CCPA/CPRA
Privacy

Opt-Out & Do Not Sell/Share Policy Template

Procedures for honoring consumer opt-out requests from sale and sharing of personal information under CCPA/CPRA.

What This Policy Covers

Purpose and Scope-Policy objectives and definition of sale/sharing.
Opt-Out Signal Recognition-Global Privacy Control (GPC) and other opt-out signals.
Opt-Out Request Fulfillment-15-business-day fulfillment requirement.
Downstream Third-Party Notification-Notifying recipients of personal information sold/shared prior to opt-out.
Re-Opt-In Process-12-month waiting period and voluntary re-opt-in procedures.
Financial Incentive Programs-Disclosures and limitations for loyalty/incentive programs.
Record Keeping-Opt-out request records and retention requirements.

Required Sections

A compliant Opt-Out & Do Not Sell/Share Policy for CCPA/CPRA must include the following7 sections. Each section addresses a specific control requirement that auditors will review.

1

Purpose and Scope

Policy objectives and definition of sale/sharing.

2

Opt-Out Signal Recognition

Global Privacy Control (GPC) and other opt-out signals.

3

Opt-Out Request Fulfillment

15-business-day fulfillment requirement.

4

Downstream Third-Party Notification

Notifying recipients of personal information sold/shared prior to opt-out.

5

Re-Opt-In Process

12-month waiting period and voluntary re-opt-in procedures.

6

Financial Incentive Programs

Disclosures and limitations for loyalty/incentive programs.

7

Record Keeping

Opt-out request records and retention requirements.

Generate a Customized Version

This template shows the required structure. PoliWriter generates a fully customized Opt-Out & Do Not Sell/Share Policy that references your actual cloud providers, identity systems, tools, and team practices — ready for auditor review.

Generate Customized Opt-Out & Do Not Sell/Share Policy

Policy Details

Framework
CCPA/CPRA
Category

Privacy

Sections

7 total (7 required)

Generate with AI

Other CCPA/CPRA Templates

Privacy Notice / Privacy Policy

Consumer-facing privacy notice disclosing data collection, use, sharing practices, and consumer rights under CCPA/CPRA.

Consumer Rights Procedures

Internal procedures for handling consumer rights requests including access, deletion, correction, opt-out, and portability.

Data Inventory & Mapping Policy

Policy for maintaining an inventory of personal information collected, used, shared, and deleted across the organization.

Data Retention & Deletion Policy

Retention schedules and secure deletion procedures for personal information under CCPA/CPRA data minimization principles.

Vendor & Service Provider Contracts Policy

Requirements for data processing agreements and service provider contracts to comply with CCPA/CPRA third-party requirements.

Security Practices Policy

Reasonable security measures required to protect personal information and avoid CCPA private right of action for data breaches.

Employee Privacy Training Policy

Training requirements for employees who handle consumer personal information or process consumer rights requests.

Back to all templates