
CCPA Opt-Out Requirements: Sale, Sharing, and GPC Compliance

The right to opt out of the sale and sharing of personal information is one of the most visible CCPA requirements. Understanding opt-out obligations is essential for businesses engaged in advertising, data partnerships, or any form of data monetization.

Key Takeaways

| Point | Summary |
|---|---|
| Core requirement | "Do Not Sell or Share My Personal Information" link on homepage |
| What triggers it | Any sale or sharing of personal information |
| GPC requirement | Must honor Global Privacy Control signals as valid opt-out |
| Re-authorization | 12 months before asking consumer to opt back in |
| No account required | Opt-out must work without requiring user login |

Quick Answer: Businesses that sell or share personal information must provide a clear "Do Not Sell or Share My Personal Information" link on their homepage, honor opt-out requests immediately, recognize Global Privacy Control signals, and wait 12 months before requesting re-authorization.

What is "Sale" Under CCPA?

The CCPA defines "sale" broadly as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information for monetary or other valuable consideration.

| Activity | Considered Sale? |
|---|---|
| Exchanging data for money | Yes |
| Trading data for services | Yes (other valuable consideration) |
| Sharing data for discounted services | Yes |
| Disclosing to service provider under contract | No |
| Disclosing at consumer's direction | No |
| Disclosing as part of business merger/acquisition | No |

Common Sale Scenarios

| Scenario | Sale? | Explanation |
|---|---|---|
| Third-party advertising pixels | Often yes | May involve data transfer for value |
| Data broker relationships | Yes | Classic sale arrangement |
| Affiliate marketing data sharing | Likely yes | Data transferred for commission value |
| Service provider processing | No | If proper contract in place |
| Customer referrals at customer request | No | Consumer-directed disclosure |

What is "Sharing" Under CCPA?

The CPRA added "sharing" as a distinct category, defined as making personal information available for cross-context behavioral advertising.

| Activity | Considered Sharing? |
|---|---|
| Third-party behavioral advertising | Yes |
| Retargeting campaigns | Yes |
| Advertising cookies/pixels | Yes |
| Contextual advertising (same session) | No |
| First-party analytics | No |
| Service provider processing | No |

Sharing vs. Sale

| Aspect | Sale | Sharing |
|---|---|---|
| Consideration | Monetary or other value | No consideration required |
| Purpose | Any purpose | Cross-context behavioral advertising |
| Third-party advertising | May be sale | Always sharing |
| Contract exception | Service provider exception applies | Service provider exception applies |

Opt-Out Link Requirements

Homepage Link

| Requirement | Details |
|---|---|
| Text | "Do Not Sell or Share My Personal Information" |
| Location | Homepage (visible without scrolling if possible) |
| Functionality | Must actually process opt-out |
| No account required | Cannot require login to use |

Privacy Policy Link

| Requirement | Details |
|---|---|
| Disclosure | Explain sale/sharing practices |
| Consumer right | Describe opt-out right |
| Link | Include opt-out link in privacy policy |
| Instructions | Explain how to exercise right |

Alternative Combined Link

Businesses may use a single link covering multiple rights. This is particularly relevant if you collect sensitive personal information:

| Combined Option | Acceptable Text |
|---|---|
| Opt-out + SPI limit | "Your Privacy Choices" or "Your California Privacy Rights" |
| Single link | "Do Not Sell or Share My Personal Information/Limit Use of Sensitive Personal Information" |

Design Requirements

The opt-out mechanism must be:

| Requirement | Details |
|---|---|
| Easy to use | Simple, clear, minimal steps |
| No dark patterns | Cannot use confusing design to discourage use |
| Symmetry | Opting out should not be harder than opting in |
| Immediate effect | Must process without unreasonable delay |

Global Privacy Control (GPC)

What is GPC?

| Aspect | Details |
|---|---|
| Definition | Browser or device signal indicating opt-out preference |
| Technical mechanism | HTTP header and JavaScript API |
| Legal status | Businesses must honor as valid opt-out under CCPA |
| User experience | Automatic, no per-site interaction needed |

GPC Compliance Requirements

| Requirement | Details |
|---|---|
| Detection | Must detect GPC signals |
| Recognition | Treat GPC as valid opt-out request |
| Effect | Stop sale/sharing for that consumer |
| Scope | Applies to browser/device sending the signal |
| Disclosure | Privacy policy must explain GPC handling |

GPC Technical Implementation

| Implementation | Details |
|---|---|
| HTTP header | `Sec-GPC: 1` |
| JavaScript API | `navigator.globalPrivacyControl` |
| Detection | Check for either signal |
| Response | Honor as opt-out for sale/sharing |

GPC Scope and Limitations

| Consideration | Details |
|---|---|
| Device-level | GPC applies to the browser/device, not user account |
| Cross-device | May not automatically apply across devices |
| Account linking | Business may associate GPC with logged-in account |
| Verification | No identity verification required for GPC |

Handling Opt-Out Requests

Processing Steps

| Step | Action |
|---|---|
| 1. Receive request | Detect opt-out link click or GPC signal |
| 2. Apply immediately | Stop sale/sharing without delay |
| 3. No verification | Identity verification not required |
| 4. Confirm | Provide confirmation (for link-based opt-outs) |
| 5. Record | Document the opt-out for compliance |
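
The GPC detection and processing steps above, sketched as server-side request handling. This is an added example, not code from the original page; the function names, the `/privacy/opt-out` path and the first-party `deviceId` are assumptions made for illustration.

```javascript
// Added example: names below (gpcFromHeaders, handleRequest, deviceId, ...) are hypothetical.

// Server side: only the exact header value "1" expresses the GPC preference.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Browser side: navigator.globalPrivacyControl is true when the signal is on.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Step 5 (record): ledger keyed by a first-party device id, so no login is needed.
const optOutLedger = new Map();

function recordOptOut(deviceId, source, now) {
  const prior = optOutLedger.get(deviceId);
  const entry = { source, firstSeen: prior ? prior.firstSeen : now, lastSeen: now };
  optOutLedger.set(deviceId, entry);
  return entry;
}

// Steps 1-4: detect, apply on this same response, skip identity checks, confirm link clicks.
function handleRequest(req, now = new Date()) {
  const viaGpc = gpcFromHeaders(req.headers);
  const viaLink = req.path === "/privacy/opt-out"; // assumed target of the homepage link
  if (viaGpc || viaLink) recordOptOut(req.deviceId, viaGpc ? "gpc" : "link", now);
  // Design choice in this sketch: a recorded opt-out persists for the device
  // even if a later request arrives without the header.
  const optedOut = optOutLedger.has(req.deviceId);
  return { optedOut, loadThirdPartyAdTags: !optedOut, showConfirmation: viaLink };
}

// Constructed sample requests (not real traffic).
const samples = [
  { deviceId: "dev-a", path: "/", headers: { "Sec-GPC": "1" } },
  { deviceId: "dev-b", path: "/", headers: { "sec-gpc": "0" } },
  { deviceId: "dev-c", path: "/privacy/opt-out", headers: {} },
  { deviceId: "dev-c", path: "/products", headers: {} }, // later visit, still opted out
];
for (const r of samples) console.log(r.deviceId, r.path, JSON.stringify(handleRequest(r)));
```

The `lastSeen` timestamp kept in each ledger entry is the value a 12-month re-authorization check would be measured from.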

What Must Stop

| Activity | Action Required |
|---|---|
| Third-party data sharing | Cease immediately |
| Advertising pixels | Disable or configure for opted-out users |
| Data broker transfers | Stop including opted-out consumers |
| Behavioral advertising | Stop cross-context targeting |

Service Provider Instructions

| Requirement | Details |
|---|---|
| Notification | Inform service providers of opt-out |
| Contractual | Ensure contracts require honoring opt-outs |
| Monitoring | Verify compliance |

Re-Authorization Rules

12-Month Waiting Period

| Requirement | Details |
|---|---|
| Minimum wait | 12 months after opt-out |
| Exceptions | Consumer-initiated contact only |
| Request | May request authorization to sell/share |
| Consent | Must be affirmative, not assumed |

Permissible Re-Authorization Request

| Element | Requirement |
|---|---|
| Timing | After 12 months |
| Disclosure | Clear explanation of what authorization means |
| Voluntary | Cannot condition service on authorization |
| Easy decline | Declining must be as easy as authorizing |

Minors and Opt-In Requirements

The CCPA flips the default for minors, requiring opt-in consent.

Consumers Under 16

| Age Group | Requirement |
|---|---|
| Under 13 | Parent/guardian must affirmatively authorize |
| 13-15 | Consumer must affirmatively opt in |
| 16+ | Standard opt-out model applies |

Enhanced Penalties for Minors

For more details on penalties, see CCPA penalties and fines.

| Violation | Penalty |
|---|---|
| Standard violation | $2,663 per violation |
| Violation involving known minor | $7,988 per violation |

Common Opt-Out Challenges

Challenge: Identifying California Consumers

| Approach | Considerations |
|---|---|
| IP geolocation | Reasonable approximation |
| Self-identification | Rely on consumer statement |
| Billing/shipping address | If available |
| Universal application | Apply opt-out to all (simplest) |

Challenge: Third-Party Advertising Integration

| Step | Action |
|---|---|
| 1 | Inventory all advertising pixels and SDKs |
| 2 | Identify which involve sale/sharing |
| 3 | Implement consent/opt-out logic |
| 4 | Configure for GPC detection |
| 5 | Test opt-out functionality |

Challenge: Cross-Device Opt-Out

| Approach | Details |
|---|---|
| Account-based | Associate opt-out with logged-in account |
| Device-based | Apply per device (minimum required) |
| Communication | Inform consumers about scope |

Enforcement Focus Areas

Recent California Attorney General and CPPA enforcement has emphasized:

| Focus Area | Common Violations |
|---|---|
| GPC compliance | Failing to honor GPC signals |
| Link visibility | Opt-out link not prominent enough |
| Dark patterns | Confusing interfaces discouraging opt-out |
| Effective processing | Opt-out not actually stopping data transfers |

Notable Enforcement Actions

| Company | Issue | Penalty |
|---|---|---|
| Sephora (2022) | Failed to honor GPC signals, inadequate opt-out | $1.2 million |
| DoorDash (2024) | Data sharing without proper notice/opt-out | $375,000 |
| Multiple (2025 sweep) | GPC non-compliance investigations | Ongoing |

Implementation Checklist

  • Add "Do Not Sell or Share My Personal Information" link to homepage
  • Include opt-out link in privacy policy
  • Implement GPC signal detection
  • Configure advertising pixels/SDKs for opt-out
  • Create opt-out confirmation mechanism
  • Update service provider contracts
  • Implement 12-month re-authorization tracking
  • Add minor consent mechanisms if applicable
  • Test opt-out functionality end-to-end
  • Train staff on opt-out handling

How Bastion Helps

Implementing compliant opt-out mechanisms requires technical integration and ongoing monitoring.

| Challenge | How We Help |
|---|---|
| Opt-out link implementation | Design and deployment guidance |
| GPC compliance | Technical implementation and testing |
| Advertising integration | Pixel and SDK configuration |
| Dark pattern avoidance | UX review for compliance |
| Monitoring | Ongoing verification of opt-out effectiveness |
