--- title: "US CCPA Do not sell or share Guide" canonical_url: "https://www.sorena.io/artifacts/us/california-consumer-privacy-act/do-not-sell-or-share" source_url: "https://www.sorena.io/artifacts/us/california-consumer-privacy-act/do-not-sell-or-share" author: "Sorena AI" description: "US CCPA guidance for Do not sell or share, with practical decisions, evidence, edge cases, and external source citations." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "US CCPA" - "Do not sell or share" - "US CCPA Do not sell or share" - "compliance checklist" - "practical guidance" - "Compliance" - "Regulatory guidance" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # US CCPA Do not sell or share Guide US CCPA guidance for Do not sell or share, with practical decisions, evidence, edge cases, and external source citations. *Artifact Guide* *US* *Do not sell or share* ## US CCPA Do not sell or share Do not sell or share decisions under the US CCPA should be written in operational language: who is in scope, what must happen, what evidence proves it, and when escalation is needed. This guide converts official requirements into scope, evidence, ownership, and review decisions for practical implementation, supporting implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation. Under the CCPA, California consumers can tell a business to stop selling or sharing their personal information, and the business has to honor that choice. This page first explains what that right actually means, then maps the obligation to trigger conditions, accountable owners, required deadlines, evidence records, and review paths that product, legal, privacy, security, and compliance teams can apply. ## What does "do not sell or share" actually mean? The CCPA gives a consumer the right to direct a business to stop selling or sharing their personal information. "Sell" means disclosing a consumer's personal information to a third party for monetary or other valuable consideration. "Share" is narrower and specific to advertising: it means disclosing personal information to a third party for cross-context behavioral advertising, whether or not any money changes hands. A common example of sharing is letting an ad-tech vendor use a site visitor's identifiers to target ads across other sites and apps. In practice, a business that sells or shares personal information must give consumers a clear way to opt out, most commonly a "Do Not Sell or Share My Personal Information" link, and must treat an opt-out preference signal such as Global Privacy Control as a valid opt-out request. Once a consumer opts out, the business must stop selling or sharing that person's personal information and must pass the opt-out on to third parties it had already sold or shared the information with. A consumer can also authorize someone else to opt out on their behalf. - Opt out applies to two things: selling personal information for value, and sharing it for cross-context behavioral advertising. - If the business sells or shares, it must offer an opt-out link and honor opt-out preference signals like Global Privacy Control. - After an opt-out, stop selling or sharing that consumer's data and tell downstream recipients to do the same. - If the business does not sell or share personal information at all, it has no opt-out link duty but should be able to show why the right does not apply. Sources for this answer: - [California Civil Code Title 1.81.5 - California Consumer Privacy Act](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - California statutory source defining sell and share and the consumer opt-out right. - [California Civil Code section 1798.135](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.135.&ref=sorena.io) - California statutory source for the opt-out link, opt-out preference signals, and authorized opt-out requests. *Recommended next step* *Placement: after the practical guidance* ## Turn US CCPA Do not sell or share into assigned work This US CCPA guide turns Do not sell or share into owners, evidence requests, review checkpoints, and reusable operating records inside Sorena. - [Open Assessment Autopilot for US CCPA](/solutions/assessment.md): Turn Do not sell or share into scoped questions, evidence fields, and review tasks. - [Review US CCPA source evidence](/solutions/research-copilot.md): Use Research Copilot to answer follow-up questions with cited source material. - [Talk through implementation](/contact.md): Review scope, evidence, owners, and the next compliance actions with Sorena. ## What should teams decide about Do not sell or share under the US CCPA? Start by deciding whether the issue affects business-threshold status, notice at collection, privacy policy disclosures, consumer rights, do-not-sell/share controls, GPC, service-provider restrictions, or enforcement exposure. The useful answer should name the exact trigger, affected product or process, required action, owner, evidence, and escalation point. Keep the California source, threshold calculation, notice text, consumer-right workflow, opt-out/GPC evidence, and service-provider contract record together so the CCPA decision can be reviewed later. - Define the exact Do not sell or share trigger and the business process it affects. - Record which role, product, system, customer group, or data flow is in scope. - Attach the source-linked rule, the owner, and the evidence field before approving the control. - Escalate uncertainty when the facts depend on thresholds, exemptions, cross-border activity, vulnerable users, or enforcement-sensitive wording. Sources for this answer: - [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - CPPA consumer-facing source for enforcement and complaint context around do-not-sell-or-share rights. - [California Civil Code section 1798.135](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.135.&ref=sorena.io) - California statutory source for do-not-sell-or-share links, opt-out preference signals, and downstream opt-out communication. - [Enforcement Advisory No. 2024-01 Applying Data Minimization to Consumer Requests](https://cppa.ca.gov/pdf/enfadvisory202401.pdf?ref=sorena.io) - CPPA advisory source for applying data minimization when collecting information to process consumer requests. ## Who should own Do not sell or share, and what evidence should prove the decision? Ownership should sit with the team that can change notices, request intake, ad-tech settings, vendor contracts, data retention, or consumer-facing controls, with privacy/legal review for ambiguous cases. Evidence should show threshold calculations, notice-at-collection placement, privacy-policy disclosures, rights request logs, opt-out/GPC handling, vendor restrictions, and enforcement-response readiness. - Name one accountable owner and one reviewer for the Do not sell or share workflow. - Keep source screenshots or source links, decision notes, implementation tickets, and approval records together. - Use dated evidence for deadlines, notices, risk assessments, contracts, user journeys, and regulator-facing records. - Review the evidence after product changes, new markets, new vendors, enforcement updates, or material changes in the source text. Sources for this answer: - [California Civil Code section 1798.135](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.135.&ref=sorena.io) - California statutory source for evidence that the business supports opt-out preference signals or provides the required links. - [Enforcement Advisory No. 2024-01 Applying Data Minimization to Consumer Requests](https://cppa.ca.gov/pdf/enfadvisory202401.pdf?ref=sorena.io) - CPPA advisory source for minimizing the information collected while handling consumer requests. - [U.S. Privacy User Signal Mechanism](https://iabtechlab.com/standards/ccpa?ref=sorena.io) - Technical reference for legacy privacy signal mechanisms that may appear in ad-tech or publisher workflows. ## Which edge cases should teams check before relying on a Do not sell or share decision? Most CCPA mistakes happen at the boundary between a business, service provider, contractor and third party, or between selling, sharing, financial incentives, minors, GPC, and data-broker obligations. Apply this section before launching a collection point, ad-tech flow, rights workflow, vendor onboarding, financial incentive, minor-focused journey, or data-broker process. - Check whether the rule changes for minors, consumers, business users, public-sector bodies, regulated sectors, high-risk services, or cross-border transfers. - Separate binding law, regulator guidance, consultation material, standards, and enforcement commentary in the evidence record. - Do not rely on a previous answer if the data categories, user interface, vendor role, or contractual flow changed. - Track unresolved assumptions in an open-questions section and route legal interpretation points for review. Sources for this answer: - [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Boundary and edge-case support for this artifact page. - [California Civil Code section 1798.135](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.135.&ref=sorena.io) - California statutory source for edge cases involving opt-out preference signals and authorized opt-out requests. - [Enforcement Advisory No. 2024-01 Applying Data Minimization to Consumer Requests](https://cppa.ca.gov/pdf/enfadvisory202401.pdf?ref=sorena.io) - CPPA advisory source for request-handling edge cases where intake data should remain limited to the request. - [U.S. Privacy User Signal Mechanism](https://iabtechlab.com/standards/ccpa?ref=sorena.io) - Boundary and edge-case support for this artifact page. ## How should teams operationalize Do not sell or share with proportionate controls? Use a CCPA workflow that captures threshold status, data category, collection point, consumer right, opt-out or GPC trigger, vendor role, evidence, owner, and review date. The output should be a threshold note, notice update, DSAR decision, opt-out/GPC record, vendor clause map, dark-pattern review, or enforcement evidence pack. - Create a short intake question that identifies the Do not sell or share scenario. - Map the answer to a required action, evidence field, owner, reviewer, and review date. - Link related artifact pages with descriptive anchors so users can move from scope to deadlines, controls, penalties, and templates. - Update the workflow when official source material changes or when internal evidence shows recurring exceptions. Sources for this answer: - [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Operational implementation support for Do not sell or share. - [California Civil Code section 1798.135](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.135.&ref=sorena.io) - California statutory source for operationalizing do-not-sell-or-share links and opt-out preference signal handling. - [Enforcement Advisory No. 2024-01 Applying Data Minimization to Consumer Requests](https://cppa.ca.gov/pdf/enfadvisory202401.pdf?ref=sorena.io) - CPPA advisory source for designing request workflows around data-minimization principles. ## Primary sources - [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - CPPA consumer-facing source for enforcement and complaint context around do-not-sell-or-share rights. - Quote: "You cannot sue businesses for most CCPA violations" - [California Civil Code section 1798.135](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.135.&ref=sorena.io) - California statutory source for do-not-sell-or-share links, opt-out preference signals, and downstream opt-out communication. - Quote: "opt out of the sale or sharing of their personal information" - [Enforcement Advisory No. 2024-01 Applying Data Minimization to Consumer Requests](https://cppa.ca.gov/pdf/enfadvisory202401.pdf?ref=sorena.io) - CPPA advisory source for applying data minimization when collecting information to process consumer requests. - Quote: "Applying Data Minimization to Consumer Requests" - [U.S. Privacy User Signal Mechanism](https://iabtechlab.com/standards/ccpa?ref=sorena.io) - Technical reference for legacy privacy signal mechanisms that may appear in ad-tech or publisher workflows. - Quote: "Privacy User Signal Mechanism ("USP API") (CCPA Compliance Mechanism) produced by IAB Technology Laboratory (IAB Tech Lab)" - [California Civil Code Title 1.81.5 - California Consumer Privacy Act](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - California statutory source for the CCPA title and do-not-sell-or-share opt-out duties. - Quote: "Do Not Sell or Share My Personal Information" ## Related Topic Guides - [California CCPA/CPRA Opt Out Signal Workflow Guide](/artifacts/us/california-consumer-privacy-act/opt-out-signal-workflow.md): California CCPA/CPRA guidance for Opt Out Signal Workflow, with practical decisions, evidence, edge cases, and external source citations. - [CCPA Global Privacy Control (GPC): team obligations and technical implementation](/artifacts/us/california-consumer-privacy-act/faq/gpc.md): US CCPA guidance for GPC, with practical decisions, evidence, edge cases, and external source citations. - [How should teams decide whether US CCPA applies?](/artifacts/us/california-consumer-privacy-act/faq/thresholds.md): US CCPA guidance for Thresholds, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Applicability Test Guide](/artifacts/us/california-consumer-privacy-act/applicability-test.md): Practical guidance for the US CCPA applicability test, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Compliance Checklist](/artifacts/us/california-consumer-privacy-act/checklist.md): Practical guidance for the US CCPA checklist, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Compliance Guide](/artifacts/us/california-consumer-privacy-act/compliance.md): Practical guidance for the US CCPA compliance, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Consumer Rights Workflow Guide](/artifacts/us/california-consumer-privacy-act/consumer-rights-workflow.md): US CCPA guidance for Consumer Rights Workflow, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Contract Classification Workflow Guide](/artifacts/us/california-consumer-privacy-act/contract-classification-workflow.md): US CCPA guidance for Contract Classification Workflow, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Dark Patterns Guide](/artifacts/us/california-consumer-privacy-act/dark-patterns.md): US CCPA guidance for Dark Patterns, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Data Broker Crossover Guide](/artifacts/us/california-consumer-privacy-act/data-broker-crossover.md): US CCPA guidance for Data Broker Crossover, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Deadlines and Compliance Calendar Guide](/artifacts/us/california-consumer-privacy-act/deadlines-and-compliance-calendar.md): US CCPA guidance for Deadlines and Compliance Calendar, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Do Not Sell Share Implementation Guide](/artifacts/us/california-consumer-privacy-act/do-not-sell-share-implementation.md): US CCPA guidance for Do Not Sell Share Implementation, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA DSAR Verification Guide](/artifacts/us/california-consumer-privacy-act/dsar-verification.md): US CCPA guidance for DSAR Verification, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA DSAR Workflow Guide](/artifacts/us/california-consumer-privacy-act/dsar-workflow.md): US CCPA guidance for DSAR Workflow, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Enforcement And Penalties Guide](/artifacts/us/california-consumer-privacy-act/enforcement-and-penalties.md): US CCPA guidance for Enforcement And Penalties, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Financial Incentives Guide](/artifacts/us/california-consumer-privacy-act/financial-incentives.md): US CCPA guidance for Financial Incentives, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA GPC Signal Guide](/artifacts/us/california-consumer-privacy-act/gpc.md): US CCPA guidance for GPC, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Minors Guide](/artifacts/us/california-consumer-privacy-act/minors.md): US CCPA guidance for Minors, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Notice at collection Guide](/artifacts/us/california-consumer-privacy-act/notice-at-collection.md): US CCPA guidance for Notice at collection, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA penalties and fines Guide](/artifacts/us/california-consumer-privacy-act/penalties-and-fines.md): US CCPA guidance for penalties and fines, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Personal And Sensitive Pi Categories Guide](/artifacts/us/california-consumer-privacy-act/personal-and-sensitive-pi-categories.md): US CCPA guidance for Personal And Sensitive Pi Categories, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Privacy Law FAQ](/artifacts/us/california-consumer-privacy-act/faq.md): Practical guidance for the US CCPA FAQ, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Privacy Notices And Disclosures Guide](/artifacts/us/california-consumer-privacy-act/privacy-notices-and-disclosures.md): US CCPA guidance for Privacy Notices And Disclosures, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Privacy Policy Guide](/artifacts/us/california-consumer-privacy-act/privacy-policy.md): US CCPA guidance for Privacy Policy, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Privacy Policy Template Guide](/artifacts/us/california-consumer-privacy-act/ccpa-privacy-policy-template.md): US CCPA guidance for CCPA Privacy Policy Template, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Requirements Guide](/artifacts/us/california-consumer-privacy-act/requirements.md): Practical guidance for the US CCPA requirements, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Risk And Cyber Audits Guide](/artifacts/us/california-consumer-privacy-act/risk-and-cyber-audits.md): US CCPA guidance for Risk And Cyber Audits, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Scope and Thresholds Guide](/artifacts/us/california-consumer-privacy-act/scope-and-thresholds.md): US CCPA guidance for Scope and Thresholds, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Service Provider Contractor And Third Party Contracts Guide](/artifacts/us/california-consumer-privacy-act/service-provider-contractor-and-third-party-contracts.md): US CCPA guidance for Service Provider Contractor And Third Party Contracts, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Service Provider Contractor Contracts Guide](/artifacts/us/california-consumer-privacy-act/service-provider-contractor-contracts.md): US CCPA guidance for Service Provider Contractor Contracts, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA Thresholds Guide](/artifacts/us/california-consumer-privacy-act/thresholds.md): US CCPA guidance for Thresholds, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA vs CPRA Guide](/artifacts/us/california-consumer-privacy-act/ccpa-vs-cpra.md): US CCPA guidance for CCPA vs CPRA, with practical decisions, evidence, edge cases, and external source citations. - [US CCPA vs GDPR Guide](/artifacts/us/california-consumer-privacy-act/ccpa-vs-gdpr.md): US CCPA guidance for CCPA vs GDPR, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about consumer request verification under the CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dsar-verification.md): US CCPA guidance for consumer request verification, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Dark Patterns under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dark-patterns.md): US CCPA guidance for Dark Patterns, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Data Broker Crossover under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/data-broker-crossover.md): US CCPA guidance for Data Broker Crossover, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Do not sell or share under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/do-not-sell-or-share.md): US CCPA guidance for Do not sell or share, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Financial Incentives under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/financial-incentives.md): US CCPA guidance for Financial Incentives, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Minors under the California CCPA?](/artifacts/us/california-consumer-privacy-act/faq/minors.md): US CCPA guidance for Minors, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Notice at collection under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/notice-at-collection.md): US CCPA guidance for Notice at collection, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Personal And Sensitive Pi Categories under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/personal-and-sensitive-pi-categories.md): US CCPA guidance for Personal And Sensitive Pi Categories, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Privacy Policy under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/privacy-policy.md): US CCPA guidance for Privacy Policy, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Risk And Cyber Audits under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/risk-and-cyber-audits.md): US CCPA guidance for Risk And Cyber Audits, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Service Provider And Contractor Contracts under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/service-provider-and-contractor-contracts.md): US CCPA guidance for Service Provider And Contractor Contracts, with practical decisions, evidence, edge cases, and external source citations. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/us/california-consumer-privacy-act/do-not-sell-or-share