CCPA § 1798.120 and § 1798.135 require businesses that sell or share personal information to provide a conspicuous opt-out mechanism. Under CPRA, "sharing" now includes disclosing identifiers to advertising platforms for cross-context behavioral advertising — which means Facebook Pixel, Google Ads remarketing, and TikTok Pixel qualify even when no money changes hands. A footer link that only describes the right without providing an actual opt-out button is non-compliant. An opt-out preference that resets on next visit is non-compliant. Both violations expose the business to the same enforcement actions as having no opt-out at all, and class-action plaintiffs specifically look for this pattern.
High because sharing PI with advertising platforms without an operative opt-out mechanism violates CCPA § 1798.120 and subjects the business to CPPA enforcement and consumer statutory damages.
Add the required footer link and implement a persistent opt-out page at /do-not-sell. Gate every advertising pixel on the stored opt-out preference — client-side before pixels load, and server-side before any API calls to ad platforms.
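```tsx
// components/layout/footer.tsx — required link
<a href="/do-not-sell">Do Not Sell or Share My Personal Information</a>
```

```ts
// lib/analytics.ts — gate all pixels on preference
function isCCPAOptedOut(): boolean {
  if (typeof document === 'undefined') return false
  // Compare whole cookie pairs; a substring test would also match "ccpa_opt_out=10"
  const hasOptOutCookie = document.cookie.split('; ').includes('ccpa_opt_out=1')
  // globalPrivacyControl is not in TypeScript's built-in Navigator type
  const gpc =
    typeof navigator !== 'undefined' &&
    (navigator as Navigator & { globalPrivacyControl?: boolean }).globalPrivacyControl === true
  return hasOptOutCookie || gpc
}

export function loadThirdPartyPixels() {
  if (isCCPAOptedOut()) return
  // loadFacebookPixel / loadGoogleAdsRemarketing are the app's own loader functions
  loadFacebookPixel()
  loadGoogleAdsRemarketing()
}
```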
Store the preference in a one-year cookie (max-age=31536000) and, for authenticated users, persist it server-side so the opt-out survives device changes. Confirm the page works without login.
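The remediation above also calls for gating server-side before any API calls to ad platforms, which the snippets on this page do not show. The following is an added example, not code from the original page: `RequestLike`, `AdEvent`, `forwardAdEvent` and the in-memory `storedOptOuts` set are hypothetical names, and the `Sec-GPC: 1` request header is the server-visible form of the Global Privacy Control signal.

```typescript
// Added example: server-side counterpart to the client-side pixel gate.
// RequestLike, AdEvent and every function name here are hypothetical.
interface RequestLike { headers: Record<string, string | undefined> } // lower-cased names
interface AdEvent { name: string; userId?: string }

// Parse a Cookie header into exact name/value pairs, so "xccpa_opt_out=1"
// or "ccpa_opt_out=10" is never mistaken for the opt-out cookie.
function parseCookies(header: string | undefined): Map<string, string> {
  const jar = new Map<string, string>()
  for (const part of (header ?? '').split(';')) {
    const eq = part.indexOf('=')
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim())
  }
  return jar
}

// Opted out if ANY signal says so: the cookie, the Sec-GPC request header,
// or the flag stored for the signed-in user (survives device changes).
function isOptedOut(req: RequestLike, storedOptOuts: Set<string>, userId?: string): boolean {
  if (parseCookies(req.headers['cookie']).get('ccpa_opt_out') === '1') return true
  if (req.headers['sec-gpc'] === '1') return true
  return userId !== undefined && storedOptOuts.has(userId)
}

// Single choke point for server-to-server ad calls; returns whether it sent.
function forwardAdEvent(req: RequestLike, event: AdEvent, storedOptOuts: Set<string>,
                        send: (e: AdEvent) => void): boolean {
  if (isOptedOut(req, storedOptOuts, event.userId)) return false
  send(event)
  return true
}

// Constructed sample requests (not real traffic).
function runSamples(): boolean[] {
  const stored = new Set(['user-42']) // opted out earlier on another device
  const send = (_e: AdEvent): void => {} // stand-in for the ad-platform client
  const samples: Array<[RequestLike, AdEvent]> = [
    [{ headers: { cookie: 'theme=dark; ccpa_opt_out=1' } }, { name: 'Purchase' }],
    [{ headers: { 'sec-gpc': '1' } }, { name: 'Purchase' }],
    [{ headers: {} }, { name: 'Purchase', userId: 'user-42' }],
    [{ headers: { cookie: 'xccpa_opt_out=1; ccpa_opt_out=10' } }, { name: 'Purchase' }],
  ]
  return samples.map(([req, ev]) => forwardAdEvent(req, ev, stored, send))
}
console.log(runSamples())
```

Routing every ad-platform call through one function like `forwardAdEvent` keeps the check auditable: a reviewer only has to confirm that no other code path reaches the ad-platform client.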
ID: ccpa-readiness.consumer-rights.right-to-opt-out
Severity: high
What to look for: Check for an opt-out mechanism that stops the sale or sharing of personal information with third parties. Under CCPA/CPRA, "sharing" includes disclosing PI for cross-context behavioral advertising — which means analytics pixels (Facebook Pixel, Google Ads remarketing, TikTok Pixel) may constitute sharing even if no money changes hands. Look for a "Do Not Sell or Share My Personal Information" link in the website footer (required by CCPA if any selling or sharing occurs). Check whether clicking that link leads to an opt-out mechanism that works without account creation. Verify the opt-out preference is stored (cookie, server-side flag, or both) and that third-party sharing is actually gated on that preference. Check whether the opt-out is honored across sessions (persistent, not reset on next visit). Count all instances found and enumerate each.
Pass criteria: A "Do Not Sell or Share My Personal Information" link is present in the footer. The link leads to a functional opt-out mechanism that does not require account creation. Opt-out preference is stored persistently. Third-party advertising pixels and cross-context behavioral advertising sharing stops when the consumer opts out. At least 1 implementation must be confirmed.
Fail criteria: No "Do Not Sell or Share" link in the footer. The link exists but leads to a page that only describes the right without providing an opt-out mechanism. Opt-out preference is stored but third-party sharing is not actually gated on it. Opt-out preference resets on next visit.
Skip (N/A) when: The application does not sell or share personal information with third parties for any purpose (including cross-context behavioral advertising). Document specifically which third-party integrations were reviewed and why none constitute selling or sharing.
Cross-reference: The global-privacy-control check in Opt-Out Mechanisms verifies the automated signal that supplements this manual opt-out.
Detail on fail: Example: "No 'Do Not Sell or Share' link found in footer. Facebook Pixel and Google Ads remarketing tags present in layout.tsx — these constitute sharing under CPRA." or "'Do Not Sell' link present but leads to a static page describing the right with no opt-out form or button." or "Opt-out preference stored in cookie but Facebook Pixel fires unconditionally regardless of opt-out state."
Remediation: Add the footer link and implement opt-out preference gating:
```tsx
// components/layout/footer.tsx — add required link
<nav>
  <a href="/privacy">Privacy Policy</a>
  <a href="/do-not-sell">Do Not Sell or Share My Personal Information</a>
  <a href="/terms">Terms of Service</a>
</nav>
```
```tsx
// app/do-not-sell/page.tsx — opt-out page
'use client'

import { useState, useEffect } from 'react'

export default function DoNotSellPage() {
  const [optedOut, setOptedOut] = useState(false)

  useEffect(() => {
    // Compare whole cookie pairs rather than using a substring test
    setOptedOut(document.cookie.split('; ').includes('ccpa_opt_out=1'))
  }, [])

  function handleOptOut() {
    // Set persistent cookie (1 year)
    document.cookie = 'ccpa_opt_out=1; max-age=31536000; path=/; SameSite=Lax'
    // Also persist server-side if user is authenticated
    fetch('/api/privacy/opt-out', { method: 'POST' }).catch(() => {
      // The cookie set above still applies if this request fails
    })
    setOptedOut(true)
  }

  return (
    <div>
      <h1>Do Not Sell or Share My Personal Information</h1>
      <p>Under California law (CCPA/CPRA), you have the right to opt out of the
      sale or sharing of your personal information with third parties.</p>
      {optedOut ? (
        <p>You have opted out. We will not sell or share your personal information.</p>
      ) : (
        <button onClick={handleOptOut}>Opt Out of Sale/Sharing</button>
      )}
    </div>
  )
}
```
```ts
// Gate third-party pixels on opt-out preference
// lib/analytics.ts
function isCCPAOptedOut(): boolean {
  if (typeof document === 'undefined') return false
  // Compare whole cookie pairs; a substring test would also match "ccpa_opt_out=10"
  return document.cookie.split('; ').includes('ccpa_opt_out=1')
}

export function loadThirdPartyPixels() {
  if (isCCPAOptedOut()) return // Respect opt-out
  // Load Facebook Pixel, Google Ads, etc. only when not opted out
  // (loadFacebookPixel / loadGoogleAdsRemarketing are the app's own loader functions)
  loadFacebookPixel()
  loadGoogleAdsRemarketing()
}
```