the CPPA brought an enforcement action against Jerico Pictures, Inc. for failing to register and pay annual fees, carrying administrative fines of $200 per day. If your consent interface uses confusing language, asymmetric toggle designs, or buried decline buttons, you face immediate regulatory scrutiny. The state does not offer a mandatory cure period for these violations.

How to Test Your Website's Compliance

Testing your implementation requires specific tools to simulate California traffic and GPC signals. First, you need a VPN to route your connection through a California server, as many consent platforms use geolocation to display the statutory link only to relevant visitors.

Next, install a browser extension that broadcasts the GPC signal, such as DuckDuckGo Privacy Essentials or the EFF's Privacy Badger. Open your browser's developer tools and navigate to the Network tab.

Load your website and observe the network requests. If you see calls to Meta, Google Ads, or TikTok before you have interacted with any banner, your site is ignoring the GPC signal. Look for the mandatory "Opt-Out Request Honored" text. If the text does not appear, or if the trackers continue to fire, your current setup fails the 2026 compliance standards.

Run a full audit using an automated scanner to catch hidden pixels that fire outside of your tag manager. A single rogue script can trigger an enforcement sweep.
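The manual check above (tracker requests before any banner interaction, and the presence of the confirmation text) can be repeated against an exported request log. The following JavaScript is an added example, not code from the article or from Kukie.io: it runs over a constructed, simplified request log whose entry shape loosely follows a HAR entry (`startedDateTime` and `url`, an assumption), flags requests to a hypothetical tracker host watch-list that were made before the consent interaction, treats a GPC-enabled session (no interaction needed) as one where every tracker request is premature, and checks the page for the mandatory phrase.

```javascript
// Added example (not from the original article). The entry shape, the host
// watch-list and the sample log are constructed assumptions; replace the
// suffix list with your own vendor inventory.
const TRACKER_HOST_SUFFIXES = [
  'facebook.net',    // Meta Pixel loader
  'doubleclick.net', // Google Ads conversion tags
  'tiktok.com',      // TikTok Pixel
];

// Constructed sample log: the site's own assets plus three tracker loads.
const SAMPLE_ENTRIES = [
  { startedDateTime: '2026-01-15T10:00:00.100Z', url: 'https://shop.example/' },
  { startedDateTime: '2026-01-15T10:00:00.400Z', url: 'https://shop.example/assets/app.js' },
  { startedDateTime: '2026-01-15T10:00:00.700Z', url: 'https://connect.facebook.net/en_US/fbevents.js' },
  { startedDateTime: '2026-01-15T10:00:01.200Z', url: 'https://analytics.tiktok.com/i18n/pixel/events.js' },
  { startedDateTime: '2026-01-15T10:00:05.000Z', url: 'https://googleads.g.doubleclick.net/pagead/viewthroughconversion/1' },
];

// Match the registrable suffix exactly or as a parent domain, so that
// "evil-facebook.net.example" is not mistaken for "facebook.net".
function hostMatches(hostname, suffix) {
  return hostname === suffix || hostname.endsWith('.' + suffix);
}

function isTrackerUrl(url) {
  let hostname;
  try {
    hostname = new URL(url).hostname;
  } catch {
    return false; // malformed URL: not a tracker call we can attribute
  }
  return TRACKER_HOST_SUFFIXES.some((suffix) => hostMatches(hostname, suffix));
}

// consentTime: ISO timestamp of the visitor's first banner interaction, or
// null for a GPC-enabled session, where no interaction is required and any
// tracker request at all means the signal was ignored.
function findPrematureTrackerCalls(entries, consentTime) {
  const cutoff = consentTime ? Date.parse(consentTime) : Infinity;
  return entries
    .filter((e) => isTrackerUrl(e.url) && Date.parse(e.startedDateTime) < cutoff)
    .map((e) => e.url);
}

// The 2026 rule requires the phrase to be visible; this only checks presence
// in the rendered HTML, not font size or placement.
function confirmationShown(html) {
  return /Opt-Out Request Honored/.test(html || '');
}

function auditSession({ entries, consentTime, html }) {
  const premature = findPrematureTrackerCalls(entries, consentTime);
  const confirmed = confirmationShown(html);
  return { premature, confirmed, pass: premature.length === 0 && confirmed };
}

// Demo: a GPC-enabled session against the constructed log.
console.log(JSON.stringify(
  auditSession({ entries: SAMPLE_ENTRIES, consentTime: null, html: '<div role="status">Opt-Out Request Honored</div>' }),
  null, 2,
));
```

With a real export, feed the HAR's `log.entries` array in place of `SAMPLE_ENTRIES` and the page's rendered HTML in place of the demo string; any URL in `premature` is a tag that fired outside the gate the consent manager is supposed to enforce.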

Frequently Asked Questions

Do I need a Do Not Sell link if I only use Google Analytics?

Yes. Depending on your configuration, sharing data with Google for analytics and advertising purposes often qualifies as a sale or share under the CCPA. You must provide an opt-out mechanism.

What is an opt-out preference signal?

It is a technical signal sent by a browser or extension, such as the Global Privacy Control, that automatically communicates a user's choice to opt out of data tracking.

When does the Opt-Out Request Honored rule take effect?

The revised regulations making visual confirmation mandatory took effect on January 1, 2026. Businesses must now display a clear message when they process a preference signal.

Can I ask users to verify their identity before opting out?

No. The CCPA prohibits businesses from requiring identity verification for requests to opt out of selling or sharing personal information.

Does the CCPA require a cookie banner like the GDPR?

Unlike the GDPR's opt-in model, the CCPA operates on an opt-out basis. You do not need prior consent to set cookies, but you must provide a clear way for users to opt out at any time.

Take Control of Your Cookie Compliance

If your website receives traffic from California, you must provide a compliant opt-out mechanism and handle GPC signals correctly. Kukie.io detects first-party and third-party cookies, applies the correct categorisation, and displays the mandatory 2026 opt-out confirmation to your visitors automatically.

You can test this functionality directly by creating a free plan account.
