The "Do Not Sell or Share My Personal Information" link is the front door. Building it correctly (the exact title, the icon, placement, no dark patterns) is covered in the do-not-sell link guide. This is the back office: what has to happen once someone clicks it. That is where the Todd Snyder case actually turned (a portal that silently failed for 40 days), and where Sephora and Healthline were penalised for links that recorded a preference while the tracking kept running. An opt-out that changes a database flag but not the data flow is the exact failure regulators fine.
Here is the operational playbook: the clock, who has to stop doing what, who you must notify downstream, and how to prove it happened. For the signal side, see Global Privacy Control explained and universal opt-out mechanisms.
The clock: 15 business days, and no verification
Two things make opt-out fulfilment different from access or deletion. First, the deadline is shorter. Under CCPA regulation section 7026, you must stop selling or sharing the consumer's personal information as soon as feasibly possible, and no later than 15 business days from receipt: not the 45 days that access and deletion requests get, and business days, counted from the moment the request arrives.
Second, you cannot make the consumer prove who they are. Opt-out of sale or sharing is not a verifiable request. You may collect only enough information to apply the opt-out to the correct record, and you cannot require an account or an identity check. A browser signal like GPC carries no identity at all and must still be honoured as a valid opt-out. See verifying a data subject's identity for why the opt-out sits outside the verification rules.
What "stop selling or sharing" means in your stack
An opt-out has to change what happens on the page and on your servers. A row in a preferences table is not enough. Concretely:
- Client-side: stop firing the advertising and analytics tags that share the consumer's data for cross-context behavioural advertising. In Google's ecosystem this maps to updating consent state so ad and analytics storage are denied. See Consent Mode.
- Server-side: stop the pipelines that forward data to ad partners. A server-side tagging setup or a conversions API that keeps sending events after an opt-out is still "sharing." See server-side consent enforcement.
- Batch and CRM: suppress the consumer from audience uploads, lookalike seeds, and data-enrichment exports that would disclose their data to third parties.
The test a regulator applies is simple: after the opt-out, does the consumer's data still reach a third party for advertising? If yes, the link did not work, whatever your database says.
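The client-side and batch halves of that test, as an added example written for this guide (not CookieBeam's code, and not Google's library): a browser opt-out, whether from the stored link click or from the GPC signal, is mapped to a Consent Mode-style consent state, tags are gated on that state, and an audience upload is filtered before it leaves. The `cb_optout` storage key and the tag catalogue are constructed for the example; the `gtag` parameter is whatever consent updater your page actually uses.

```javascript
// Added example, not CookieBeam's or Google's code. Assumes the visible
// link stores "1" under the constructed localStorage key "cb_optout" and
// that every tag declares the consent keys it needs before it may fire.

// Consent state in Google Consent Mode's key names. An opt-out denies all
// four keys that govern cross-context behavioural advertising.
function consentStateFor(optedOut) {
  const v = optedOut ? "denied" : "granted";
  return { ad_storage: v, analytics_storage: v, ad_user_data: v, ad_personalization: v };
}

// An opt-out exists if the link was used (stored flag) or the browser sends
// Global Privacy Control. The two are treated identically, as 7026 requires.
function hasOptOut(nav, storage) {
  const gpc = Boolean(nav && nav.globalPrivacyControl === true);
  const stored = Boolean(storage && storage.getItem("cb_optout") === "1");
  return gpc || stored;
}

// Constructed tag catalogue: which consent keys each tag needs to fire.
const TAG_CATALOGUE = [
  { id: "ga4", requires: ["analytics_storage"] },
  { id: "ads_remarketing", requires: ["ad_storage", "ad_personalization"] },
  { id: "error_monitoring", requires: [] }, // first-party only, shares nothing
];

// Tags allowed to fire under a given consent state. Anything that needs a
// denied key is simply not loaded, so no request to the partner is made.
function tagsToFire(state, catalogue = TAG_CATALOGUE) {
  return catalogue
    .filter(t => t.requires.every(k => state[k] === "granted"))
    .map(t => t.id);
}

// Batch side: strip opted-out consumers from an audience or lookalike upload
// before the file is built, rather than after the partner already has it.
function suppressAudience(rows, optedOutIds) {
  const blocked = new Set(optedOutIds);
  return rows.filter(r => !blocked.has(r.id));
}

// Entry point for page load: compute the state, push it to the consent
// updater if one is wired in, and return what is allowed to fire.
function applyOptOut(nav, storage, gtag) {
  const state = consentStateFor(hasOptOut(nav, storage));
  if (typeof gtag === "function") gtag("consent", "update", state);
  return { state, fire: tagsToFire(state) };
}
```

The point of `tagsToFire` is that suppression is enforced by not loading the tag at all; a tag that loads and then "respects" a flag has already contacted the partner's domain.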
The part teams forget: notify downstream
Stopping your own tags is not the end of the obligation. Section 7026 requires you to notify the third parties to whom you sold or shared the consumer's personal information, direct them to comply with the opt-out, and have them forward it to anyone they in turn shared it with. This is what stops the data from continuing to circulate after you have technically stopped sending new copies.
The distinction that governs who you notify is the CCPA's contractual roles:
- Service providers and contractors process data for you under a CCPA-compliant written contract. Disclosing to them is not a "sale" or "share," so an opt-out does not require you to sever those relationships. You still cannot let them use the data for their own purposes.
- Third parties are everyone else you sold or shared data with. These are the recipients you must notify and direct to comply.
Getting this right depends on knowing which of your vendors is which, which is a data-mapping exercise. A record of processing activities and solid data processing agreements are what make the notification chain possible.
An opt-out fulfilment workflow
Receive from every channel, including GPC
Accept opt-outs from the link, any form, and the Global Privacy Control signal. Stamp the receipt time; the 15-business-day clock starts now.
Match to the record, do not verify identity
Use just enough information to apply the opt-out to the right consumer. Do not demand proof of identity or an account.
Suppress the data flows
Deny ad and analytics sharing client-side and server-side, and suppress the consumer from audience uploads and enrichment exports.
Notify third parties to comply and forward
Tell the third parties you sold or shared the data with to honour the opt-out and pass it down their own chain.
Log that it happened
Record the opt-out, the timestamp, and that suppression took effect, so you can demonstrate compliance if asked.
Do not re-solicit for 12 months
You generally cannot ask an opted-out consumer to opt back into sale or sharing for at least 12 months.
GPC is an incoming opt-out, not an alternative to one
California requires you to treat a Global Privacy Control signal as a valid request to opt out of sale and sharing. It is not optional, and it is not a substitute for the visible link; it runs alongside it for the many visitors whose browsers do not send GPC. Operationally, an incoming GPC signal should hit the same suppression logic as a link click: deny the sharing tags, suppress the audience uploads, and, where you can identify a known consumer behind the signal, apply the opt-out to their stored record too. Ignoring GPC while honouring the link was a specific failure cited against both Sephora and Healthline. See implementing GPC for the technical detection.
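The server-side fulfilment workflow from the numbered steps above, with a GPC signal entering through the same intake as a link click, as an added example written for this guide (not CookieBeam's code or its portal API). The channel names, vendor roles, record fields and the `Sec-GPC` header check are constructed for the example; `addBusinessDays` skips weekends only and knows nothing about holidays, so a production deadline calendar needs more.

```javascript
// Added example, not CookieBeam's code. Runs an opt-out through receipt,
// matching, suppression, downstream notification and logging on constructed
// records and vendors; every name below is an assumption for illustration.

const OPT_OUT_WINDOW_BUSINESS_DAYS = 15;
const RESOLICIT_MONTHS = 12;

// Step 1: accept from every channel and stamp receipt. A GPC request is
// recognised from a "Sec-GPC: 1" header and otherwise treated like a click.
function receiveOptOut({ channel, headers = {}, consumerRef, receivedAt }) {
  if (channel === "gpc" && String(headers["sec-gpc"]) !== "1") return null; // no signal present
  const received = new Date(receivedAt);
  return {
    channel,
    consumerRef, // cookie id, email or account id: whatever arrived, nothing more asked for
    receivedAt: received.toISOString(),
    deadline: addBusinessDays(received, OPT_OUT_WINDOW_BUSINESS_DAYS).toISOString(),
  };
}

// Business-day arithmetic: weekends skipped, holidays deliberately not modelled.
function addBusinessDays(start, n) {
  const d = new Date(start);
  let left = n;
  while (left > 0) {
    d.setUTCDate(d.getUTCDate() + 1);
    const day = d.getUTCDay();
    if (day !== 0 && day !== 6) left -= 1;
  }
  return d;
}

// Step 2: match on the reference that arrived. No identity verification.
function matchRecord(request, records) {
  const ref = request.consumerRef;
  return records.find(r => r.cookieId === ref || r.email === ref) || null;
}

// CCPA roles decide who is notified: service providers and contractors under
// a CCPA contract are retained as processors, everyone else is a third party.
function classifyRecipients(vendors) {
  const thirdParties = [];
  const serviceProviders = [];
  for (const v of vendors) {
    const covered = v.contract === "ccpa" && (v.role === "service_provider" || v.role === "contractor");
    (covered ? serviceProviders : thirdParties).push(v);
  }
  return { thirdParties, serviceProviders };
}

// Steps 3 to 6: suppress the flows, build the notifications, log it, and
// record when the consumer may next be asked to opt back in.
function fulfil(request, records, vendors, now = new Date()) {
  const record = matchRecord(request, records);
  const { thirdParties, serviceProviders } = classifyRecipients(vendors);
  const ids = record ? [record.cookieId, record.email].filter(Boolean) : [request.consumerRef];
  const suppression = {
    clientConsent: { ad_storage: "denied", analytics_storage: "denied" },
    serverForwarding: false, // server-side tagging and conversions API stop sending
    audienceSuppressList: ids, // kept out of audience uploads and enrichment exports
  };
  const notifications = thirdParties.map(v => ({
    to: v.name,
    instruction: "Honour this opt-out and forward it to anyone you shared the data with.",
    subjectIds: ids,
  }));
  const resolicitAllowedAfter = new Date(now);
  resolicitAllowedAfter.setUTCMonth(resolicitAllowedAfter.getUTCMonth() + RESOLICIT_MONTHS);
  const log = {
    ...request,
    matched: Boolean(record),
    suppressedAt: now.toISOString(),
    withinWindow: now <= new Date(request.deadline),
    notified: notifications.map(n => n.to),
    retainedAsProcessors: serviceProviders.map(v => v.name),
    resolicitAllowedAfter: resolicitAllowedAfter.toISOString(),
  };
  return { suppression, notifications, log };
}
```

The log entry is the evidence the guide asks for: it records not just that the preference was stored but when suppression took effect, whether that fell inside the window, and which third parties were told to comply and forward.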
The 15 days is the ceiling, not the target
Section 7026 says "as soon as feasibly possible" and sets 15 business days as the outer limit. A modern setup applies the client-side suppression immediately on the click or signal, then works the server-side and downstream-notification steps within the window. Treating 15 business days as a comfortable buffer is how you end up with the Todd Snyder problem: a portal that recorded the request but did not actually stop the sharing, discovered only when a regulator tested it end to end.
One mechanism, many states
California uses the "Do Not Sell or Share" and "Your Privacy Choices" framing. Virginia, Colorado, Connecticut, and the other state laws phrase the same idea as opting out of the "sale" of personal data and of "targeted advertising," and most require you to honour a universal opt-out signal like GPC. The good news for operations: one well-built suppression mechanism that responds to GPC and to an explicit opt-out can satisfy most of these states at once. You do not need a separate pipeline per state; you need one that reliably stops the data flow and can prove it did. For the state-by-state detail, see the US state privacy laws guide.
Where CookieBeam fits
CookieBeam sits at the enforcement point of this workflow. It detects an incoming GPC signal and can treat it as an opt-out, gates the advertising and analytics tags client-side so denied sharing stops firing, and extends that enforcement to server-side tagging so the pipelines that forward data to ad partners respect the same decision. Its privacy portal also offers an explicit do-not-sell or opt-out request type for regions that grant it, logged with a timestamp so the 15-business-day clock is visible. What CookieBeam does not do for you is the downstream part: notifying your specific third parties and confirming they complied is a vendor-relationship step that depends on your contracts and data map. Keep that on your side of the line and treat the tooling as the part that reliably stops the flow.
Opt-out fulfilment checklist
Start the 15-business-day clock at receipt
Opt-out of sale or sharing has a shorter deadline than access or deletion.
Do not require identity verification or an account
Collect only enough to apply the opt-out to the right record.
Suppress sharing client-side and server-side
Denied advertising and analytics must stop in the browser and in server pipelines.
Notify third parties to comply and forward
Service providers and contractors under contract are treated differently from third parties.
Honour GPC as a valid opt-out
Treat the signal the same as a link click; it runs alongside the visible link.
Log the opt-out and that suppression took effect
Be able to demonstrate the data flow actually stopped, with evidence beyond a database flag.
Do not re-solicit opt-in for at least 12 months
You cannot ask an opted-out consumer to opt back in inside that window.
The database flag is the easy 10 percent
Recording that someone opted out is trivial. Making sure their data actually stops reaching third parties, across the browser, your servers, and your vendor chain, is the 90 percent regulators test. Wire the suppression into your tags before you worry about the UI, and log that it took effect. See server-side consent enforcement for the pipeline side.