Compliance Glossary

What is Do Not Sell?

Definition

Do Not Sell refers to the CCPA/CPRA requirement for businesses to provide a clear and conspicuous link titled "Do Not Sell or Share My Personal Information" on their website homepage. This mechanism enables California consumers to exercise their right to opt out of data sales and sharing.

In Depth

The "Do Not Sell or Share My Personal Information" link has become one of the most visible manifestations of CCPA compliance on the internet. Under CPRA, the link text was updated to include "sharing" in addition to "selling" to cover cross-context behavioral advertising. The link must be easily accessible, typically placed in the website footer alongside the privacy policy link. When clicked, it must lead to a simple mechanism for opting out that does not require the consumer to create an account. Businesses must also honor the Global Privacy Control (GPC) signal, a browser-based mechanism that communicates opt-out preferences automatically.

The definition of "sale" under CCPA is broad and includes any exchange of personal information for monetary or other valuable consideration. Many businesses were surprised to learn that common practices like sharing data with analytics providers, ad networks, or affiliate partners could constitute a "sale" under this definition. Organizations should conduct a thorough data sharing audit, classify each sharing relationship as a sale or non-sale, and implement technical controls to suppress data flows when consumers opt out.
