CCPA "Do Not Sell" Opt-Out Link Missing or Broken

The California Privacy Protection Agency fined Tractor Supply $1.35M in September 2025 — the largest CCPA fine to date — because their "Do Not Sell" link routed to a form that didn't actually stop data selling (CPPA Final Order). Disney paid $2.75M for similar non-compliance. CCPA fines are $2,663 per negligent violation and $7,988 per intentional violation (adjusted 2024 rates).

Before You Fix It: What This Check Means

California opt-out checks review whether strong California privacy-rights signals are visible, whether privacy-choice links and GPC handling are explained clearly, and whether browser opt-out signals such as GPC appear to be honored at runtime.

Why this matters in practice: this signal influences reliability, trust, and diagnosability of your production setup.

How to use this result: treat this as directional evidence, not final truth. This result reflects what was observable at scan time and should be verified in your own production context. First, confirm the issue in live production output with browser/network tools. Then ship one controlled change: ensure opt-out links are globally visible where your data practices require them. Finally, re-scan the same URL to confirm the result improves.

TL;DR: California law requires a clear "Do Not Sell My Personal Information" link, but yours is missing, hidden, or non-functional.

What Scavo checks (plain English)

Scavo evaluates two controls:

  • LC-T6: when sale/share indicators exist, is there a visible California opt-out surface (for example "Do Not Sell or Share My Personal Information")?
  • LC-T7: if a California rights surface exists, is there text evidence that browser privacy signals (such as GPC) are recognized?

Signals Scavo uses include:

  • detected non-essential provider families (especially ads/analytics)
  • pre-consent non-essential host evidence
  • opt-out/privacy link counts
  • on-page text markers for GPC/privacy signal handling

How outcomes are assigned:

  • Fail: sale/share indicators are present but there is no opt-out surface, or a California rights surface exists with no clear browser-signal handling text where expected
  • Info/Inconclusive: signals are partial and the requirement cannot be determined confidently from page scope
  • Pass: opt-out surface and browser-signal handling evidence are both present when applicable

How Scavo scores this check

Scavo assigns one result state for this check on the tested page:

  • Pass: baseline signals for this check were found.
  • Warning: partial coverage or risk signals were found and should be reviewed.
  • Fail: required signals were missing or risky behavior was confirmed.
  • Info: Scavo could not gather enough reliable evidence on this run to score pass/fail confidently.

In your scan report, this appears under What failed / What needs attention / What is working for legal_california_opt_out, followed by Recommended next steps and Technical evidence (for developers) when needed.

  • Scan key: legal_california_opt_out
  • Category: LEGAL_COMPLIANCE

Why fixing this matters

If people cannot quickly find opt-out controls, rights exist on paper but not in practice. That creates trust damage and escalates support/compliance friction.

Operationally, this is often a routing/content ownership issue: legal text, footer links, and runtime behavior drift apart over time.

If you are not technical

  1. Open your live footer and confirm a clear California rights path exists when applicable.
  2. Ask for a screenshot/video showing the full opt-out path from first click to saved preference.
  3. Ask whether your team intentionally handles Global Privacy Control and where that is documented.
  4. Re-run Scavo on the same URL and confirm this check improves.

Technical handoff message

Copy and share this with your developer.

Scavo flagged California opt-out surface (legal_california_opt_out). Please verify opt-out link visibility where sale/share indicators exist, confirm browser privacy signal (GPC) handling text is present where required, and provide before/after evidence.

If you are technical

  1. Ensure opt-out links are globally visible where your data practices require them.
  2. Keep rights-path routing stable (no dead-end links or locale-only gaps).
  3. Add explicit, plain-language text describing browser privacy signal handling where applicable.
  4. Keep consent, privacy, and California-rights surfaces aligned across templates.
  5. Add release checks for footer/legal link regressions.

How to verify

  • Confirm opt-out link discoverability on desktop and mobile.
  • Confirm destination route is reachable and actionable.
  • Confirm GPC/privacy-signal handling statement is visible where appropriate.
  • Re-run Scavo and check control outcomes for LC-T6 and LC-T7.
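
A release check of the kind step 5 and the verification list above describe, as an added example (not Scavo's code or detection logic): it parses a rendered page, flags opt-out links whose destination is a dead end, and looks for visible GPC handling text. The phrase lists, the dead-href set, the function names and the sample footers are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed phrase lists for this example; not Scavo's actual matching rules.
OPT_OUT_RE = re.compile(r"do not sell|your privacy choices", re.I)
GPC_RE = re.compile(r"global privacy control|\bGPC\b", re.I)
DEAD_HREFS = {"", "#", "javascript:void(0)"}
# Constructed sample footers (not taken from any real site).
GOOD = ('<footer><a href="/privacy/opt-out">Do Not Sell or Share My Personal '
        'Information</a><p>We honor Global Privacy Control signals.</p></footer>')
BROKEN = ('<footer><a href="#">Do Not Sell My Personal Information</a>'
          '<script>var note = "GPC";</script></footer>')

class LinkCollector(HTMLParser):
    """Collects (href, text) for each <a> plus visible text outside script/style."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._buf, self._skip = None, [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            self._href, self._buf = (dict(attrs).get("href") or "").strip(), []

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._buf).split())))
            self._href = None

    def handle_data(self, data):
        if not self._skip:  # script/style bodies are not user-visible text
            self.text.append(data)
            if self._href is not None:
                self._buf.append(data)

def check_page(html):
    """Release gate: opt-out link present and live, GPC handling text visible."""
    p = LinkCollector()
    p.feed(html)
    p.close()
    opt_out = [(h, t) for h, t in p.links if OPT_OUT_RE.search(t)]
    dead = [t for h, t in opt_out if h.lower() in DEAD_HREFS]
    return {"opt_out_link": bool(opt_out) and not dead,
            "gpc_text": bool(GPC_RE.search(" ".join(p.text))),
            "dead_links": dead}
```

Static parsing only shows that the link and the statement are present in the markup; whether the destination actually records the opt-out still needs the end-to-end path check described above.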

What this scan cannot confirm

  • It does not replace legal advice or jurisdiction-specific counsel.
  • It is page-scope automation; full multi-route legal review still matters.
  • It cannot infer off-site data-sharing agreements not visible in runtime/page content.

Owner checklist

  • [ ] Assign one owner for California rights UX and link integrity.
  • [ ] Keep rights text and runtime behavior reviewed together.
  • [ ] Revalidate after CMP, footer, or policy-page changes.
  • [ ] Keep a short internal note on GPC handling intent.

FAQ

It depends on your actual data practices and applicability. This check focuses on observable risk signals and user-surface readiness, not legal determinations.

Why does Scavo care about GPC text?

Because browser-level privacy signals are a practical part of modern California rights operations, and missing handling language can indicate implementation gaps.

Can this fail even if we have a privacy policy?

Yes. A generic privacy policy is not the same as a clear, actionable California opt-out path.

Yes. This is a cross-functional control: UX, policy language, and technical enforcement all need alignment.


This guide is operational guidance, not legal advice.
