Consumers can opt out of sale or sharing of personal information
Why it matters
CCPA § 1798.120 and § 1798.135 require businesses that sell or share personal information to provide a conspicuous opt-out mechanism. Under CPRA, "sharing" now includes disclosing identifiers to advertising platforms for cross-context behavioral advertising — which means Facebook Pixel, Google Ads remarketing, and TikTok Pixel qualify even when no money changes hands. A footer link that only describes the right without providing an actual opt-out button is non-compliant. An opt-out preference that resets on next visit is non-compliant. Both violations expose the business to the same enforcement actions as having no opt-out at all, and class-action plaintiffs specifically look for this pattern.
Severity rationale
High because sharing PI with advertising platforms without an operative opt-out mechanism violates CCPA § 1798.120 and subjects the business to CPPA enforcement and consumer statutory damages.
Remediation
Add the required footer link and implement a persistent opt-out page at /do-not-sell. Gate every advertising pixel on the stored opt-out preference — client-side before pixels load, and server-side before any API calls to ad platforms.
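// components/layout/footer.tsx — required link
<a href="/do-not-sell">Do Not Sell or Share My Personal Information</a>

// lib/analytics.ts — gate all pixels on preference
// loadFacebookPixel and loadGoogleAdsRemarketing are the app's own pixel loaders, defined elsewhere.
function isCCPAOptedOut(): boolean {
  // No document during server-side rendering
  if (typeof document === 'undefined') return false
  // Match the exact cookie name and value, not a substring of another cookie
  const hasOptOutCookie = document.cookie
    .split(';')
    .some((c) => c.trim() === 'ccpa_opt_out=1')
  // globalPrivacyControl may be missing from TypeScript's DOM typings, hence the cast
  const gpcEnabled =
    typeof navigator !== 'undefined' &&
    (navigator as Navigator & { globalPrivacyControl?: boolean }).globalPrivacyControl === true
  return hasOptOutCookie || gpcEnabled
}

export function loadThirdPartyPixels() {
  if (isCCPAOptedOut()) return // Respect opt-out: load nothing
  loadFacebookPixel()
  loadGoogleAdsRemarketing()
}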
Store the preference in a one-year cookie (max-age=31536000) and, for authenticated users, persist it server-side so the opt-out survives device changes. Confirm the page works without login.
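The server-side half of the gate described above, as an added example that is not part of the original page. `sharingDecision`, `sendIfAllowed`, `OptOutStore` and the sample store are hypothetical names; `Sec-GPC: 1` is the request header a browser sends when Global Privacy Control is enabled, and header names are assumed to be lowercased as in Node's `req.headers`.

```typescript
// Added example: server-side opt-out gate. All names here are hypothetical.
// Header names are assumed lowercased, as in Node's req.headers.
type RequestHeaders = Record<string, string | undefined>

// Assumed persistence layer holding the opt-out flag for authenticated users.
interface OptOutStore {
  isOptedOut(userId: string): boolean
}

type SharingDecision = { share: boolean; reason: string }

// Exact-name lookup in a raw Cookie header, so "ccpa_opt_out=10" or
// "not_ccpa_opt_out=1" is never mistaken for the opt-out cookie.
function cookieValue(header: string | undefined, name: string): string | undefined {
  for (const part of (header ?? '').split(';')) {
    const eq = part.indexOf('=')
    if (eq === -1) continue
    if (part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim()
  }
  return undefined
}

// Any one opt-out signal is enough to block sharing for this request.
function sharingDecision(
  headers: RequestHeaders,
  userId: string | null,
  store: OptOutStore,
): SharingDecision {
  if (headers['sec-gpc'] === '1') return { share: false, reason: 'gpc' }
  if (cookieValue(headers['cookie'], 'ccpa_opt_out') === '1') return { share: false, reason: 'cookie' }
  if (userId !== null && store.isOptedOut(userId)) return { share: false, reason: 'account' }
  return { share: true, reason: 'no-opt-out' }
}

// Route every server-side ad-platform call through this wrapper so the
// call cannot happen without the check. `send` stands in for that call.
function sendIfAllowed(
  headers: RequestHeaders,
  userId: string | null,
  store: OptOutStore,
  send: () => void,
): SharingDecision {
  const decision = sharingDecision(headers, userId, store)
  if (decision.share) send()
  return decision
}

// Constructed sample: user-42 opted out earlier on another device.
const sampleStore: OptOutStore = { isOptedOut: (id) => id === 'user-42' }
```

Logging the returned `reason` alongside each suppressed call gives an audit trail showing which signal blocked the share.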
Detection
- ID: right-to-opt-out
- Severity: high
- What to look for: Check for an opt-out mechanism that stops the sale or sharing of personal information with third parties. Under CCPA/CPRA, "sharing" includes disclosing PI for cross-context behavioral advertising — which means analytics pixels (Facebook Pixel, Google Ads remarketing, TikTok Pixel) may constitute sharing even if no money changes hands. Look for a "Do Not Sell or Share My Personal Information" link in the website footer (required by CCPA if any selling or sharing occurs). Check whether clicking that link leads to an opt-out mechanism that works without account creation. Verify the opt-out preference is stored (cookie, server-side flag, or both) and that third-party sharing is actually gated on that preference. Check whether the opt-out is honored across sessions (persistent, not reset on next visit). Count all instances found and enumerate each.
- Pass criteria: A "Do Not Sell or Share My Personal Information" link is present in the footer. The link leads to a functional opt-out mechanism that does not require account creation. Opt-out preference is stored persistently. Third-party advertising pixels and cross-context behavioral advertising sharing stops when the consumer opts out. At least 1 implementation must be confirmed.
- Fail criteria: No "Do Not Sell or Share" link in the footer. The link exists but leads to a page that only describes the right without providing an opt-out mechanism. Opt-out preference is stored but third-party sharing is not actually gated on it. Opt-out preference resets on next visit.
- Skip (N/A) when: The application does not sell or share personal information with third parties for any purpose (including cross-context behavioral advertising). Document specifically which third-party integrations were reviewed and why none constitute selling or sharing.
- Cross-reference: The global-privacy-control check in Opt-Out Mechanisms verifies the automated signal that supplements this manual opt-out.
- Detail on fail: Example: "No 'Do Not Sell or Share' link found in footer. Facebook Pixel and Google Ads remarketing tags present in layout.tsx — these constitute sharing under CPRA." or "'Do Not Sell' link present but leads to a static page describing the right with no opt-out form or button." or "Opt-out preference stored in cookie but Facebook Pixel fires unconditionally regardless of opt-out state.".
- Remediation: Add the footer link and implement opt-out preference gating:
// components/layout/footer.tsx — add required link
<nav>
  <a href="/privacy">Privacy Policy</a>
  <a href="/do-not-sell">Do Not Sell or Share My Personal Information</a>
  <a href="/terms">Terms of Service</a>
</nav>

// app/do-not-sell/page.tsx — opt-out page
'use client'
import { useState, useEffect } from 'react'

// True only for the exact cookie ccpa_opt_out=1, not a substring of another cookie
function hasOptOutCookie(): boolean {
  return document.cookie.split(';').some((c) => c.trim() === 'ccpa_opt_out=1')
}

export default function DoNotSellPage() {
  const [optedOut, setOptedOut] = useState(false)

  useEffect(() => {
    setOptedOut(hasOptOutCookie())
  }, [])

  function handleOptOut() {
    // Set persistent cookie (1 year)
    document.cookie = 'ccpa_opt_out=1; max-age=31536000; path=/; SameSite=Lax'
    // Also persist server-side if user is authenticated
    fetch('/api/privacy/opt-out', { method: 'POST' })
    setOptedOut(true)
  }

  return (
    <div>
      <h1>Do Not Sell or Share My Personal Information</h1>
      <p>Under California law (CCPA/CPRA), you have the right to opt out of the sale or sharing of your personal information with third parties.</p>
      {optedOut ? (
        <p>You have opted out. We will not sell or share your personal information.</p>
      ) : (
        <button onClick={handleOptOut}>Opt Out of Sale/Sharing</button>
      )}
    </div>
  )
}

// Gate third-party pixels on opt-out preference
// lib/analytics.ts
function isCCPAOptedOut(): boolean {
  if (typeof document === 'undefined') return false
  // Exact cookie match, same rule as on the opt-out page
  return document.cookie.split(';').some((c) => c.trim() === 'ccpa_opt_out=1')
}

export function loadThirdPartyPixels() {
  if (isCCPAOptedOut()) return // Respect opt-out
  // Load Facebook Pixel, Google Ads, etc. only when not opted out
  loadFacebookPixel()
  loadGoogleAdsRemarketing()
}
External references
- ccpa · §1798.120 — Right to opt out of sale or sharing of personal information
- ccpa · §1798.135 — Opt-out of sale — required "Do Not Sell or Share" link
- eprivacy · Art. 5(3) — ePrivacy — consent for tracking and behavioral advertising
- gdpr · Art. 21 — Right to object to processing
History
- 2026-04-18·v1.0.0·Initial import from ccpa-readiness·automated