Adopting the “Do not sell or share my personal information” link as an opt-out request may seem straightforward, but it raises questions during implementation. It is a required opt-out method for businesses that must comply with the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020 to strengthen consumer privacy rights.
However, differing interpretations of the CCPA requirements leave website owners wondering whether their request process is actually compliant. In this article, I’ll cover how to implement the “Do not sell or share my personal information” link and the concrete compliance requirements behind it.
What does 'Do Not Sell My Personal Information' mean?
A “Do not sell or share my personal information” link (abbreviated “DNS link” in this article; it has nothing to do with the Domain Name System) is a CCPA requirement that obliges websites to let users opt out of the sale or sharing of their personal information with third parties. Under the CCPA, users have the right to opt out of the sale of their personal data, and they can exercise it via the DNS link or via Global Privacy Control (GPC), a browser signal discussed later in this article.
Under the CPRA amendments, “sharing” refers specifically to disclosing personal information to a third party for cross-context behavioral advertising (targeted advertising), whether or not money changes hands. When a user opts out, the business must act on the request as soon as feasibly possible and no later than 15 business days, and stop selling or sharing that user’s data.
CCPA/CPRA rules for "Do Not Sell My Information" links
To properly add “Do not sell” requests to your website and stay compliant, it’s important to first understand the basics of the CCPA and CPRA:
- Personal information definition: The California Privacy Protection Agency defines personal information as “data that identifies or is capable of being associated with a person or household.” It encompasses sensitive personal data, like social security numbers, but doesn’t include aggregated data. So, the DNS link only applies to the information covered under this definition.
- Consent under CCPA and CPRA: The CCPA differs from regulations such as the General Data Protection Regulation (GDPR), which require specific and freely given user consent before processing. The CCPA works on an opt-out model: you may collect and process personal information once you have given notice at collection, but you must honor opt-out requests. The main exception is consumers under 16, whose data may only be sold or shared with affirmative opt-in consent (from a parent or guardian for consumers under 13).
- Data selling and sharing: When the CPRA came into effect as an amendment to the CCPA, the “Do not sell my personal information” link was replaced with the “Do not sell or share my personal information” link. The reason is that personal information often flows to third parties without money changing hands, for example in exchange for advertising or analytics services, and the original “sell” wording left that exchange uncovered.
- Opt-out right exceptions: Under the CCPA, there are specific exceptions for when a business can refuse an opt-out request. For example, it applies when data sharing or selling is necessary for compliance or when the data is publicly available information. You can learn more about exceptions in the Civil Code section 1798.145.
If you’re unsure whether the CCPA applies to you or want to find out how to become compliant, check out our CCPA compliance guide.
How can businesses comply with the CCPA and “Do Not Sell” requests?
To comply with the CCPA and properly adopt “Do not sell” links, you need to create a separate page or popup that the link would lead to. There, you should explain to users how to opt out and provide options to opt out.
To stay compliant with CCPA “Do not sell” requests, follow these requirements:
- Make the “Do not sell or share my personal information” link easily accessible for all site visitors.
- Create two opt-out methods: the “Do not sell or share my personal information” page and another method of your choice. This can be a toll-free number or email address.
- You cannot request users to create an account in order to opt out according to the CCPA FAQ (B.3).
- Do not require users to verify their identity. Opt-out requests do not have to be verifiable; you may only ask for the information needed to complete the request, such as which account or email address the opt-out applies to.
- Honor opt-out requests for at least 12 months unless the user opts back in on their own. Only after that 12-month period may a business ask the user to opt in again.
- Provide training for processing opt-out requests to the team that will be responsible for it.
- Do not discriminate against users for exercising their rights. You may not provide higher pricing or block access to site visitors for opting out of data sharing or selling.
- Record and keep opt-out requests for at least 24 months, as required by the CCPA regulations (§ 999.317(b)).
- Act on the opt-out request as soon as feasibly possible and no later than 15 business days.
- Add the DNS link to your homepage and to every page that collects personal information. You can place it on a cookie banner or in the page footer. Describing the link and the opt-out right in the privacy policy is mandatory as well.
"Do Not Sell My Personal Information" link examples
There are many websites that offer “Do not sell or share my personal information” links but not all of them are user-friendly or compliant. Let’s take a look at a few compliant DNS links for inspiration.
Disney’s DNS link example
Disney has placed a “Do not sell or share my personal information” link on the footer of their website. As visible below, it doesn’t take you to a separate page but rather opens up a banner.
The opt out process is quick and user-friendly. All you have to do is untick the “Selling, Sharing, Targeted Advertising” section and press “Confirm my choices.” The user isn’t asked for any personal information that would disrupt their experience.
Wells Fargo DNS link example
Another great example is the Wells Fargo “Do not sell or share my personal information” link. It’s placed at the footer of the site and takes you to another page.
All you have to do is click “Manage cookies” and you get a cookie banner where you can manage preferences.
I liked that the Wells Fargo opt-out method is so intuitive and straightforward. They provide transparent information about their data collection practices and all you need to do is click two buttons to opt out.
Where should I place the “Do not sell or share my personal information” link?
The CCPA doesn’t mandate one exact place where website owners must put the “Do not sell or share my personal information” link. However, it must sit in an easily accessible place where all users can find it, and it must also be described in the privacy policy.
Here are a few tips on where you could place the DNS link:
- Website footer. Many websites place legal documents at the website footer, so putting the DNS link there seems intuitive. However, ensure that the link is visible on all pages where data is collected.
- Cookie banner. Some businesses include the DNS link on their cookie banner. However, you must ensure that the cookie banner is accessible at all times or also place the link in the website footer.
- Privacy policy. Aside from placing the “Do not sell or share” link in an accessible part of your site, you must also mention it in your privacy policy.
When covering “Do not sell or share” requests in the privacy policy, describe the underlying right to opt out itself, not just the link.
How can users opt out of selling personal information?
The CCPA requires businesses to provide at least two methods for opting out of the sale or sharing of personal information, one of which has to be a “Do not sell or share my personal information” link. Other methods can be:
- Toll-free number
- Global privacy controls (GPC)
When using a “Do not sell or share my personal information” link, you have to create a dedicated page or banner that offers the actual opt-out mechanism. The exact process depends on the extent to which you sell or share data. Here are a few approaches:
Using a consent management platform
If your website is using cookies, the easiest way to automate “do not share or sell” requests is to leverage a Consent Management Platform (CMP). You can use it to create a cookie banner with the “Do not sell or share my personal information” rejection button.
For example, TinyCookie lets Shopify users customize the banner content to be CCPA compliant. As soon as the user clicks the button, the CMP stops deploying the cookies it manages on their device. Note that a CMP can only block tags that are loaded through it: scripts hardcoded into the page, server-side data transfers, and cookies that were already set before the click all have to be handled separately.
Here’s how a CMP helps you comply with the CCPA:
- Lets you create a cookie banner with custom design and content for your website
- Scans your website cookies to understand what personal information is collected
- Records user consent approval or rejection choices in one place
Using web forms
You can create a separate page for “Do not sell or share my personal information” requests with a web form. The CCPA prohibits asking users to create an account to opt out but you can ask for the minimum data necessary to process the opt-out request.
Here are a few example fields you could use:
- Email address
- User ID
- “I want to opt out of the selling and sharing of my personal data” checkbox
- A button to “Submit” the request
Using Global Privacy Controls
Global Privacy Control (GPC) is a browser signal that users can turn on to tell websites about their privacy preferences, including a “do not sell or share” request. Users usually enable it in their browser settings or through a browser extension. Technically, the browser sends a Sec-GPC: 1 request header with every request and exposes the same setting to page scripts as navigator.globalPrivacyControl. Under the CPRA regulations, a GPC signal must be treated as a valid opt-out request.
The easiest way to honor GPC requests is to use a consent management platform that supports the signal on your Content Management System (CMS) or website builder.
For example, TinyCookie allows you to enable GPC signal detection in one click on Shopify.
Alternatively, you can honor the signal by editing your site code: check the request header on the server, or the navigator property in the browser, before loading any tag that sells or shares data. This method is more challenging and time-consuming, especially if you’re not familiar with coding, so either ask a developer for help or follow the official Global Privacy Control guide.
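The following is an added example written for this article; it is not code from the original page, from TinyCookie, or from the GPC project. It ties together the web-form and GPC sections above: a small backend helper that detects the GPC signal, records opt-outs received through either channel, and applies the 12-month re-ask and 24-month retention rules from the requirements list. The Sec-GPC header, navigator.globalPrivacyControl and the /.well-known/gpc.json resource come from the GPC specification; every function, class, field and visitor key below is a hypothetical name chosen for the example, and the sample requests at the bottom are constructed.

```javascript
// Added example, not code from the original article or from any CMP it mentions.
// Honors "Do not sell or share" opt-outs that arrive via the opt-out web form or
// as the Global Privacy Control (GPC) signal. Sec-GPC, navigator.globalPrivacyControl
// and /.well-known/gpc.json are defined by the GPC spec; all other names are
// hypothetical helpers invented for this example.

// Adds n calendar months in UTC. Day overflow (31 Jan + 1 month) rolls forward,
// which is fine for "at least 12 / 24 months" windows that only need a lower bound.
function addMonths(date, n) {
  const d = new Date(date.getTime());
  d.setUTCMonth(d.getUTCMonth() + n);
  return d;
}

// True only when the request carries "Sec-GPC: 1", the sole value the spec defines.
// Header names are compared case-insensitively because frameworks expose them differently.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Browser-side equivalent for scripts that gate tag loading inside the page itself.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Body for GET /.well-known/gpc.json, which tells GPC-aware tools the site honors
// the signal. lastUpdate is an ISO 8601 date (YYYY-MM-DD).
function gpcWellKnownBody(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Append-only register of opt-out / opt-in events per visitor key (a first-party
// cookie id or account id; hypothetical). In-memory here; a deployment would persist it.
class OptOutRegister {
  constructor() { this.events = new Map(); }

  append(key, event) {
    if (!this.events.has(key)) this.events.set(key, []);
    this.events.get(key).push(event);
  }

  // method records how the request reached you: 'form', 'gpc', 'phone', ...
  recordOptOut(key, method, at) { this.append(key, { action: 'opt-out', method, at }); }
  recordOptIn(key, at) { this.append(key, { action: 'opt-in', method: 'form', at }); }

  latest(key) {
    const list = this.events.get(key) || [];
    return list.length ? list[list.length - 1] : null;
  }

  // The most recent event decides the current status.
  isOptedOut(key) {
    const last = this.latest(key);
    return last !== null && last.action === 'opt-out';
  }

  // A business may ask an opted-out consumer to opt back in only once 12 months
  // have passed since the opt-out.
  mayAskToOptIn(key, now) {
    const list = this.events.get(key) || [];
    const lastOptOut = [...list].reverse().find(e => e.action === 'opt-out');
    if (!lastOptOut) return true;
    return now.getTime() >= addMonths(lastOptOut.at, 12).getTime();
  }

  // Request records must be kept at least 24 months; only older events are
  // candidates for deletion by a retention job.
  purgeableEvents(key, now) {
    const list = this.events.get(key) || [];
    return list.filter(e => addMonths(e.at, 24).getTime() <= now.getTime());
  }
}

// Per-request decision. GPC is a valid opt-out request, so the first time a visitor
// sends it the choice is recorded exactly like a form submission and honored on later
// visits (design assumption: persist the choice rather than re-evaluate the header on
// every request, so a visitor who later disables the signal is not silently re-enrolled).
function resolveRequest(register, key, headers, now) {
  if (gpcFromHeaders(headers) && !register.isOptedOut(key)) {
    register.recordOptOut(key, 'gpc', now);
  }
  const optedOut = register.isOptedOut(key);
  // Only sale/sharing tags are gated by the opt-out; strictly necessary cookies are not.
  return { optedOut, loadSaleShareTags: !optedOut, loadNecessary: true };
}

// Constructed sample: the same visitor first with the signal, later without it.
const sampleRegister = new OptOutRegister();
const sampleFirst = resolveRequest(sampleRegister, 'visitor-123',
  { Host: 'shop.example', 'Sec-GPC': '1' }, new Date('2024-03-01T00:00:00Z'));
const sampleLater = resolveRequest(sampleRegister, 'visitor-123',
  { Host: 'shop.example' }, new Date('2024-06-01T00:00:00Z'));
```

In a real deployment the register would be backed by a database keyed on a first-party identifier, the resolveRequest result would be passed to the template that decides which tags to emit, and the /.well-known/gpc.json body would be served as static JSON. The important design point is that the GPC check happens before any sale/share tag is loaded, not after a CMP banner renders.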
Frequently asked questions
Yes, there are many companies that sell or share your personal data with third parties. It may include anything from your account information to financial data, purchasing habits, browsing activities, location, and more.
The “Do not sell my personal information” link is a CCPA and CPRA requirement. The GDPR requires websites to obtain freely given user consent before processing data and make the opt-out process, usually a simple “Reject” button, as easy as it was to opt in.
Whether you can sue someone for disclosing your personal information depends on the violation and the jurisdiction you live in. The CCPA’s private right of action is limited to certain data breaches; other violations, for example your data being sold to third parties after you’ve opted out of selling and sharing, are enforced by the California Attorney General and the California Privacy Protection Agency, to whom you can submit a complaint.
Personal information, under the CCPA, refers to any data that can be used to identify or be associated with a specific person or household. This includes:
- Personal data, such as name, email address, purchase history, biometrics, IP address, etc.
- Sensitive personal information, like passport or social security numbers, precise geolocation, the contents of messages, etc.
Note that personal information does not include deidentified or aggregate information, or publicly available information, including information the user has made publicly available.