Do Not Sell My Personal Information: Guide To Navigating The Privacy Requirement Maze


In California, the phrase “Do Not Sell My Personal Information” isn’t just a polite request—it’s a legal lever, one that’s grown sharper with each twist of the state’s privacy laws. Since the California Consumer Privacy Act (CCPA) took effect in 2020, and with its beefier successor, the California Privacy Rights Act (CPRA), amending it in 2023, businesses have had to rethink how they handle the digital goldmine of consumer data. By February 2025, with enforcement ramping up, the mandate is clear: Give Californians control over their personal info—or pay the price. This isn’t optional; it’s a compliance tightrope, and the stakes are climbing.

The CCPA kicked things off by letting residents opt out of data sales, a right that caught many firms flat-footed. The CPRA doubled down, expanding it to “Do Not Sell or Share,” covering not just sales but any transfer to third parties for ads or analytics. Add in sensitive data rules and opt-out logistics, and it’s a full-on overhaul. “We thought we had it handled,” says Priya, who runs an e-commerce site out of Oakland. “Then CPRA hit, and suddenly our ad partners were ‘sharing,’ not ‘selling.’ It’s a mess.” Her story’s common—businesses scrambling to decode legalese while keeping customers happy and regulators at bay.

CCPA’s “Do Not Sell or Share” Baseline

The original CCPA, enforceable since July 2020, gave Californians three big rights: know what data you collect, delete it, and stop its sale. That last one—“Do Not Sell”—meant businesses had to offer a clear opt-out for any transaction where personal info (names, IPs, browsing habits) swapped hands for cash or value. A retailer selling email lists to a marketer? That’s a sale. Fines started at $2,500 per violation, jumping to $7,500 if intentional, and the Attorney General’s office didn’t hesitate—by 2022, dozens of firms faced penalties topping $10 million combined.

CPRA’s Broader Reach

Enter the CPRA, voted in via ballot in 2020 and active since January 2023. It stretched “Do Not Sell” to “Do Not Sell or Share,” plugging a loophole. Sharing—handing data to ad networks for targeted ads, even without money changing hands—now counts. “It’s about behavioral advertising,” says Elena Cortez, a Sacramento privacy lawyer. “Companies argued it wasn’t a sale. CPRA said, ‘Doesn’t matter.’” The law also birthed the California Privacy Protection Agency (CPPA), a watchdog with teeth—its 2024 caseload hit 50 enforcement actions, up from 20 in 2022, per agency reports.

Sensitive Personal Information Under CPRA

The CPRA doesn’t treat all data equally. “Sensitive personal information”—think Social Security numbers, health records, precise geolocation—gets extra armor. Consumers can limit its use outright, beyond just sales or sharing. A fitness app tracking heart rates? It can’t quietly feed that to insurers unless users say yes. Mishandle it, and penalties stack—CPPA’s first sensitive-data fine, against a telehealth firm in 2024, was $1.2 million. “It’s a game-changer,” Cortez notes. “Businesses can’t assume silence is consent.”

Managing Opt-Out Requests Effectively

Opt-outs aren’t a suggestion—they’re a process. CPRA demands a frictionless way for users to say no, often via automated signals like the Global Privacy Control (GPC), a browser setting that’s been legally binding in California since 2023. Miss it, and you’re noncompliant. “We had 500 requests a month,” Priya says. “Manually sorting them was chaos.” Smart firms use tools from Captain Compliance or other industry pioneers, like OneTrust or TrustArc, to catch GPC signals and manual clicks alike, logging each for proof. The CPPA’s 2024 audit of 100 sites found 30% botched this step, risking fines. A Universal Opt-Out Mechanism also comes in handy.

Designing Opt-Out Pages

Your “Do Not Sell or Share” link better be obvious—footer placement, bold text, no burying it in fine print. CPRA regs say it’s gotcha-free: one click to opt out, no dark patterns like “Are you sure?” pop-ups. Take Sephora’s 2022 $1.2 million CCPA settlement—its opt-out was a maze. Now, best practice is a dedicated page: “Click here to opt out of data sales or sharing. We respect your choice.” Pair it with a GPC toggle, and you’re golden.

Ensuring Transparency in Data Sales

Transparency isn’t optional—CPRA demands you spell out who gets what. A 2025 privacy policy might read: “We share names and browsing data with Google Ads for targeting. Opt out below.” Vague fluff like “We work with partners” won’t cut it. The CPPA’s 2024 sweep nabbed 15 firms for murky disclosures, averaging $50,000 per penalty. Clarity’s your shield—list recipients, purposes, and opt-out steps.

Streamlining Your CPRA Compliance Program

Compliance is a beast, but it’s tameable. Step one: audit your data flows—where’s it going, and why? Step two: automate opt-outs with tech stacks integrating GPC. Step three: train staff—Priya’s team missed a sharing deal with a vendor because no one flagged it. Regular reviews keep you ahead—CPRA’s annual refresh requirement isn’t a suggestion. “It’s a grind,” says Mark, a San Diego startup founder. “But fines hurt worse.”

Do Not Sell My Personal Information Example

Here’s a real-world snippet that Priya, the business owner from Oakland we mentioned above, now uses on her site: “Do Not Sell or Share My Personal Information: We may share your email and purchase history with ad partners like Facebook. Click here to opt out.” Short, sweet, CPRA-compliant—and live on her footer since last fall.

Do Not Sell My Personal Information: Toggle On or Off

The idea of a toggle—flip it on, data’s sold; flip it off, it’s not—sounds simple, but in 2025, it’s a compliance lifeline. CPRA doesn’t mandate toggles, but they’re becoming the gold standard for user control, especially with GPC’s rise. Imagine Priya’s site: A dashboard where customers toggle “Sell/Share My Data” to “Off.” Behind the scenes, her ad tech—say, Google’s ad stack—stops sharing with partners instantly. It’s not just convenient; it’s proof of intent. “We went from emails to a button,” she says. “Complaints dropped 80%.”

But toggles aren’t foolproof. A 2024 CPPA audit found 20% of toggles were cosmetic—clicking “Off” didn’t stop data flows. Fines followed, averaging $75,000 per case. The fix? Real-time integration. Tools like Consent Management Platforms (CMPs) from Captain Compliance, Didomi or Osano sync toggles to data pipelines, ensuring “Off” means off. Mark’s startup learned this the hard way—his first toggle was a placebo until a developer rewired it. “It’s not decoration,” he says. “It’s law.”

Consumers love it, though. A Pew survey last year showed 65% of Californians prefer toggles over forms or links—faster, less hassle. Yet complexity lurks: Sensitive data needs its own toggle under CPRA, separate from general sharing. A fitness chain in LA got dinged $200,000 in 2024 for bundling health stats with ad data under one switch. Granularity matters—design toggles for each data type, and test them. Priya’s advice? “Assume the CPPA’s clicking it. Make sure it works.”

Do Not Sell My Personal Information Google

Google’s a titan in the data game, and its 2025 fingerprinting pivot—approved February 16—complicates “Do Not Sell or Share.” Cookies are no longer dying (Chrome’s phaseout was called off last year), and meanwhile Google Ads still slurps browsing data via first-party signals and fingerprinting. For Californians, this is “sharing” under CPRA—targeted ads don’t need a sale to trigger opt-out rights. Priya’s site leans on Google Ads; she had to rewrite her policy: “We share visit data with Google for ads. Opt out here.” That “Opt out here” language was a link to their Data Subject Access Request portal.

Google’s Privacy Sandbox pitches alternatives—Topics API groups users by interest, not identity—but it’s opt-in for businesses, and uptake’s slow. Meanwhile, GPC adoption is spotty—Google supports it in theory, but a 2024 EFF report found 40% of its ad partners ignored the signal. Fines loom: CPPA’s 2025 enforcement priorities flag ad tech giants, and Google’s on the list. A Bay Area retailer paid $150,000 last month for letting Google share data post-opt-out, and millions of dollars a month are being paid out as a result of lawsuits filed by law firms like Swigart Law that force privacy violators into expensive arbitrations. Violations are stacking up, with hundreds of complaints filed each week.

Compliance means vigilance. Mark’s team audits Google’s data flows monthly—IP logs, device IDs—ensuring opt-outs stick. “Google’s not your babysitter,” he says. “You are.” Cortez agrees: “If Google’s involved, assume sharing’s baked in. Disclose it, or regret it.”

Do Not Sell My Personal Information: Opt Out

Opting out isn’t a one-size-fits-all button—it’s a system. CPRA’s GPC mandate means browsers like Firefox can beam “don’t sell” signals sitewide, but manual opt-outs still dominate. Priya averages 600 monthly now—some via GPC, most through her site’s link. “People don’t trust automation,” she says. “They want to click it themselves.” Her solution? A hybrid: GPC syncs with a manual “Opt Out Now” page, logging both in a CRM.
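
One way to wire the hybrid described above (a GPC signal plus a manual toggle, both logged) so that “Off” actually gates the outbound data flow and sensitive data has its own switch. This is an added example, not code from this article or from any vendor it names; the function names, record fields and sensitive field names are assumptions, while `Sec-GPC: 1` is the request header browsers use to transmit the GPC signal.

```javascript
// Added example (hypothetical names throughout), server-side Node.js.

// Browsers with Global Privacy Control enabled send the header "Sec-GPC: 1".
function gpcAsserted(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  return key !== undefined && String(headers[key]).trim() === "1";
}

// Combine the browser signal with the stored toggle state. An opt-out from
// either source wins. The sensitive-data toggle is separate and defaults to
// "not allowed" until the user turns it on (assumed design choice).
function resolveChoices(headers, stored, now = new Date()) {
  const gpc = gpcAsserted(headers);
  const manual = stored.sellShare === "off";
  const choices = {
    sellShareAllowed: !(gpc || manual),
    sensitiveUseAllowed: stored.sensitive === "on",
  };
  const source = gpc && manual ? "gpc+manual" : gpc ? "gpc" : manual ? "manual" : "none";
  // Audit record kept as proof of what was honored and why.
  const auditRecord = { at: now.toISOString(), userId: stored.userId, source, ...choices };
  return { choices, auditRecord };
}

// Constructed field names standing in for sensitive personal information.
const SENSITIVE_FIELDS = ["heartRate", "preciseGeo"];

// Enforcement point: every event bound for an ad partner passes through here,
// so a toggle set to "off" cannot be cosmetic.
function filterOutboundEvent(event, choices) {
  if (!choices.sellShareAllowed) return null; // nothing is shared
  const out = { ...event };
  if (!choices.sensitiveUseAllowed) {
    for (const field of SENSITIVE_FIELDS) delete out[field];
  }
  return out;
}

// Constructed sample: GPC on, stored toggle still "on", so the opt-out wins.
const sample = resolveChoices(
  { "Sec-GPC": "1" },
  { userId: "u-1001", sellShare: "on", sensitive: "off" }
);
console.log(sample.auditRecord.source, filterOutboundEvent({ page: "/cart" }, sample.choices));
```

Routing every partner-bound event through a single filter like this also gives an audit one place to check that opt-outs stick.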

The CPPA’s 2024 sweep hit 25 firms for opt-out failures—delays, broken links, ignored signals. Penalties averaged $60,000, but reputational damage stung worse. “Customers tweet it,” Mark says. “One glitch, and you’re viral.” Best practice? Instant processing—click to opt out, and data sharing stops within 15 days (CPRA’s deadline). Tools like TrustArc’s Preference Manager cut that to seconds, dodging the CPPA’s radar.

Scale’s the challenge. New consumer-focused software companies like Privacy Hawk are sprouting up, filing thousands of DSAR requests on behalf of users with sites that don’t even have their data. Business owners are getting worried that it’s only going to get worse, and the answer is that it clearly is.

An Example of Do Not Sell My Personal Information

Priya’s example—“Do Not Sell or Share My Personal Information: We may share your email and purchase history with ad partners like Facebook. Click here to opt out”—is a model, but let’s flesh it out. A 2025 version might look like this on a retailer’s site: “We collect your name, email, and browsing history. This may be shared with Meta, Google Ads, and Shopify for personalized offers. Sensitive data, like payment details, goes to Stripe for processing. Toggle off below or use GPC to stop sharing.” It’s on her homepage footer, linked to a toggle page, and updated quarterly. Greater disclosure and obtaining consent are always tantamount to building trust with your website’s visitors and data subjects.

Contrast that with a 2023 flop—a San Diego business fined $80,000 for this: “We use data with partners.” No specifics, no opt-out link—just a phone number. The CPPA called it “willful dark patterns.”

Do Not Sell My Personal Information Link

That link—“Click here to opt out”—is your compliance keystone. CPRA demands it’s conspicuous: homepage, footer, privacy policy, in 12-point font or bigger, no blending into text. Priya’s is bold red, bottom-right, labeled “Do Not Sell or Share My Info.” Click it, and you’re on a page with toggles, a GPC detector, and a confirmation: “You’ve opted out. Changes take effect in 24 hours.” Mark’s link, buried in a submenu, cost him $20,000 in 2024—lesson learned. So give your visitors their privacy choices. If you need help setting up the “Do Not Sell My Personal Information” links on your website, or on your clients’ websites if you’re a web development agency, connect with us today to get started by booking a demo below.

Do Not Sell or Share My Personal Information

Visual Example From Captain Compliance: CPRA Enforcement Trend Chart 2022-2025

CPRA Enforcement Actions

Year                Number of Cases
2022                20
2023                35
2024                50
2025 (projected)    65
Source: CPPA Reports, author estimates

 
