"Do Not Sell My Personal Information": What It Means and How to Comply
What Does "Do Not Sell My Personal Information" Mean?
If you've browsed a website recently, you've likely seen a link in the footer that reads "Do Not Sell My Personal Information" or "Do Not Sell or Share My Personal Information." This phrase comes directly from the California Consumer Privacy Act (CCPA), which requires businesses that sell personal information to provide consumers with a clear, conspicuous opt-out mechanism.
Since the CCPA was enacted in 2020, the concept has spread far beyond California. Over 20 US states now have comprehensive privacy laws, and most of them include some form of opt-out right covering the sale of personal data — and increasingly, targeted advertising and profiling as well.
Which States Require a "Do Not Sell" Opt-Out?
While the specific language varies, the following states require businesses to offer consumers the ability to opt out of the sale of their personal information:
- California (CCPA/CPRA) — the original "Do Not Sell My Personal Information" requirement, expanded by the CPRA to include "sharing" for cross-context behavioral advertising
- Virginia (VCDPA) — opt-out rights for sale, targeted advertising, and profiling
- Colorado (CPA) — opt-out for sale, targeted advertising, and profiling; requires honoring universal opt-out mechanisms
- Connecticut (CTDPA) — opt-out for sale, targeted advertising, and profiling; requires honoring universal opt-out signals
- Texas (TDPSA) — opt-out for sale and targeted advertising
- Oregon (OCPA) — opt-out for sale and targeted advertising; recognizes universal opt-out
- Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Maryland, Minnesota, Rhode Island, Kentucky, Indiana — all include opt-out rights for the sale of personal data
Use our privacy law calculator to determine which of these laws apply to your business based on your revenue, consumer count, and data practices.
What Counts as a "Sale" of Personal Information?
The definition of "sale" under state privacy laws is broader than you might expect. It generally means making personal information available to a third party in exchange for monetary or other valuable consideration. This includes:
- Sharing data with ad networks — if you use third-party advertising cookies or pixels that transmit user data to ad platforms, that may qualify as a "sale"
- Data broker transfers — selling or licensing consumer data to data aggregators
- Analytics sharing — providing user-level data to analytics providers who use it for their own purposes
- Cross-context behavioral advertising — under California's CPRA, "sharing" personal data for targeted advertising is treated the same as "selling"
Common exemptions include sharing data with service providers who process it solely on your behalf (under a written contract), disclosures required by law, and transfers as part of a merger or acquisition.
How to Implement "Do Not Sell" Compliance
Step 1: Add a Clear Opt-Out Link
California law specifically requires a "Do Not Sell or Share My Personal Information" link on your website homepage. Best practices include placing the link in your website footer where it is easily visible, using the exact or substantially similar language from the applicable state law, making the link functional (not just decorative), and ensuring it is available without requiring the user to create an account or log in.
Step 2: Honor Global Privacy Control (GPC) Signals
At least 12 states now require businesses to recognize universal opt-out mechanisms like Global Privacy Control (GPC). When a user's browser sends a GPC signal (the Sec-GPC: 1 HTTP header), your website must treat it as a valid opt-out request. This means suppressing third-party tracking cookies and pixels, stopping the transmission of user data to advertising partners, and recording the opt-out preference for that user.
Check your GPC obligations with our GPC Compliance Checker.
Step 3: Build an Opt-Out Mechanism That Works
When a consumer submits an opt-out request — whether via your link or through GPC — you must process the request within 15 business days (California standard), stop selling or sharing their personal information going forward, notify any third parties you've sold their data to in the prior 90 days, and not ask the consumer to re-submit or verify their identity (opt-out requests should not require ID verification under most state laws).
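As an added illustration of Steps 2 and 3 (not code from PrivacyLawMap or any regulator), the Node.js sketch below treats Sec-GPC: 1 as an opt-out, records it server-side, and leaves third-party tags out of the page for opted-out users. The store, the "optout" cookie name, req.accountId and the ads.example URL are assumptions made for the example.

```javascript
// Added example; optOutStore, the "optout" cookie and ads.example are hypothetical names.
const optOutStore = new Map(); // stands in for a durable server-side table keyed by account ID

// Node lower-cases header names; only the exact value "1" is a GPC opt-out signal.
function hasGpcSignal(headers) {
  return String(headers['sec-gpc'] ?? '').trim() === '1';
}

function parseCookies(header = '') {
  return Object.fromEntries(
    header.split(';').map(p => p.trim()).filter(Boolean).map(p => {
      const i = p.indexOf('=');
      return i < 0 ? [p, ''] : [p.slice(0, i), p.slice(i + 1)];
    })
  );
}

// Decide per request whether third-party ad/tracking tags may be emitted.
function privacyDecision(req, now = new Date()) {
  const cookies = parseCookies(req.headers.cookie);
  const gpc = hasGpcSignal(req.headers);
  const stored = req.accountId ? optOutStore.get(req.accountId) : undefined;
  const optedOut = gpc || cookies.optout === '1' || Boolean(stored);
  // Persist server-side so clearing cookies does not reset a known user's choice.
  if (optedOut && req.accountId && !stored) {
    optOutStore.set(req.accountId, {
      source: gpc ? 'gpc' : 'cookie',
      recordedAt: now.toISOString(),
    });
  }
  const needsCookie = optedOut && cookies.optout !== '1';
  return {
    optedOut,
    allowThirdPartyTags: !optedOut,
    setCookie: needsCookie ? 'optout=1; Path=/; Max-Age=31536000; Secure; SameSite=Lax' : null,
  };
}

// The tag is never written into the page for opted-out users, so nothing is sent downstream.
function renderPage(req) {
  const decision = privacyDecision(req);
  const adTag = decision.allowThirdPartyTags
    ? '<script src="https://ads.example/pixel.js"></script>'
    : '';
  return { decision, html: `<html><body><h1>Home</h1>${adTag}</body></html>` };
}
```

The decision is made before any markup is generated, which is what keeps the recorded preference and the actual data flow from drifting apart.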
Step 4: Update Your Privacy Policy
Your privacy policy must disclose whether you sell personal information, the categories of personal information sold, the categories of third parties to whom you sell, and how consumers can exercise their opt-out rights (including mention of GPC). California requires that you list these disclosures in a specific format and update them at least annually.
Step 5: Avoid Dark Patterns
Regulators have made dark patterns a top enforcement priority. Practices that violate opt-out requirements include requiring multiple clicks or confirmation steps to opt out when opting in takes a single click, using confusing toggle labels (like "Do Not Do Not Sell" double negatives), requiring consumers to provide email verification before processing opt-out requests (Ford was fined $375K for this exact practice), and using manipulative language that discourages opt-outs.
Common Compliance Mistakes
- Missing the link entirely — some businesses simply don't include the required "Do Not Sell" link on their homepage. This is the most basic violation and the easiest to detect.
- Ignoring GPC signals — the multi-state GPC enforcement sweep specifically targeted businesses that failed to honor GPC. If your website doesn't detect and respond to the Sec-GPC header, you are at risk.
- Treating it as California-only — with 20+ states now having opt-out rights, a California-only approach leaves you exposed in other jurisdictions. The safest strategy is to offer opt-out rights to all US consumers.
- Not stopping data flows downstream — opting out means nothing if you continue transmitting data to third-party ad partners. You must actually suppress the data sharing, not just record the preference.
- Resetting preferences after cookie deletion — if a consumer opts out and then clears their cookies, you cannot treat them as a new consumer who hasn't opted out. Server-side opt-out records help solve this problem.
Enforcement Is Real — and Growing
Opt-out compliance is one of the most actively enforced areas of state privacy law. In 2026 alone, California's CPPA has issued over $4 million in fines in three enforcement actions, with opt-out violations featured in every case. Notable penalties include Disney ($2.75M), Ford ($375K), and PlayOn Sports ($1.1M) — all stemming from failures to properly implement "Do Not Sell" mechanisms.
See the full list of enforcement actions on our penalties tracker.
Multi-State Compliance Checklist
- Add a "Do Not Sell or Share My Personal Information" link to your website footer
- Implement GPC signal detection and honor it as a valid opt-out
- Audit all third-party data sharing and categorize what constitutes a "sale"
- Process opt-out requests within 15 business days
- Notify downstream data recipients of consumer opt-outs
- Update your privacy policy with required disclosures
- Test your opt-out mechanism quarterly to ensure it still works after site updates
- Maintain server-side opt-out records (don't rely solely on cookies)
- Train customer service staff on how to handle verbal or email opt-out requests
Use our state law comparison tool to see exactly which opt-out requirements apply in each state, and our California compliance checklist for a step-by-step guide to CCPA compliance.
Last updated: March 28, 2026.
Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.