Ever wonder what the Do Not Sell My Information notices are and what they do? 10 years ago you would not have seen “DNSMI” very often, but today it appears on more and more websites whose owners want to comply with the California privacy laws.
DNSMI Software: Navigating CCPA and Data Subject Access Requests
Litigation is rampant, and California is enforcing its privacy laws more than ever. It’s not just that users’ privacy concerns are at an all-time high; business owners have taken notice and are finally taking this seriously, not by choice but out of necessity. Consumers are increasingly aware of how their personal data is collected, used, and sold by companies. This awareness has led to the rise of regulations like the California Consumer Privacy Act (CCPA), which empowers individuals with rights over their information. At the heart of these protections is the “Do Not Sell My Information” (DNSMI) provision, a critical tool for consumers to opt out of data sales. But for businesses, complying with DNSMI requests isn’t just a legal obligation; it’s a complex process that often requires specialized software to manage effectively.
DNSMI software refers to tools and platforms designed to help organizations handle consumer requests to prevent the sale or sharing of personal information. These solutions automate the detection, processing, and fulfillment of opt-out requests, ensuring compliance with laws like the CCPA. Without robust DNSMI software, companies risk hefty fines, reputational damage, and legal battles. For instance, recent enforcement actions by the California Privacy Protection Agency (CPPA) highlight the consequences of non-compliance, such as the landmark settlement with Honda.
This comprehensive guide explores DNSMI software in depth, covering its role under the CCPA, integration with data subject access requests (DSARs), and real-world examples of violations. We’ll also discuss why off-the-shelf solutions may fall short and provide practical advice through bullet points and numbered lists. By the end, you’ll understand how to implement effective DNSMI strategies to safeguard your business and respect consumer privacy.
Whether you’re a small e-commerce site or a large corporation, investing in reliable DNSMI software is essential. Resources like Captain Compliance’s guide on Do Not Sell My Personal Information can provide further insights into getting started.
What is DNSMI?
DNSMI, short for “Do Not Sell My Information,” is a consumer right enshrined in privacy laws, allowing individuals to prohibit businesses from selling their personal data to third parties. This concept gained prominence with the CCPA in 2020, but it has influenced similar laws across the U.S. and beyond. At its core, DNSMI empowers users to control their data flow, preventing unwanted commercialization.
The Evolution of DNSMI
The idea of opting out of data sales isn’t new, but DNSMI formalized it. Before CCPA, consumers had limited recourse against data brokers and advertisers. Now, businesses must provide clear mechanisms for opt-outs, such as prominent links on websites labeled “Do Not Sell or Share My Personal Information.” Failure to do so can lead to violations, as seen in various enforcement cases.
DNSMI software streamlines this by scanning websites for compliance issues, managing consent preferences, and integrating with cookie banners. For example, tools like Captain Compliance’s Cookie Scanner help identify trackers that might inadvertently sell data, ensuring your site aligns with DNSMI requirements.
There are also subject rights requests, where users can click a footer link and exercise their rights to remove or correct their information. Every website and webmaster will use different wording, and uniformity across all websites just isn’t possible, but there are suggested phrases you can use to point users to the place on your website where they can request that their information not be sold.
Why DNSMI Matters for Businesses
In an era where data is currency, DNSMI forces companies to rethink their monetization strategies. Selling user data without consent isn’t just unethical—it’s illegal in jurisdictions like California. Businesses handling personal information from Californians must respond to DNSMI requests within 45 days, verifying the requester and updating systems accordingly.
Moreover, DNSMI intersects with broader privacy trends, including the meaning of opt-out, which extends beyond sales to sharing for targeted ads. As explained in this detailed overview on opt-out meanings, understanding these nuances is crucial to avoid pitfalls.
The Role of CCPA in DNSMI
The California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA) in 2023, is the cornerstone of DNSMI enforcement in the U.S. It applies to for-profit businesses meeting certain thresholds, such as annual revenue over $25 million or handling data of 100,000+ consumers.
Key Provisions of CCPA Related to DNSMI
Under CCPA, consumers have the right to opt out of the sale or sharing of their personal information. This includes data like IP addresses, browsing history, and geolocation. Businesses must:
- Provide a clear, conspicuous link on their homepage for DNSMI requests.
- Honor Global Privacy Control (GPC) signals automatically.
- Not discriminate against consumers who exercise their rights, such as by charging higher prices.
Violations can stem from inadequate processes, like requiring excessive verification for opt-outs or using “dark patterns” to discourage requests. The CPPA, established under CPRA, oversees enforcement and can impose fines.
Integrating DNSMI with Other CCPA Rights
DNSMI doesn’t exist in isolation; it’s part of a suite of rights including access, deletion, and correction. For instance, a consumer might submit a DSAR alongside a DNSMI request, requiring coordinated handling. Software that manages both is invaluable here.
Recent lawsuits, such as those involving trap-and-trace devices under privacy laws, underscore the risks. Learn more about the Tauler Smith trap-and-trace privacy lawsuit and its implications for data collection. Similarly, the Pen Register and Trap and Trace Devices Act provides federal context for monitoring practices that could violate DNSMI.
Data Subject Access Requests (DSARs)
Data Subject Access Requests, often called DSARs, allow individuals to access, correct, delete, or port their personal data held by a company. In the CCPA context, these are known as requests to know, delete, or opt out. DSARs are closely tied to DNSMI, as both involve consumer control over data.
Handling DSARs Under CCPA
Businesses must verify DSARs without collecting unnecessary information and respond within 45 days (extendable to 90). For DNSMI-specific DSARs, this means immediately ceasing data sales upon request.
Challenges include high volumes of requests, especially for large firms. Manual processing is error-prone, leading to delays or incomplete fulfillments. This is where dedicated portals shine, automating intake and fulfillment.
Consider using the Captain Compliance DSR Portal to streamline these processes, ensuring compliance and efficiency.
Common Pitfalls in DSAR Management
Many companies struggle with verification, often demanding too much data, which itself can violate privacy. Others fail to train staff, resulting in inconsistent handling. Integrating DSAR with DNSMI software mitigates these by centralizing requests.
The Importance of DNSMI Compliance Software
While basic tools exist, relying on off-the-shelf privacy compliance software often isn’t enough. As highlighted by Bloomberg Law analyses, generic solutions lack customization for specific business needs, leading to gaps in coverage.
For detailed reasons, check why off-the-shelf privacy compliance software isn’t enough.
Custom DNSMI software offers tailored workflows, real-time monitoring, and integration with existing systems, reducing violation risks.
Benefits of Robust DNSMI Software
Here are key advantages in bullet points:
- Automation of Requests: Handles opt-outs instantly, minimizing manual errors and ensuring timely responses.
- Compliance Auditing: Regularly scans for trackers and cookies that could sell data, flagging issues early.
- User-Friendly Interfaces: Provides symmetrical choices for consent, avoiding dark patterns that regulators target.
- Integration with DSARs: Links DNSMI with access and deletion requests for holistic management.
- Reporting and Analytics: Generates compliance reports to demonstrate adherence during audits.
- Scalability: Grows with your business, handling increased request volumes without added staff.
- Cost Savings: Prevents fines through proactive enforcement, outweighing the initial investment.
Fines and Violations: Lessons from Recent Cases
Non-compliance with DNSMI under CCPA can result in significant penalties. The CPPA can fine up to $2,500 per unintentional violation and $7,500 per intentional one. These can multiply quickly, as each affected consumer counts as a separate violation.
The Honda Fine by the CPPA
In a notable 2025 case, American Honda Motor Co. settled with the CPPA for $632,500 over CCPA violations related to DNSMI. The allegations included requiring excessive personal information for opt-out requests, using asymmetrical privacy tools, complicating authorized agent submissions, and sharing data without proper contracts.
As part of the settlement, Honda agreed to simplify processes, train employees, and consult UX designers for better request methods. This case emphasizes the need for easy, verifiable opt-outs and highlights how even large companies can falter without proper software.
Other Notable Violations
Another key example is the 2022 Sephora settlement, where the company paid $1.2 million for failing to honor Global Privacy Control signals as DNSMI requests and not disclosing data sales. Sephora had to clarify policies and implement GPC recognition.
In earlier AG enforcement actions, cases such as online retailers ignoring GPC or medical device firms lacking opt-out links were cured without fines but set precedents. These illustrate that proactive DNSMI software can prevent escalation to penalties.
Steps to Implement DNSMI Compliance
To avoid fines like Honda’s, follow this numbered list for effective implementation:
1. Assess Your Data Practices: Audit what personal information you collect and if it’s sold or shared. Use tools to map data flows.
2. Choose Suitable Software: Select DNSMI solutions that integrate with your site, like cookie scanners and DSR portals.
3. Add Required Links and Notices: Place “Do Not Sell” links prominently and update privacy policies.
4. Train Your Team: Educate staff on CCPA rights, verification, and request handling.
5. Test for Compliance: Simulate requests and monitor for issues, including GPC support.
6. Monitor and Update: Regularly review for new regulations and software updates.
7. Document Everything: Keep records of requests and responses for audits.
By following these steps, businesses can achieve robust compliance.
Our DNSMI software is indispensable for navigating CCPA and DSARs. With rising enforcement, as seen in the Honda and Sephora cases, investing in tailored solutions protects against fines and builds trust.
Book a demo to see our DNSMI software in action and automate your data privacy compliance today.