Implementing Opt-Out Mechanisms

The CCPA requires businesses to provide consumers with accessible methods to exercise their privacy rights, including opting out of the sale or sharing of personal information and limiting the use of sensitive personal information. This guide walks through the technical and procedural requirements for implementing compliant opt-out mechanisms.

Step 1: Determine Your Opt-Out Implementation Approach

Businesses must choose between two primary implementation methods under Section 1798.135:

Option A: Website Links (Subdivision a)

  • Provide clear and conspicuous links on your homepage
  • Implement dedicated web pages for consumer opt-out requests
  • Manage opt-out requests through your own infrastructure

Option B: Opt-Out Preference Signals (Subdivision b)

  • Respond to automated opt-out signals sent by browsers or platforms
  • Follow technical specifications adopted by the CPPA under Section 1798.185(a)(19)
  • Optionally provide a consent web page for consumers to override the signal

Important: A business may elect whether to comply with subdivision (a) or subdivision (b) and is not required to comply with both. In particular, a business that complies with subdivision (a) is not required to comply with subdivision (b).

Step 2: Implement Required Homepage Links (If Using Option A)

If you choose Option A, your business must provide accessible links on your internet homepage:

Required Links

  1. "Do Not Sell or Share My Personal Information"

    • Must link to a web page enabling consumers to opt out of sales/sharing
    • Required if your business sells or shares personal information
  2. "Limit the Use of My Sensitive Personal Information"

    • Must link to a web page for limiting sensitive PI use
    • Required if you use/disclose sensitive PI beyond Section 1798.121(a) purposes
  3. Combined Link Option

    • You may use a single, clearly labeled link instead of separate links
    • Must easily allow both opt-out and limitation actions

Link Requirements

  • Links must be clear and conspicuous on your homepage
  • Cannot require account creation or additional unnecessary information
  • Must be reasonably accessible to consumers

California-Specific Homepage Option: You may maintain a separate homepage dedicated to California consumers that includes the required links, provided you take reasonable steps to ensure California consumers are directed to this page rather than your general public homepage (Section 1798.135(d)).

Step 3: Configure Opt-Out Preference Signal Support (If Using Option B)

If you choose Option B, implement technical capabilities to:

  1. Detect Opt-Out Preference Signals

    • Recognize signals sent by platforms, technologies, or mechanisms
    • Follow technical specifications in CPPA regulations (Section 1798.185(a)(19))
    • Process signals indicating consumer intent to opt out of sale/sharing or limit sensitive PI use
  2. Honor Consumer Signals

    • Apply opt-out preferences automatically upon signal receipt
    • Process signals that are sent with the consumer's consent
  3. Optional Consent Web Page

    • You may provide a link allowing consumers to consent to ignoring the signal
    • If implemented, the consent page must:
      • Allow consumers to revoke consent as easily as it's provided
      • Not degrade the consumer experience on the intended destination page
      • Maintain similar look, feel, and size relative to other links
      • Comply with technical specifications in CPPA regulations

Step 4: Build Request Submission Infrastructure

Under Section 1798.130, you must provide two or more designated methods for consumers to submit requests:

Minimum Required Methods

  1. Toll-free telephone number (all businesses)
  2. Additional method(s) of your choice (email, web form, mail, etc.)

Online-Only Business Exception: If you operate exclusively online and have a direct relationship with consumers, you may provide only an email address for requests.

Website Requirement

If you maintain an internet website, you must make it available for submitting:

  • Information access requests (Sections 1798.110, 1798.115)
  • Deletion requests (Section 1798.105)
  • Correction requests (Section 1798.106)

Request Processing Requirements

Do not:

  • Require consumers to create an account to submit requests
  • Request additional information beyond what is necessary
  • Use consumer information from opt-out requests for unrelated purposes

Do:

  • Allow consumers with existing accounts to use those accounts for requests
  • Require reasonable authentication based on the nature of personal information requested
  • Direct consumers to exercise rights through appropriate channels

Step 5: Process Opt-Out Requests

Once you receive an opt-out request:

Immediate Actions

  1. Stop Sale/Sharing or Sensitive PI Use

    • Refrain from selling or sharing the consumer's personal information
    • Stop using or disclosing sensitive PI beyond authorized purposes
    • Apply restrictions immediately upon receiving the request
  2. Communicate to Authorized Persons

    • If you've authorized others to collect personal information, communicate the opt-out request to them
    • Those persons must thereafter only use the consumer's PI for:
      • Specific business purposes you've specified
      • Purposes otherwise permitted by the CCPA
    • They are prohibited from selling/sharing or using the PI outside the direct business relationship

Data Use Restrictions

Personal information collected in connection with opt-out requests must be used solely for the purposes of complying with the opt-out request (Section 1798.135(c)(6)).

12-Month Reask Restriction

After processing an opt-out request:

  • Wait at least 12 months before requesting the consumer to authorize sale/sharing again
  • Wait at least 12 months before requesting authorization for additional sensitive PI uses
  • Follow any extended timelines prescribed by CPPA regulations

Special Rule for Minors Under 16: If a consumer under 16 does not consent to sale/sharing, wait at least 12 months before requesting consent again, as authorized by regulations, or until the consumer turns 16 (Section 1798.135(c)(5)).
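
The signal detection in Step 3 and the request handling in Step 5 can be sketched server-side as follows. This is an added example, not part of the original guide or of any CPPA specification. It assumes the signal is the Global Privacy Control `Sec-GPC: 1` request header, which the guide does not name; `OptOutStore`, `handle_request` and the consumer identifiers are hypothetical, and 12 months is modelled as 365 days.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumption: the opt-out preference signal is the GPC header "Sec-GPC: 1".
GPC_HEADER = "sec-gpc"
# "At least 12 months"; lengthen if regulations prescribe a longer period.
REASK_WINDOW = timedelta(days=365)

@dataclass
class OptOutStore:
    """Hypothetical in-memory store keyed by a consumer or device identifier."""
    records: dict = field(default_factory=dict)

    def record_opt_out(self, consumer_id, source, now):
        # Conservative choice: every repeated signal restarts the re-ask window.
        self.records[consumer_id] = {"source": source, "at": now}

    def is_opted_out(self, consumer_id):
        return consumer_id in self.records

    def may_reask(self, consumer_id, now):
        rec = self.records.get(consumer_id)
        return rec is None or now - rec["at"] >= REASK_WINDOW

def has_opt_out_signal(headers):
    """HTTP header names are case-insensitive; only the value "1" opts out."""
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False

def handle_request(headers, consumer_id, store, now):
    """Apply the signal on receipt and return flags downstream code must obey."""
    if has_opt_out_signal(headers):
        store.record_opt_out(consumer_id, "preference-signal", now)
    opted_out = store.is_opted_out(consumer_id)
    return {
        # Gate every sale/sharing data flow (ad tags, partner feeds) on this flag.
        "allow_sale_or_sharing": not opted_out,
        # Only prompt for re-authorization once the window has elapsed.
        "show_reauthorization_prompt": opted_out and store.may_reask(consumer_id, now),
    }

if __name__ == "__main__":
    store = OptOutStore()
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed sample times
    print(handle_request({"Sec-GPC": "1"}, "consumer-1", store, t0))
    print(handle_request({}, "consumer-1", store, t0 + timedelta(days=100)))
    print(handle_request({}, "consumer-1", store, t0 + timedelta(days=365)))
```

The opt-out persists after the header stops arriving, so a later request without the signal still blocks sale/sharing.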

Step 6: Support Authorized Agent Opt-Outs

Consumers may authorize another person to submit opt-out requests on their behalf.

Authorized Agent Requirements

  • Accept opt-out requests from authorized agents
  • Comply with requests received from persons authorized to act on the consumer's behalf
  • Recognize opt-out preference signals as a form of authorized representation
  • Follow regulations adopted by the Attorney General regarding authorized agents

Applies Regardless of Implementation Method: You must comply with authorized agent requests whether you've elected Option A or Option B (Section 1798.135(e)).

Step 7: Update Privacy Policy Disclosures

Your online privacy policy (or California-specific privacy description) must include:

Required Disclosures

  1. Consumer Rights Description

    • Describe rights under Sections 1798.120 and 1798.121
    • Explain opt-out and limitation rights
  2. Links or Statements

    • Separate link to "Do Not Sell or Share My Personal Information" page
    • Separate link to "Limit the Use of My Sensitive Personal Information" page
    • OR a single link to both choices
    • OR a statement that you respond to opt-out preference signals per subdivision (b)
  3. Categories Disclosed (if applicable)

    • List categories of PI sold or shared in the preceding 12 months
    • Use enumerated categories from Section 1798.140(c)
    • If none sold/shared, prominently disclose that fact

Update Frequency

Update privacy policy information at least once every 12 months (Section 1798.130(a)(5)).

Step 8: Train Responsible Personnel

All individuals responsible for handling consumer inquiries about privacy practices or CCPA compliance must be informed of:

  • All requirements in Sections 1798.120, 1798.121, and 1798.135
  • How to direct consumers to exercise their rights under these sections
  • Procedures for processing opt-out and limitation requests

This training requirement applies to both customer service representatives and privacy compliance staff (Sections 1798.130(a)(6) and 1798.135(c)(3)).

Step 9: Implement Verification Procedures

For requests requiring verification (access, deletion, correction):

Response Timeline

  1. Initial 45-Day Period

    • Disclose/deliver information, correct inaccurate PI, or delete PI free of charge
    • Promptly determine whether request is verifiable
    • Verification process does not extend the 45-day response duty
  2. 45-Day Extension (If Necessary)

    • May extend once by an additional 45 days when reasonably necessary
    • Must provide notice of extension within the first 45-day period
    • Total maximum response time: 90 days

Verification Standards

  • Require authentication that is reasonable in light of the nature of personal information requested
  • Do not require account creation to make a verifiable request
  • May require consumers with existing accounts to use those accounts
  • Use verification information solely for verification purposes
  • Do not further disclose, retain longer than necessary, or use for unrelated purposes

Delivery Methods

Deliver disclosed information:

  • Through consumer's account (if they maintain one with your business)
  • By mail or electronically at consumer's option (if no account)
  • In a readily useable format allowing transmission to another entity without hindrance
  • In a structured, commonly used, machine-readable format (to the extent technically feasible)

Step 10: Prepare for Browser Opt-Out Requirements (Effective January 1, 2027)

Note: Section 1798.136 becomes operative on January 1, 2027.

If your business develops or maintains a browser, you must:

Browser Functionality Requirements

  1. Include Configurable Opt-Out Functionality

    • Enable the browser to send opt-out preference signals to businesses
    • Make functionality easy for a reasonable person to locate and configure
  2. Public Disclosures

    • Explain how the opt-out preference signal works
    • Describe the intended effect of the signal
    • Make disclosures clear to consumers

Definitions (Section 1798.136(e))

  • Browser: An interactive software application used by consumers to locate, access, and navigate internet websites
  • Opt-out preference signal: A signal complying with the CCPA that communicates the consumer's choice to opt out of sale and sharing of personal information

Non-Liability Protection

Businesses that develop/maintain compliant browsers are not liable for violations by businesses that receive the opt-out preference signal.

The CPPA may adopt regulations to implement and administer these browser requirements (Section 1798.136(c)).


Next Steps

After implementing opt-out mechanisms, ensure your business complies with:

For information on consequences of non-compliance, see Penalties and Damages.