$ cat blog/do-i-need-do-not-sell-my-info-link.md

Do I Need a 'Do Not Sell My Info' Link? CCPA for Indie Founders

If you have California users and run ad or analytics tools that share data, you probably need a 'Your Privacy Choices' link, even if you do not think you 'sell' anything. Here is the plain version.

saasreview·June 16, 2026·5 min read

If you have California users and your site runs advertising pixels or analytics that pass data to third parties, you probably need a 'Your Privacy Choices' link, even though you do not think of yourself as selling anything. The catch is the definition. Under California's privacy law (CCPA, as amended by CPRA), 'sale' and 'sharing' are written broadly enough that handing visitor data to an ad network or some analytics tools can count, with no money involved.

Does this actually apply to me?

It applies if you have California users and you 'sell' or 'share' personal information as the law defines it. For a small SaaS, the trigger is usually the trackers you added without thinking about it.

  • Meta Pixel, TikTok, Google Ads remarketing, and similar pass identifiers to ad platforms. That is typically 'sharing' for cross-context advertising.
  • Some analytics setups that feed third parties can count too, depending on configuration.
  • Just an email signup and privacy-respecting, first-party analytics? You may not trigger the 'sale/share' rules, though you still need a privacy policy and to honor data requests.

What do I have to do?

  1. 1.Add a clear opt-out link titled 'Your Privacy Choices' or 'Do Not Sell or Share My Personal Information', usually in the footer, and wire it to actually stop the sharing for that visitor.
  2. 2.Honor Global Privacy Control. GPC is a browser signal that says 'opt me out'. California requires you to treat it as a valid opt-out, automatically. Most consent platforms can do this once enabled.
  3. 3.Have a privacy policy that lists what you collect, the categories you share, and the rights Californians have (to know, delete, correct, and opt out), with a way to use them.

//It is not just California anymore

Virginia, Colorado, Connecticut, Texas, Oregon and a growing list of states have their own privacy laws with overlapping rights. The good news: the externally visible essentials are similar, a real privacy policy, a way to exercise rights, and respecting opt-out signals, so fixing for California covers most of the others.

How do I check my site?

Look in your footer for a 'Your Privacy Choices' or 'Do Not Sell or Share' link. If you run ad or analytics trackers and there is none, that is the gap. Then check whether your privacy policy spells out consumer rights and how to use them. The Compliance check detects ad and analytics tracking on your site, checks for the opt-out link, tests whether the GPC signal is honored, and reviews your policy for the required rights, all in one private report with the rule behind each finding.

Selling to people in the US? Run a Compliance check to see if your 'Your Privacy Choices' link and opt-out handling are in place.

Run a Compliance check
// faq

Frequently asked questions

Do I need a 'Do Not Sell' link if I don't sell data?

Possibly yes. California defines 'sale' and 'sharing' broadly enough that passing data to ad or analytics partners can count, even for free. If you run ad pixels or cross-context tracking and have California users, you likely need a 'Your Privacy Choices' opt-out link even though no money changes hands.

What is the Global Privacy Control and do I have to honor it?

GPC is a browser setting that automatically signals a user's choice to opt out of the sale or sharing of their data. California requires businesses subject to its opt-out rules to treat GPC as a valid request and act on it. Many consent tools can honor it automatically once enabled.

Does CCPA apply to small businesses?

CCPA has thresholds (revenue and data-volume), so the smallest sites may fall under them, but the bar is lower than many founders think, especially the threshold tied to handling data about large numbers of consumers. Other state laws have their own thresholds. The safe move is to add the basics, since they are cheap and overlap across states.

Is CCPA different from GDPR?

Yes. GDPR is the EU and UK regime built around consent and a broad set of rights. CCPA and other US state laws focus more on transparency and the right to opt out of sale or sharing. If you have both EU and US users, you need to satisfy both, which a region-scoped compliance scan can check at once.

Check your US privacy basics

A Compliance check detects your trackers, looks for the opt-out link, tests GPC, and reviews your policy for the required rights, privately, with the rule behind each issue.

Run a Compliance check
$ ls related/

Keep reading

Compliance for people who built with AIguide

Does My SaaS Need to Be GDPR Compliant?

If anyone in the EU or UK can sign up for your app, the short answer is yes. Here is what that actually means for a small, AI-built SaaS, in plain English, and how to find the gaps before a regulator or a demand letter does.

June 16, 2026·8 min readread →
Compliance for people who built with AI

Do I Need a Cookie Consent Banner?

If you have EU or UK visitors and you run analytics or ads, yes, and it has to ask before anything tracks. Here is what a correct banner does, and the version that quietly breaks the rules.

June 16, 2026·5 min readread →
Compliance for people who built with AI

What the EU AI Act Means for Your AI App or Chatbot

Most indie AI apps are not 'high-risk', so the heavy rules will not hit you. But one rule almost certainly does: if users talk to an AI, you have to tell them. Here is the plain version.

June 16, 2026·5 min readread →

We put every SaaS through the same honest scorecard, then publish the result.

Browse independent reviewsHow we score →
Published on saasreview.ai · last updated June 16, 2026