The "Do Not Sell or Share My Personal Information" link is the single most enforced control in US privacy law. It was central to the Sephora settlement, the Todd Snyder action, and the Healthline case. Yet the rules for it are more specific than most teams realize, from the exact wording of the link title to whether you're allowed to make people log in first. Get the details wrong and you've got a link that looks compliant but isn't.
Here's exactly what California requires, the options for combining links, and the dark-pattern rules regulators actively check.
When you need the link at all
You need an opt-out of sale/sharing if your site "sells" or "shares" personal information as those terms are defined under the CCPA. The definitions are broad. Letting third-party advertising or analytics cookies read visitor data can count as a "sale," and enabling cross-context behavioral advertising counts as "sharing," even if no money changes hands. If you run ad tech, retargeting pixels, or most analytics-plus-advertising integrations, assume you're in scope.
The three ways to present the opt-out
California's regulations give you three valid structures. Pick one:
- Two separate links. A link titled exactly "Do Not Sell or Share My Personal Information" for the sale/sharing opt-out, plus a second link titled "Limit the Use of My Sensitive Personal Information" if you use sensitive data beyond what's necessary. These exact titles are specified in the regulations (sections 7013 and 7014).
- The Alternative Opt-Out Link. Instead of two links, you may use a single link titled "Your Privacy Choices" or "Your California Privacy Choices" that covers both the right to opt out of sale/sharing and the right to limit sensitive data. This option is set out in section 7015.
- Rely on an opt-out preference signal. A business that honors Global Privacy Control signals and does not sell or share personal information outside what those signals cover can, in some cases, avoid posting a link at all. Most sites still post one, because it's clearer and covers visitors whose browsers don't send GPC.
The opt-out icon
If you use the "Your Privacy Choices" Alternative Opt-Out Link, you must display the official opt-out icon next to it, the small blue-and-white toggle mark. It should be roughly the same size as other icons in your header or footer. The icon is optional decoration on the standalone "Do Not Sell or Share" link but required as part of the combined "Your Privacy Choices" approach. Use the official artwork rather than recreating it.
The rules regulators actually check
Beyond the title and icon, the mechanics behind the link are where enforcement happens:
- Clear and conspicuous placement. The link belongs in the header or footer of every page, easy to find. Burying it fails.
- No login required. You can't force people to create or sign into an account before they opt out. Todd Snyder was penalized partly for requiring identity verification to opt out.
- Minimal information. Only ask for what you genuinely need to process the request. Honda's action cited collecting excess information.
- Symmetry in choices. Opting out can't take more steps or clicks than opting in. Equal-weight buttons, no pre-checked traps, no confusing double negatives. Our guide on dark pattern laws covers this in depth.
- Act promptly. Process opt-out requests as soon as feasible, and no later than 15 business days.
- Actually stop the data flow. The link must work end to end. The Todd Snyder portal silently failed for 40 days, and that broken plumbing drove the fine.
What "processing" the opt-out actually means
Clicking the link has to change what happens on the page. Once someone opts out, you must stop the tags and cookies that share their data for advertising, both in the browser and in any server-side pipelines that forward data to ad partners. A link that records a preference but keeps firing the pixels is the exact failure pattern regulators cite.
Three further rules are easy to miss. You must post a Notice of Right to Opt-Out explaining the right; the bare link on its own isn't enough. You generally can't turn around and ask an opted-out consumer to opt back in for at least twelve months. And if you offer a discount or reward in exchange for data (a "financial incentive"), you have to disclose it and let people opt in knowingly, rather than penalizing those who exercise their rights. Build the opt-out so it genuinely suppresses downstream sharing, log that it did, and the link stops being decoration and becomes compliance.
Honor GPC alongside the link
The link and Global Privacy Control are complementary, not alternatives. California requires you to honor GPC signals regardless of whether someone also uses your link, and both Sephora and Healthline were penalized in part for ignoring GPC. Treat an incoming GPC signal as an automatic opt-out of sale and sharing, and keep the visible link for people whose browsers don't send one. Our GPC explainer and universal opt-out mechanisms guide cover the signal side.
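The gating the previous two sections describe (suppress the advertising tags once the link has been used, treat an incoming GPC signal the same way, and log what was suppressed), written out as an added example that is not part of the original article. `navigator.globalPrivacyControl` and the `Sec-GPC: 1` request header are the standard GPC surfaces; the function names, the stored `opted_out` value and the tag catalogue are this example's own assumptions.

```javascript
// Read the GPC signal from either a browser navigator object or a server-side
// request-header map. Both inputs are optional so the function runs offline.
function readGpcSignal({ navigator, headers } = {}) {
  if (navigator && navigator.globalPrivacyControl === true) return true;
  if (headers) {
    const raw = headers['sec-gpc'] !== undefined ? headers['sec-gpc'] : headers['Sec-GPC'];
    if (raw === '1') return true; // the GPC spec sends literally "1"
  }
  return false;
}

// Combine the link-based preference (assumed stored as 'opted_out', e.g. in a
// first-party cookie) with the GPC signal into one opt-out decision.
function ccpaOptOutDecision({ storedPreference, gpcSignal }) {
  const linkOptOut = storedPreference === 'opted_out';
  const gpcOptOut = gpcSignal === true;
  return {
    optedOut: linkOptOut || gpcOptOut,
    source: linkOptOut ? 'link' : gpcOptOut ? 'gpc' : 'none',
  };
}

// Constructed tag catalogue: only tags that sell/share data for advertising
// are subject to suppression; strictly necessary tags keep running.
const TAGS = [
  { id: 'ad-retargeting-pixel', sharesForAds: true },
  { id: 'cross-context-analytics', sharesForAds: true },
  { id: 'fraud-prevention', sharesForAds: false },
];

// Decide which tags may load (or which events a server pipeline may forward)
// and record each decision so the opt-out is auditable, not just stored.
function planTagLoads(tags, decision) {
  const load = [];
  const log = [];
  for (const tag of tags) {
    const suppressed = decision.optedOut && tag.sharesForAds;
    log.push({
      tag: tag.id,
      loaded: !suppressed,
      reason: suppressed ? 'suppressed: opt-out via ' + decision.source : 'allowed',
    });
    if (!suppressed) load.push(tag.id);
  }
  return { load, log };
}

// Constructed scenario: the visitor never used the link, but the browser sends GPC.
const gpcOnlyDecision = ccpaOptOutDecision({
  storedPreference: null,
  gpcSignal: readGpcSignal({ headers: { 'sec-gpc': '1' } }),
});
const gpcOnlyPlan = planTagLoads(TAGS, gpcOnlyDecision);
```

In the browser, pass `{ navigator: window.navigator }` to `readGpcSignal` and run `planTagLoads` before any tag manager injects its scripts; server-side, run the same decision on each request before forwarding events to ad partners.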
Beyond California
Other states frame the same right differently. Many use "opt out of the sale of personal data" and "opt out of targeted advertising" rather than the California link titles, and they don't mandate the specific "Do Not Sell or Share" wording. The good news is that one well-built opt-out mechanism, honoring GPC and offering a clear choice, can satisfy most states at once. Where California's exact link title and icon are required, use them; elsewhere, a plainly labeled "Your Privacy Choices" control generally does the job. For the full picture, see the complete US state privacy laws guide and, for what happens when you get it wrong, the California enforcement guide.