CCPA Opt-Out: How "Do Not Sell My Personal Information" Actually Works

LegalBanner

The Opt-Out Right

The California Consumer Privacy Act (CCPA), as amended by CPRA, gives California residents the right to opt out of the "sale" or "sharing" of their personal information. If your website collects data from California visitors — and if you use advertising cookies, analytics that share data with third parties, or any form of data monetisation — you likely need a "Do Not Sell or Share My Personal Information" link.

What Counts as "Selling" Data?

Under CCPA, "selling" has a broad definition. It includes any disclosure of personal information to a third party for monetary or other valuable consideration. This means:

  • Running Google Ads with remarketing — you're sharing user data with Google in exchange for ad targeting capabilities. That's a "sale" under CCPA.
  • Using Facebook Pixel — user browsing data is sent to Meta for ad targeting. Also a "sale."
  • Ad networks and data brokers — any third party that receives your users' data and provides value in return.

The CPRA amendment added "sharing" as a separate concept, covering cross-context behavioural advertising even without monetary exchange. If you use retargeting, you're almost certainly "sharing" under CCPA.

Who Needs to Comply?

CCPA applies to businesses that meet any one of these thresholds:

  • Annual gross revenue over $25 million
  • Buy, sell, or share personal information of 100,000+ California consumers/households per year
  • Derive 50%+ of annual revenue from selling/sharing personal information

Even if you're below these thresholds, implementing the opt-out link is a low-cost, high-trust best practice.

How to Implement the Opt-Out

  1. Add a "Do Not Sell or Share My Personal Information" link in your website footer, visible on every page
  2. When clicked, it must immediately stop the sale/sharing of that user's personal information, or open a page where they can make that choice
  3. You cannot require account creation to process the opt-out request
  4. You must honour the request within 15 business days
  5. You cannot retaliate by degrading service quality, charging different prices, or limiting functionality

Global Privacy Control (GPC)

CCPA also requires that you honour Global Privacy Control signals. GPC is a browser-level setting that automatically tells websites the user opts out of data sales. Browsers like Firefox, Brave, and DuckDuckGo support GPC natively.

If you receive a GPC signal from a California visitor, you must treat it as a valid opt-out request. Ignoring GPC signals is a CCPA violation.
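As an added example (not LegalBanner's code), the sketch below shows one way a server could treat a GPC signal and a footer-link opt-out as the same decision and withhold advertising scripts. The `Sec-GPC: 1` request header comes from the GPC specification; the cookie name, region codes, script categories and the choice to treat an unknown region as California are assumptions made for illustration.

```javascript
// Added example. Cookie name, region codes and script categories are assumptions.
const OPT_OUT_COOKIE = 'ccpa_optout';            // hypothetical cookie set by the footer link
const BLOCKED_ON_OPT_OUT = new Set(['marketing', 'advertising']);

// Read a header case-insensitively from a plain { name: value } object.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]).trim();
}

// Decide whether this request carries a valid opt-out, and where it came from.
function resolveOptOut({ headers = {}, cookies = {}, region = null }) {
  if (cookies[OPT_OUT_COOKIE] === '1') return { optedOut: true, source: 'link' };
  const gpc = header(headers, 'sec-gpc') === '1'; // GPC request header: "Sec-GPC: 1"
  // Geo-IP can fail; an unknown region is treated like California (fail closed).
  const californian = region === 'US-CA' || region === null;
  if (gpc && californian) return { optedOut: true, source: 'gpc' };
  return { optedOut: false, source: null };
}

// Drop marketing/advertising tags from the list that will be rendered.
function scriptsToLoad(scripts, decision) {
  if (!decision.optedOut) return scripts;
  return scripts.filter((s) => !BLOCKED_ON_OPT_OUT.has(s.category));
}

// Compliance record: store the decision and its source, not the visitor's data.
function auditRecord(decision, now = new Date()) {
  return { at: now.toISOString(), optedOut: decision.optedOut, source: decision.source };
}

// Constructed sample input.
const SAMPLE_SCRIPTS = [
  { src: '/js/app.js', category: 'essential' },
  { src: '/js/remarketing.js', category: 'advertising' },
  { src: '/js/pixel.js', category: 'marketing' },
];
const sampleDecision = resolveOptOut({ headers: { 'Sec-GPC': '1' }, region: 'US-CA' });
console.log(auditRecord(sampleDecision), scriptsToLoad(SAMPLE_SCRIPTS, sampleDecision));
```

Making the decision before the page is rendered means the advertising tags are never sent to the browser, rather than being loaded and then switched off.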

How LegalBanner Handles CCPA

LegalBanner detects California visitors automatically (via geo-IP) and displays the appropriate CCPA-compliant interface:

  • The "Do Not Sell or Share" link is displayed in the banner and footer
  • GPC signals are automatically detected and honoured
  • When a user opts out, marketing and advertising scripts are immediately disabled
  • Opt-out decisions are logged for compliance records

No separate CCPA plugin needed. LegalBanner handles both GDPR and CCPA from the same script tag.
