Do Not Sell My Info

What is Do Not Sell My Info?

Do Not Sell My Info is a consumer privacy right established by the California Consumer Privacy Act (CCPA) that allows California residents to opt out of the sale of their personal information by businesses. This right requires companies to provide a clear mechanism—typically a prominent link on their website—that enables users to submit requests prohibiting the business from selling their personal data to third parties.

The CCPA defines "sale" broadly as disclosing, transferring, or otherwise communicating personal information to another business or third party for monetary or other valuable consideration. This definition extends beyond traditional data broker transactions to include scenarios common in digital marketing: sharing data with advertising networks for targeted ads, providing customer lists to marketing partners, or transferring user data to analytics platforms that use it for their own purposes. The law requires businesses to honor these opt-out requests within 15 days and refrain from discriminating against consumers who exercise this right.

For B2B SaaS companies and marketing technology platforms, Do Not Sell My Info compliance has become a critical operational requirement since CCPA took effect in January 2020. The California Privacy Rights Act (CPRA), which expanded CCPA provisions starting in 2023, strengthened these requirements and influenced similar legislation in other states including Virginia, Colorado, and Connecticut. Companies now implement sophisticated consent management, data mapping, and preference tracking systems to ensure compliance across increasingly complex privacy regulations. According to the International Association of Privacy Professionals (IAPP), over 78% of U.S. companies have implemented CCPA compliance programs, with Do Not Sell mechanisms being a foundational requirement.

Key Takeaways

• Legal Requirement: CCPA mandates that businesses provide a clear "Do Not Sell My Personal Information" link on their homepage and honor opt-out requests within 15 days of receipt

• Broad Definition: "Sale" under CCPA includes sharing data with ad networks, marketing partners, and analytics platforms—not just traditional monetary transactions

• Multi-State Impact: While CCPA is California law, similar requirements now exist in Virginia, Colorado, Connecticut, and other states, requiring scalable compliance frameworks

• Marketing Technology Impact: Ad tech, marketing automation, and data enrichment workflows must respect opt-out preferences to avoid violations and penalties up to $7,500 per intentional violation

• Competitive Advantage: Transparent privacy practices and easy opt-out mechanisms build consumer trust and can differentiate brands in privacy-conscious markets

How It Works

The Do Not Sell My Info mechanism operates through several integrated components across legal, technical, and operational domains:

Stage 1: Consumer Notice and Link Placement
Businesses subject to CCPA must prominently display a "Do Not Sell My Personal Information" or "Do Not Sell or Share My Personal Information" link (under CPRA) on their website homepage and privacy policy. This link must be clearly labeled—CCPA regulations specify that alternative phrasing like "opt out of data sharing" may not satisfy the requirement. Many companies place this link in website footers alongside "Privacy Policy" and "Terms of Service" links to ensure visibility.

Stage 2: Opt-Out Request Submission
When a consumer clicks the Do Not Sell link, they are directed to a request submission interface. This can be a simple web form collecting name and email, a more sophisticated preference center allowing granular choices, or an integration with a consent management platform (CMP) like OneTrust or Osano. The CCPA prohibits requiring account creation as a prerequisite for submitting opt-out requests, ensuring accessibility even for website visitors who aren't registered users.

Stage 3: Identity Verification and Processing
Upon receiving an opt-out request, the business must verify the requestor's identity (especially for email address-based requests to prevent abuse) and process the request within 15 business days. This involves updating internal databases, CRM systems, data warehouses, and any integrated platforms that process personal information. Modern implementations use unique identifiers or cookies to track opt-out preferences across sessions and devices.

Stage 4: Third-Party Communication
Critically, businesses must communicate opt-out preferences to third parties with whom they share data. This includes advertising networks, data enrichment vendors, marketing automation platforms, and analytics tools. Technologies like the IAB's CCPA Compliance Framework enable automated signaling of opt-out preferences through technical specifications. Companies using platforms like Saber for company and contact discovery must ensure that opt-out signals are properly transmitted through API integrations and data pipelines.

Stage 5: Ongoing Compliance and Recordkeeping
Businesses must maintain records of opt-out requests for at least 24 months and ensure that opt-out preferences persist across systems. This requires integration between consent management platforms, customer data platforms (CDPs), CRMs, marketing automation tools, and data warehouses. Any data transfer, sharing arrangement, or new marketing technology integration must incorporate opt-out preference checking to maintain compliance.

According to Gartner's research on privacy technology, implementing effective Do Not Sell mechanisms requires coordination across legal, privacy, engineering, marketing, and sales teams, with average implementation costs ranging from $100K to $2M depending on organizational complexity.

Key Features

• Legally Mandated Language: Must use specific "Do Not Sell" phrasing prescribed by CCPA rather than generic opt-out language

• Prominent Placement: Required on homepage and privacy policy, typically in footer navigation for consistent accessibility

• No Discrimination: Cannot charge different prices, provide different service levels, or deny services to consumers who opt out

• Persistent Preference: Opt-out choices must persist across sessions, devices, and be honored for at least 12 months without re-confirmation

• Third-Party Propagation: Opt-out signals must flow to all downstream data recipients, vendors, and partners

Use Cases

Use Case 1: E-Commerce Advertising Opt-Out

A direct-to-consumer e-commerce company uses Facebook Pixel, Google Ads remarketing tags, and various ad tech partners to drive customer acquisition. Under CCPA, sharing customer email addresses and browsing behavior with these platforms for targeted advertising constitutes a "sale" of personal information. The company implements OneTrust as their consent management platform, adding a "Do Not Sell My Personal Information" link in the website footer. When California visitors click this link, they're presented with a toggle-based preference center showing all data sharing partners. Opting out triggers technical signals: the Facebook Pixel stops firing for that user (via CCPA signal), email address hashing for ad matching is disabled, and customer email is added to a suppression list for third-party data sharing. This implementation prevents CCPA violations while maintaining advertising capabilities for users who don't opt out.

Use Case 2: B2B SaaS Data Enrichment Compliance

A B2B marketing automation company uses data enrichment services to append firmographic and technographic information to lead records. This data sharing arrangement qualifies as a "sale" under CCPA's broad definition. The company adds Do Not Sell functionality to their platform, allowing customers' end users (marketing contacts) to opt out. When an opt-out request is received, the system: marks the contact record with an opt-out flag in HubSpot, excludes that email from batch enrichment jobs sent to Clearbit or ZoomInfo, and implements API-level filtering so enrichment services never receive opted-out contact information. This protects both the SaaS company and their customers from CCPA violations. For platforms using Saber for company signals and contact discovery, similar filtering ensures that opted-out individuals' data isn't requested via API calls.

Use Case 3: Marketing List Rentals and Co-Marketing

A software company participates in co-marketing partnerships where customer lists are shared with complementary technology vendors for joint webinars and content distribution. CCPA classifies this list sharing as a data sale. The company implements a preference center accessible via the Do Not Sell link, allowing customers to specify which types of data sharing they consent to: advertising networks, co-marketing partners, analytics providers, or data enrichment services. Customers who opt out of co-marketing partnerships are automatically excluded from list exports and account-based marketing campaigns that involve third-party partners. This granular approach maintains valuable partnership activities while respecting consumer privacy rights and ensuring CCPA compliance.

Implementation Example

Here's a comprehensive Do Not Sell implementation framework for B2B SaaS platforms:

Website Link Placement

Website Footer Structure
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
<p>Company              Legal               Resources</p>

HTML Implementation:

<footer>
  <div class="footer-section">
    <h3>Legal</h3>
    <ul>
      <li><a href="/privacy">Privacy Policy</a></li>
      <li><a href="/terms">Terms of Service</a></li>
      <li><a href="/ccpa-opt-out">Do Not Sell My Personal Information</a></li>
    </ul>
  </div>
</footer>

Opt-Out Request Form Structure

Request Type Options:
- [ ] Do not sell my information to advertising networks
- [ ] Do not share my information with marketing partners
- [ ] Do not share my information with analytics providers
- [ ] Do not use my information for data enrichment
- [ ] Opt out of all data sales and sharing

Technical Implementation Workflow

Opt-Out Request Processing Flow
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Database Schema

Customer Table Updates:

ALTER TABLE customers ADD COLUMN ccpa_opt_out BOOLEAN DEFAULT FALSE;
ALTER TABLE customers ADD COLUMN opt_out_date TIMESTAMP;
ALTER TABLE customers ADD COLUMN opt_out_categories TEXT[];
ALTER TABLE customers ADD COLUMN opt_out_verification_code VARCHAR(50);

Opt-Out Request Log:

CREATE TABLE ccpa_opt_out_requests (
  request_id UUID PRIMARY KEY,
  email VARCHAR(255),
  first_name VARCHAR(100),
  last_name VARCHAR(100),
  state VARCHAR(2),
  request_date TIMESTAMP,
  verification_date TIMESTAMP,
  processing_date TIMESTAMP,
  opt_out_categories TEXT[],
  ip_address VARCHAR(45),
  user_agent TEXT,
  status VARCHAR(50) -- pending, verified, processed, failed
);

Third-Party Integration Checklist

Advertising Platforms:
- [ ] Google Ads: Implement Customer Match suppression list for opted-out emails
- [ ] Facebook: Add opted-out users to Custom Audience exclusion list
- [ ] LinkedIn: Remove opted-out contacts from Matched Audiences
- [ ] Ad Tech Pixels: Set CCPA opt-out signals via IAB framework

Marketing Technology:
- [ ] HubSpot: Create CCPA opt-out property, exclude from workflows
- [ ] Salesforce: Add CCPA_Opt_Out__c field, validation rules on data sharing
- [ ] Segment: Implement Opt-Out API to suppress tracking events
- [ ] Email Service Providers: Add to suppression list for third-party list rentals

Data Enrichment:
- [ ] Clearbit: Exclude opted-out emails from Enrichment API requests
- [ ] ZoomInfo: Add to suppression list for batch enrichment
- [ ] Saber: Filter opted-out contacts from API queries and data responses
- [ ] LinkedIn Sales Navigator: Manual suppression list management

Compliance Monitoring Dashboard

Key Metrics to Track:
- Total opt-out requests received (monthly trend)
- Opt-out rate by traffic source (organic: 0.8%, paid: 2.1%, email: 0.3%)
- Average processing time (target: < 5 days, requirement: 15 days)
- Third-party sync failures (should be 0%)
- Opt-out categories selected (advertising: 78%, marketing partners: 45%, analytics: 32%)
- Geographic distribution (California: 89%, other states: 11%)

Privacy Policy Language

Required Disclosure:

"California residents have the right to opt out of the sale of their personal information. To exercise this right, please visit our Do Not Sell My Personal Information page. We will process your request within 15 business days and will not discriminate against you for exercising your privacy rights.

We may share personal information with the following categories of third parties: advertising networks, marketing technology platforms, data analytics providers, and data enrichment services. This sharing may constitute a 'sale' under California law."

Related Terms

• CCPA: The California Consumer Privacy Act that established the Do Not Sell right and other consumer privacy protections

• GDPR: European privacy regulation with similar but distinct opt-out and consent requirements

• Data Privacy: Broader category of policies and practices governing personal information collection and use

• Consent Management: Systems and processes for capturing, storing, and respecting user privacy preferences

• Privacy Compliance: Organizational practices ensuring adherence to privacy laws including CCPA, GDPR, and state-level regulations

• Data Subject Rights: Legal rights that individuals have regarding their personal data, including access, deletion, and opt-out rights

• Customer Data Platform (CDP): Technology that consolidates customer data and must respect opt-out preferences across all data uses

• Data Warehouse: Central repository where opt-out preferences must be enforced across analytical and operational use cases

Frequently Asked Questions

What does "Do Not Sell My Info" mean?

Quick Answer: Do Not Sell My Info is a consumer right under California's CCPA that allows individuals to prevent businesses from selling or sharing their personal information with third parties, including for advertising, marketing partnerships, or data enrichment purposes.

The CCPA defines "sale" broadly to include any disclosure of personal information to third parties for monetary or other valuable consideration. This extends beyond traditional data broker sales to include common marketing practices like sharing customer lists with advertising platforms, providing emails to co-marketing partners, or sending user data to analytics vendors. The Do Not Sell right requires businesses to provide an easy mechanism for consumers to opt out of these data sharing activities.

Who must comply with Do Not Sell requirements?

Quick Answer: Businesses must comply with CCPA's Do Not Sell requirements if they meet any of these thresholds: annual revenue over $25 million, buy/sell personal information of 100,000+ California consumers, or derive 50%+ of revenue from selling personal information.

Even if your company is based outside California, CCPA applies if you do business in California and meet the thresholds. B2B SaaS companies that serve California customers, marketing technology platforms processing California resident data, and e-commerce sites shipping to California all potentially fall under CCPA jurisdiction. When in doubt, consult privacy counsel—penalties for non-compliance can reach $7,500 per intentional violation. Additionally, several states have enacted similar laws (Virginia CDPA, Colorado CPA, Connecticut CTDPA), requiring multi-state compliance frameworks.

How is "sale" defined under CCPA?

Quick Answer: CCPA defines "sale" as selling, renting, releasing, disclosing, disseminating, making available, transferring, or communicating personal information to another business or third party for monetary or other valuable consideration.

This broad definition captures scenarios many businesses don't consider traditional sales. Sharing email addresses with Facebook for Custom Audience targeting constitutes a sale. Providing customer lists to co-marketing partners is a sale. Even allowing third-party analytics tags that use data for their own purposes may qualify. The key test is whether personal information leaves your control and provides value—monetary or otherwise—in return. Exceptions exist for service providers acting on your behalf under contract, but these require specific contractual language and restrictions on data use.

What happens if someone opts out of data sales?

When a consumer submits a Do Not Sell request, the business must stop selling their personal information within 15 business days. Practically, this means: removing them from advertising platform audience syncs, excluding them from co-marketing list shares, suppressing their data in enrichment service requests, and flagging their records in internal databases. The business must also instruct third parties who received the data to honor the opt-out. The consumer's opt-out preference must persist for at least 12 months, and the business cannot ask them to re-authorize data sales during that period. Importantly, businesses cannot discriminate—they must provide the same prices and service quality to consumers who opt out.

How do you implement Do Not Sell for B2B SaaS products?

B2B SaaS implementation requires several components: a prominent "Do Not Sell My Personal Information" link on your website and platform, a request submission form that collects and verifies user information, database fields to store opt-out preferences, integration with all third-party tools (marketing automation, advertising platforms, data enrichment services) to propagate opt-out signals, and monitoring systems to ensure compliance. Use consent management platforms like OneTrust or Osano to streamline implementation. For data-intensive platforms using services like Saber for company discovery or enrichment, implement API-level filtering that excludes opted-out contacts from data requests. Document your data flows to identify all places where "sales" occur and ensure opt-out preferences are enforced at each point.

Conclusion

Do Not Sell My Info represents a fundamental shift in how businesses must approach personal data sharing in B2B SaaS and marketing technology ecosystems. What began as California-specific legislation has evolved into a multi-state requirement that affects how companies implement advertising technology, marketing partnerships, data enrichment services, and analytics platforms. For organizations building modern go-to-market infrastructure, Do Not Sell compliance is no longer optional—it's a baseline requirement that influences technology selection, vendor management, and operational processes.

Marketing teams must rethink how they leverage third-party data and advertising platforms, ensuring that every data sharing relationship includes mechanisms to respect opt-out preferences. Sales teams working with contact-level data and enrichment services need visibility into which contacts have opted out. Revenue operations teams bear responsibility for implementing the technical infrastructure—database flags, API filters, third-party integrations—that makes compliance possible. Engineering teams must build preference propagation into every data pipeline and integration.

As privacy regulations continue expanding across states and internationally, Do Not Sell mechanisms will evolve alongside related requirements like GDPR consent and data subject rights fulfillment. Companies that approach privacy proactively—implementing clear opt-out mechanisms, respecting consumer preferences consistently, and building trust through transparency—will differentiate themselves in increasingly privacy-conscious markets. The intersection of privacy compliance and effective go-to-market execution will define competitive advantage in the next era of B2B SaaS growth.

Last Updated: January 18, 2026