TL;DR: California’s CCPA as amended now extends the “Do Not Sell or Share My Personal Information” right to sharing for cross-context behavioural advertising, requires clear opt-out links and downstream honouring of consumer choices, according to OneTrust. The practical challenge is governance, not just page design: privacy teams must operationalise preference capture, vendor enforcement, and auditable records across data flows.
NHIMG editorial — based on content published by OneTrust: Navigating the CCPA As Amended “Do Not Sell or Share” Requirement
Questions worth separating out
Q: How should organisations operationalise CCPA Do Not Sell or Share requests across systems?
A: Organisations should map every place personal information is sold or shared, then connect the opt-out workflow to downstream systems that consume that data.
Q: Why do CCPA opt-out programmes fail in practice?
A: They usually fail because the preference is captured in one interface but not propagated through the rest of the data stack.
Q: How do security and privacy teams know if opt-out enforcement is actually working?
A: They should test whether the opt-out state is visible in every system that can activate, enrich, or share the data.
Practitioner guidance
- Map sale and sharing pathways end to end Identify every system that receives, enriches, or redistributes personal information, then mark where CCPA opt-out or sharing restrictions must apply.
- Treat opt-out links as enforced control points Validate that homepage and data collection page links do more than collect requests by testing how the opt-out state propagates into connected platforms, preference stores, and downstream exports.
- Separate sensitive data rules from general consent rules Create distinct policy handling for sensitive personal information, including geolocation, biometrics, health-related data, and protected identifiers.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- The specific wording and placement patterns for homepage and data-collection-page opt-out links.
- The article’s practical guidance on handling browser-based signals such as GPC in a privacy workflow.
- The vendor’s recommended way to align notices, vendor management, and recordkeeping for CPRA compliance.
- The detailed privacy automation functions OneTrust maps to consent and preference management.
👉 Read OneTrust’s guidance on California’s Do Not Sell or Share requirement →
CCPA Do Not Sell or Share changes: what privacy teams need to know?
Explore further
Preference enforcement is a governance control, not a privacy formality. The article shows that modern opt-out handling depends on the same discipline as identity lifecycle management: capture state, propagate it, enforce it, and prove it later. When consumer choice is not reflected across connected systems, compliance fails at the point of use rather than at the point of notice. Practitioners should treat preference state as a governed control, not a static record.
A question worth separating out:
Q: Who is accountable when a consumer opt-out is not honoured?
A: Accountability sits with the business that collects and shares the data, even when third-party platforms help process it. Teams should assign ownership across privacy, legal, marketing, and data operations, then document which systems must enforce the choice so gaps do not become ambiguous during audit or enforcement.
👉 Read our full editorial: CCPA Do Not Sell or Share rules sharpen privacy governance