US CCPA Do Not Sell Share Implementation

A compliant implementation has three parts. First, give consumers a clear opt-out method: businesses that sell or share personal information must post a "Do Not Sell or Share My Personal Information" link (or use an alternative opt-out mechanism that the regulations allow) so a consumer can exercise the right without friction. Second, detect and honor opt-out preference signals: the California Attorney General has confirmed that a Global Privacy Control signal must be honored by covered businesses as a valid consumer opt-out request, so the site must read that signal and treat it as an opt-out for that browser or device.

Third, make the opt-out actually take effect downstream. Once a consumer opts out, the business must stop selling or sharing that consumer's personal information, update its ad-tech tags and audience integrations so identifiers are no longer passed for sale or cross-context behavioral advertising, and notify third parties it previously sold or shared the data to. Disclose the right and the opt-out method in the privacy policy, and keep the design free of dark patterns that steer consumers away from opting out.

Decide first which surface the work touches: business-threshold status, notice at collection, privacy-policy disclosures, the opt-out link, GPC signal handling, service-provider and contractor restrictions, or enforcement exposure. For each item, name the exact trigger, the affected product or process, the required action, the owner, the evidence, and the escalation point so the decision is actionable rather than abstract.

Keep the California source, threshold calculation, notice text, consumer-right workflow, opt-out/GPC evidence, and service-provider contract record together so the CCPA decision can be reviewed later.

Ownership should sit with the team that can change notices, request intake, ad-tech settings, vendor contracts, data retention, or consumer-facing controls, with privacy/legal review for ambiguous cases.

Evidence should show threshold calculations, notice-at-collection placement, privacy-policy disclosures, rights request logs, opt-out/GPC handling, vendor restrictions, and enforcement-response readiness.

Most CCPA mistakes happen at the boundary between a business, service provider, contractor and third party, or between selling, sharing, financial incentives, minors, GPC, and data-broker obligations.

Apply this section before launching a collection point, ad-tech flow, rights workflow, vendor onboarding, financial incentive, minor-focused journey, or data-broker process.

Use a CCPA workflow that captures threshold status, data category, collection point, consumer right, opt-out or GPC trigger, vendor role, evidence, owner, and review date.

The output should be a threshold note, notice update, consumer request decision, opt-out/GPC record, vendor clause map, dark-pattern review, or enforcement evidence pack.