What changed when CPRA amended CCPA
California's original Consumer Privacy Act (CCPA) gave consumers the right to opt out of the sale of their personal information. The California Privacy Rights Act (CPRA), which became fully effective January 1, 2023, extended that right to cover sharing — specifically, sharing personal information with third parties for cross-context behavioral advertising, regardless of whether money changes hands.
This is a meaningful expansion. Under the original CCPA, many ad-tech platforms argued they didn't technically "sell" data because no money moved between parties. CPRA closed that loophole. If you run retargeting ads, use programmatic advertising platforms, or share user data with ad networks for audience targeting, you are now required to offer consumers an opt-out of that sharing — even if you're not directly paid for the data.
The result: virtually every consumer-facing SaaS, mobile app, or e-commerce site that uses Google Ads, Meta Pixel, or similar ad-tech now needs a compliant opt-out mechanism.
Who actually needs a Do Not Sell or Share page?
CCPA applies to for-profit businesses that collect personal information from California residents and meet any one of these thresholds:
- Annual gross revenue exceeding $25 million;
- Buy, sell, or share the personal information of 100,000 or more consumers or households per year; or
- Derive 50% or more of annual revenue from selling or sharing consumers' personal information.
If you're a pure B2B SaaS with no consumer-facing product, you likely don't hit these thresholds early. But if you serve individual consumers — even in a freemium tier — and you use any third-party analytics, advertising, or data enrichment tools, you probably do. When in doubt, build the page. The cost is trivial; the regulatory exposure of not having one is not.
Important: even if you don't currently sell or share PI, you can still publish a "Do Not Sell or Share" page that simply discloses you don't do this. Regulators appreciate the transparency, and your privacy policy becomes more complete.
What "selling" and "sharing" mean under CCPA/CPRA
The California Civil Code definitions are worth understanding precisely:
- Sell (§ 1798.140(ad)(1)): disclosing or making available personal information to a third party in exchange for monetary or other valuable consideration. "Other valuable consideration" has been interpreted broadly — data-for-services arrangements, reciprocal data exchanges, and loyalty program data trades have all been captured.
- Share (§ 1798.140(ah)): disclosing, making available, or transferring personal information to a third party for the purpose of cross-context behavioral advertising, whether or not money changes hands. Cross-context behavioral advertising means targeting ads based on personal information obtained from a consumer's activity across businesses, distinctly branded websites, or services.
The practical implication: if you use Google Analytics 4 with advertising features enabled, Facebook Pixel, LinkedIn Insight Tag, TikTok Pixel, or any similar tool that observes user behaviour on your site and feeds it into a cross-site advertising profile, you are sharing personal information under CCPA/CPRA. You need an opt-out mechanism.
The Notice at Collection requirement
Before we get to the opt-out page, understand that CPRA also added a separate "Notice at Collection" requirement. At or before the time you collect personal information, you must provide a notice that states:
- The categories of personal information you collect;
- The purposes for which each category is collected or used;
- Whether each category is sold or shared, and a link to the opt-out;
- How long each category is retained (or the criteria used to determine retention);
- If you collect sensitive personal information, its purpose and whether the consumer can limit its use.
This Notice at Collection is distinct from your full privacy policy. It's the short disclosure you put on signup forms, checkout pages, and anywhere you first collect data. It typically appears as a small notice near the form: "We collect [categories] for [purposes]. Do not sell or share my personal information."
What your Do Not Sell or Share page must include
California law and CPPA regulations are fairly specific about what the opt-out mechanism must contain. Here's the checklist:
1. Clear identification of the right
The page must be titled, and the link pointing to it must read, "Do Not Sell or Share My Personal Information" — that's the specific statutory phrase. You can't substitute "Opt Out of Data Sharing" or "Privacy Preferences" as the standalone entry point, though you can use those phrases on the page itself. The CPPA has been clear that the prescribed language must appear in the footer link and on the page heading.
2. Description of what you sell or share
The page should state clearly whether you currently sell or share personal information, and if so:
- Which categories of PI are sold or shared;
- Which categories of third parties receive the PI;
- The purposes for which they receive it.
If you don't currently sell or share, state that clearly too. Don't just leave the page vague — the CPPA expects transparency in both directions.
3. The opt-out mechanism itself
The opt-out must be easy to submit. Acceptable formats include:
- A simple web form requesting the consumer's name and email (or other identifiers sufficient to verify identity);
- A preference centre where the consumer can toggle opt-out;
- A button that triggers an immediate opt-out signal.
You cannot require consumers to create an account, pay a fee, or navigate a burdensome verification process to opt out. Verification must be "reasonably designed to verify" identity without creating excessive friction.
4. Global Privacy Control (GPC) recognition
The CPPA's regulations (§7025(c)) require that businesses treat the GPC browser signal as an opt-out request for the sale and sharing of personal information. The GPC is a browser setting (built into Firefox and Brave, and available as a browser extension) that sends a machine-readable opt-out signal to every site the user visits.
If you honor GPC — and you must under CPRA — your Do Not Sell or Share page should state this: "We recognize the Global Privacy Control (GPC) browser signal as an opt-out request for the sale and sharing of your personal information." This is both a legal requirement and a trust signal worth advertising.
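The following is an added example, not code from the original article or from ComplyKit, showing one way a site can honour the GPC signal server-side: it reads the `Sec-GPC` request header defined by the GPC specification, records the opt-out alongside any preference submitted through the opt-out form, and withholds the ad-tech tags that would "share" personal information. The Express-style `req`/`res`/`next` shape, the tag list, and the `dns_opt_out` cookie name are assumptions for illustration.

```javascript
// Added example (not from the original article). Assumes an Express-style
// request object; header name and /.well-known/gpc.json shape follow the
// Global Privacy Control specification.

// Per the GPC spec the request header is "Sec-GPC" and only the exact
// value "1" expresses an opt-out; any other value is treated as unset.
function gpcSignalled(headers) {
  const raw = headers['sec-gpc'] ?? headers['Sec-GPC'];
  if (Array.isArray(raw)) return raw.some((v) => v.trim() === '1');
  return typeof raw === 'string' && raw.trim() === '1';
}

// A request is "opted out of sale or sharing" if GPC is on, if the consumer
// previously opted out via the form (storedOptOut), or if an opt-out cookie
// is present. A missing GPC header never re-enables sharing.
function shareOptedOut({ headers = {}, storedOptOut = false, cookies = {} } = {}) {
  return gpcSignalled(headers) || storedOptOut === true || cookies.dns_opt_out === '1';
}

// Constructed tag inventory: tags flagged shares=true feed cross-context
// behavioural advertising and must not load for an opted-out consumer.
const TAGS = [
  { id: 'first-party-analytics', shares: false },
  { id: 'meta-pixel', shares: true },
  { id: 'google-ads-remarketing', shares: true },
];

function tagsToEmit(optedOut) {
  return TAGS.filter((t) => !(optedOut && t.shares)).map((t) => t.id);
}

// Hypothetical Express-style middleware: decides once per request and
// exposes the allowed tag list to the template layer via res.locals.
function gpcMiddleware(req, res, next) {
  req.shareOptedOut = shareOptedOut({ headers: req.headers, cookies: req.cookies ?? {} });
  res.locals = res.locals ?? {};
  res.locals.tags = tagsToEmit(req.shareOptedOut);
  next();
}

// Body for /.well-known/gpc.json, the resource the GPC spec uses so a site
// can declare that it honours the signal; lastUpdate is an ISO date string.
function gpcWellKnown(lastUpdate = '2024-01-01') {
  return { gpc: true, lastUpdate };
}
```

The browser-side counterpart is `navigator.globalPrivacyControl`, which the same specification exposes to page scripts; a tag manager can consult it before firing any tag flagged as sharing.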
5. Processing timeline and confirmation
After a consumer submits an opt-out request, you must act on it within 15 business days (§1798.135(b)). You must also direct all third parties to whom you sold or shared the consumer's PI within the preceding 90 days to stop using it (unless this would require disproportionate effort). Inform the consumer of both timelines in your confirmation.
6. Authorized agent disclosure
Consumers can designate an authorized agent — another person or entity — to submit opt-out requests on their behalf. Your page must acknowledge this. You can require the authorized agent to provide signed written permission from the consumer, and you can verify the consumer's identity directly, but you cannot require the consumer to verify their identity again if the agent has provided sufficient documentation.
7. Non-discrimination statement
CCPA prohibits discriminating against consumers who exercise their privacy rights. You cannot deny service, charge different prices, or provide a different level of service because a consumer opted out of the sale or sharing of their PI (with limited exceptions for financial incentive programs that are reasonably related to the value of the data). State this clearly on the page.
The footer link requirement
Under CCPA, the link to your opt-out page must appear in a "clear and conspicuous place" — specifically, in your website's footer. The CPPA has been firm that burying it in a nested preferences menu doesn't satisfy this requirement. The footer link must use the prescribed title: "Do Not Sell or Share My Personal Information."
Some businesses add an optional second link: "Limit the Use of My Sensitive Personal Information" — this is required if you use sensitive PI (as defined by CPRA) for purposes beyond the essential ones. For most SaaS companies, this won't be relevant unless you collect health data, precise geolocation, or biometric data.
Sensitive personal information (SPI) — extra obligations
CPRA created a new category of Sensitive Personal Information that includes:
- Government ID numbers (SSN, passport, driver's licence);
- Financial account login credentials;
- Precise geolocation (within 1,852 metres);
- Racial or ethnic origin, religious beliefs, union membership;
- Mail, email, or text message contents (unless directed to your business);
- Genetic data, biometric data processed for unique identification;
- Health or sex life / sexual orientation data.
If you collect SPI, consumers have the right to limit your use of it to purposes necessary to provide the service. You're required to provide a separate "Limit the Use of My Sensitive Personal Information" link. Most SaaS platforms don't touch SPI — but if your product involves healthcare, financial services, or identity verification, review this carefully.
The California Delete Act (SB 362) — data broker obligations
California's Delete Act (SB 362) created additional obligations for data brokers specifically. If your business qualifies as a data broker under CPPA's definition — meaning you sell or share personal information about consumers with whom you have no direct business relationship — you must:
- Register with the CPPA's data broker registry annually;
- By January 1, 2026, participate in a centralized CPPA-operated deletion mechanism that allows consumers to submit a single deletion request that applies to all registered data brokers.
This is separate from the per-company opt-out mechanism. If you're a data broker, you need both.
Common mistakes to avoid
- Using a cookie consent banner as a substitute. A cookie banner controls cookie placement on the current device. An opt-out of sale or sharing applies to all PI you hold about the consumer — across all interactions, not just browser cookies. They're complementary mechanisms, not substitutes.
- Hiding the link in a legal page sub-menu. The footer link must be prominent and direct. A link that requires three clicks to find will not satisfy the CPPA.
- Requiring account login to opt out. Consumers who've never created accounts may still be known to you via ad-tech identifiers. You must let them opt out without creating an account.
- Not honouring GPC. The CPPA has signalled this as an enforcement priority. If your website doesn't process GPC signals, you are non-compliant.
- Failing to cascade opt-outs to third parties. When a consumer opts out, you must notify the third parties you sold or shared their data with in the preceding 90 days and direct them to stop using it.
Build your CCPA compliance pack
ComplyKit's CCPA / CPRA Compliance Pack Generator generates all three required documents in one go: the Notice at Collection, the full "Do Not Sell or Share" opt-out page (with a live opt-out form template), and the California Consumer Privacy Rights summary you can embed in your privacy policy.
You'll also want a complete Privacy Policy that incorporates your California disclosures, and a Cookie Policy that aligns with your consent management setup.