CCPA §1798.135(a)(1), as strengthened by the 2023 CPRA amendment, requires a literal-text "Do Not Sell or Share My Personal Information" link (or the state-approved alternate "Your Privacy Choices" link with the official blue-white icon) in the footer of any site that "sells or shares" personal data — and under CPRA, routing any identifier (IP, device ID, cookie ID) to ads, analytics, or retargeting counts as "sharing." Sephora paid $1.2M to the California AG in 2022 for missing exactly this link, and the Connecticut, Colorado, Virginia, and Utah parallel statutes each layer additional $7,500-per-violation exposure on top. AI coding tools reliably bolt Google Analytics, PostHog, Meta Pixel, or TikTok Pixel into a Next.js layout — because "add analytics" is a two-line copy-paste — but almost never scaffold the matching opt-out link, because the obligation only triggers once the pixel is present. The quiet failure mode is a site that successfully tracks California visitors while silently accruing per-visitor violations.
High because California AG enforcement has shown a clear willingness to settle for seven figures on the missing-link vector alone, the exposure scales linearly with California visitor volume, and parallel CPA / CTDPA / CDPA regimes compound it.
Add a /privacy/opt-out (or /do-not-sell) route that handles opt-out requests (cookie drop + downstream pixel disabling), then link to it from the site footer with the exact California-approved text:
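// components/Footer.tsx
import Link from "next/link";
// Inside the footer's JSX; the link text must match the approved wording exactly.
<Link href="/privacy/opt-out">Do Not Sell or Share My Personal Information</Link>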
The alternate compliant text is "Your Privacy Choices" paired with the California blue-white opt-out icon (see oag.ca.gov/privacy/ccpa/icons-download). Deeper coverage of the full CPRA opt-out flow (global privacy control signals, sensitive PI limits, authorized agent handling) lives in the ccpa-readiness Pro audit.
project-snapshot.legal.do-not-sell-or-opt-out-link
high
package.json for: posthog-js, @vercel/analytics, @vercel/speed-insights, react-ga, react-ga4, @segment/analytics-next, mixpanel-browser, @hotjar/browser, @amplitude/*, @microsoft/clarity, next-plausible, @intercom/messenger-js-sdk, react-facebook-pixel, react-tiktok-pixel, react-linkedin-insight-tag. Also grep <script>, <Script>, and string literals for googletagmanager.com, google-analytics.com, gtag(, fbevents.js, fbq(, tiktok.com/i18n/pixel, snap.licdn.com, analytics.tiktok.com. If any match, the site is in-scope.
Then look for the opt-out link: grep the codebase for text matching /Do Not Sell( or Share)?( My Personal Information)?/i OR /Your Privacy Choices/i. Evidence locations: app/layout.tsx, app/_layout.tsx, any component file whose name matches /footer/i, or components/Footer.tsx / components/site-footer.tsx. The match must be inside a rendered link / button, not just a comment.
"No analytics or ad pixel detected — CPRA §1798.135 does not apply."
"No match for Do-Not-Sell / Privacy-Choices text in any footer or layout file."
"Tracking detected: <libraries>; opt-out link text '<exact text>' at <file>:<line>."
"Google Analytics 4 loaded via app/layout.tsx (@vercel/analytics in package.json; gtag call in app/_components/Analytics.tsx) but no 'Do Not Sell' or 'Your Privacy Choices' link found in components/Footer.tsx or app/layout.tsx."
Add a /privacy/opt-out (or /do-not-sell) route that handles opt-out requests, then link to it from the site footer with the exact California-approved text (see remediation_prose above). Deeper coverage lives in the ccpa-readiness Pro audit.
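The detection steps above, sketched as an added example (not the audit tool's own code): it takes the project as an in-memory map of path to source text, and the function names, the skip/fail/pass labels and the regex-based comment stripping are assumptions of this example. Package names, pixel strings, opt-out patterns and evidence files are the ones listed in the rule.

```javascript
// Added example, not the audit tool's own code. Lists and patterns come from the rule text.
const TRACKING_PACKAGES = ["posthog-js", "@vercel/analytics", "@vercel/speed-insights", "react-ga",
  "react-ga4", "@segment/analytics-next", "mixpanel-browser", "@hotjar/browser", "@microsoft/clarity",
  "next-plausible", "@intercom/messenger-js-sdk", "react-facebook-pixel", "react-tiktok-pixel",
  "react-linkedin-insight-tag"];
const TRACKING_STRINGS = ["googletagmanager.com", "google-analytics.com", "gtag(", "fbevents.js",
  "fbq(", "tiktok.com/i18n/pixel", "snap.licdn.com", "analytics.tiktok.com"];
const OPT_OUT_TEXT = /Do Not Sell( or Share)?( My Personal Information)?|Your Privacy Choices/i;
const EVIDENCE_FILE = /(^|\/)app\/_?layout\.tsx$|footer[^\/]*$/i;
const LINK_RE = /<(a|Link|button)\b[^>]*>([\s\S]*?)<\/\1>/g; // heuristic, not a JSX parser

// Blank out comments while keeping line numbers, so a commented-out link does not count.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, " "))
            .replace(/(^|\s)\/\/.*$/gm, "$1"); // leaves the // in URLs alone
}
function findTrackers(files) {
  const pkg = JSON.parse(files["package.json"] || "{}");
  const deps = Object.keys({ ...pkg.dependencies, ...pkg.devDependencies });
  const found = deps.filter((d) => TRACKING_PACKAGES.includes(d) || d.startsWith("@amplitude/"));
  for (const [path, src] of Object.entries(files)) {
    if (path === "package.json") continue;
    for (const s of TRACKING_STRINGS) if (src.includes(s) && !found.includes(s)) found.push(s);
  }
  return found;
}
function findOptOutLink(files) {
  for (const [path, src] of Object.entries(files)) {
    if (!EVIDENCE_FILE.test(path)) continue;
    const code = stripComments(src);
    for (const m of code.matchAll(LINK_RE)) {
      const hit = m[2].match(OPT_OUT_TEXT);
      if (hit) return { text: hit[0], file: path, line: code.slice(0, m.index).split("\n").length };
    }
  }
  return null;
}
// files: { path: source text }. The skip/fail/pass labels are this example's own.
function audit(files) {
  const trackers = findTrackers(files);
  if (trackers.length === 0) return { result: "skip", trackers, link: null };
  const link = findOptOutLink(files);
  return { result: link ? "pass" : "fail", trackers, link };
}
// Constructed sample project: GA4 in the layout, opt-out link present only inside a JSX comment.
const SAMPLE = {
  "package.json": JSON.stringify({ dependencies: { next: "14.0.0", "@vercel/analytics": "1.0.0" } }),
  "app/layout.tsx": '<Script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE" />',
  "components/Footer.tsx": '<footer>\n{/* <Link href="/privacy/opt-out">Do Not Sell</Link> */}\n</footer>',
};
console.log(audit(SAMPLE));
```

The constructed sample fails because its only opt-out text sits in a comment; replacing the footer with a rendered `<Link>` carrying the approved wording turns the result into a pass with the file and line as evidence.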