Subscribe to the Non-Human & AI Identity Journal

Do Not Sell Or Share

A California consumer right that lets individuals opt out of the sale of their personal information and, under the amended law, certain sharing for cross-context behavioural advertising. Practically, it requires businesses to expose a clear choice and ensure the decision is honoured across connected systems and third parties.

Expanded Definition

“Do Not Sell Or Share” is a consumer privacy choice under California law that gives individuals a way to stop certain disclosures of personal information, including some forms of cross-context behavioural advertising. In practice, the term is broader than a simple marketing preference because it affects how data moves through consent banners, tag managers, adtech integrations, analytics tools, data brokers, and downstream service providers.

Usage in the industry is still evolving because many organisations treat sale, sharing, disclosure, and service-provider processing as interchangeable when they are not. The operational question is not just whether data is transferred, but whether the transfer fits a legal exception and whether the consumer’s choice is preserved across systems. For that reason, privacy engineering teams often need to align legal logic, identity resolution, and enforcement workflows so the opt-out is honoured consistently. Guidance from the NIST Cybersecurity Framework 2.0 is useful here because it emphasises governance, asset visibility, and control enforcement across connected environments.

The most common misapplication is treating a homepage preference link as sufficient, which occurs when organisations fail to propagate the opt-out to adtech partners, shared databases, and event-stream pipelines.

Examples and Use Cases

Implementing Do Not Sell Or Share rigorously often introduces consent-resolution complexity, requiring organisations to balance user choice against attribution, advertising measurement, and data minimisation goals.

  • A consumer clicks a “Do Not Sell Or Share My Personal Information” link, and the site must suppress adtech tags that would otherwise transmit identifiers for behavioural advertising.
  • A business receives the opt-out through a preference centre and must synchronise that choice to CRM, CDP, analytics, and downstream enrichment services so the same record is not re-used elsewhere.
  • A publisher uses vendor scripts for audience targeting and must distinguish between first-party operational use and third-party sharing that may trigger the consumer right.
  • A company relies on a service provider exception and must contractually and technically ensure the recipient does not repurpose the data outside the permitted scope, consistent with privacy guidance from the NIST Cybersecurity Framework 2.0.
  • An organisation enables browser-based opt-out signals and must confirm the signal is recognised across web properties, mobile apps, and connected identity systems.

These use cases show that the term is not just a notice requirement. It is an enforcement requirement that depends on technical controls, vendor coordination, and durable preference storage.

Why It Matters for Security Teams

Security and privacy teams need to understand Do Not Sell Or Share because failures often surface as compliance gaps, weak data governance, and uncontrolled third-party exposure. The risk is not limited to regulatory penalties. A missed opt-out can reveal where data flows are undocumented, where vendor controls are weak, and where identity-linked tracking is more extensive than the organisation can justify. In modern environments, this overlaps with NHI governance because tracking pixels, API tokens, and automation accounts may move consumer data without clear ownership or review. Teams working under the NIST Cybersecurity Framework 2.0 can map this right to governance, protection, and third-party risk practices rather than treating it as a standalone legal checkbox.

When organisations ignore the operational side of the right, they usually discover the problem only after a complaint, audit, or incident review, at which point suppression, correction, and vendor remediation become operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST SP 800-63 set the technical controls, and GDPR define the regulatory obligations.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.OV-01 Governs privacy-related oversight and accountability for data handling.
NIST SP 800-53 Rev 5 PT-4 Addresses privacy notice and consent handling for personal information processing.
NIST SP 800-63 Identity assurance matters when consumer preferences must map to the right person.
GDPR Provides a regulatory contrast for lawful processing and objection rights.
OWASP Non-Human Identity Top 10 NHI governance is relevant where automation and tokens move consumer data to third parties.

Limit automation accounts and shared secrets so opt-out data is not leaked through uncontrolled integrations.