Introduction

If you've ever clicked a "Do Not Sell My Personal Information" link at the bottom of a website, you've exercised an opt-out right. But here's what many people don't realize: there are multiple distinct types of opt-out under U.S. privacy law, and knowing the difference matters enormously.

Opting out of "sale" is not the same as opting out of "sharing." Opting out of "targeted advertising" is not the same as opting out of "profiling." Companies exploit this confusion β€” intentionally or not β€” to continue using your data in ways you probably don't want, even after you've clicked an opt-out button.

This guide breaks down every major opt-out right in U.S. data privacy law so you know exactly what you're doing β€” and what you're not β€” every time you click that button.

1. Opt Out of Sale of Personal Data

Definition: The right to prevent a business from selling your personal information to third parties in exchange for monetary or other valuable consideration.

This was the original opt-out right created by California's CCPA in 2020. The "Do Not Sell My Personal Information" link you see on California-compliant websites invokes this right. When you opt out of sale, the business cannot transfer your personal data to another company in a commercial transaction.

What it covers: Direct financial transactions involving your data. A company selling your email list to an advertiser. A data broker selling your profile to a lender.

What it may NOT cover: Sharing your data with service providers who help run their website, disclosures required by law, and β€” under some interpretations β€” behavioral advertising through advertising networks (this led to the creation of a separate opt-out right).

States with this right: California, Virginia, Colorado, Connecticut, Texas, Florida, Montana, Oregon, Delaware, Iowa, New Hampshire, Nebraska, New Jersey, and most other states with comprehensive privacy laws.

2. Opt Out of Sharing for Cross-Context Behavioral Advertising

Definition: The right (added by California's CPRA in 2023) to prevent a business from sharing your data with third parties for the purpose of targeting you with ads based on your activity across different websites and apps.

This right was created because many privacy advocates (and the California AG) argued that targeted advertising through platforms like Google and Meta technically wasn't a "sale" under the original CCPA β€” because no money directly changed hands between the website and the ad platform in a data-for-dollars transaction. The CPRA closed this loophole by creating a separate right to opt out of "sharing."

Why it matters: When you visit a news site and then see ads for something you searched on a different site, that's cross-context behavioral advertising. This opt-out prevents that tracking and targeting.

States with this right: California (CPRA), Colorado (CPA), Connecticut (CTDPA), and others. Virginia's CDPA covers this under opt-out of "targeted advertising."

3. Opt Out of Targeted Advertising

Definition: The right to prevent a business from processing your personal data to show you advertisements selected based on your predicted preferences or behavior β€” particularly across different websites and services.

Many state privacy laws outside California use the term "targeted advertising" instead of "sharing." Under Virginia's CDPA, Colorado's CPA, and most other state laws, consumers can opt out of having their data processed for targeted advertising purposes.

What this means practically: Opting out of targeted advertising should stop a company from using your browsing history, purchase history, or inferred interests to serve you personalized ads. You'd still see ads β€” just not ads targeted specifically to you based on your data.

Important nuance: "Targeted advertising" under many state laws is defined as cross-context behavioral advertising β€” ads based on your activity across different, non-affiliated sites and services. This is distinct from "contextual advertising" (ads based on the content of the page you're currently reading), which is typically not covered by opt-out rights.

4. Opt Out of Profiling in Automated Decision-Making

Definition: The right to opt out of having your data processed by automated systems to make β€” or contribute to β€” significant decisions about you, such as creditworthiness, employment eligibility, housing, insurance, or access to services.

This is one of the newer and most powerful opt-out rights, established by California's CPRA and similar provisions in Colorado, Connecticut, and other states. It's modeled on GDPR Article 22, which gives Europeans the right not to be subject to purely automated decisions.

What decisions this covers: Credit scoring, job screening algorithms, insurance pricing models, loan applications, and other "significant decisions" made by algorithms about your life. The exact definition varies by state.

What it does NOT typically cover: Fraud detection, security systems, decisions where a human makes the final call after reviewing AI output, or decisions that benefit you.

5. Right to Limit Use of Sensitive Personal Information

Definition (California-specific): California's CPRA created a separate "right to limit" (distinct from opt-out) that lets consumers restrict how businesses use their sensitive personal information (SPI) to only what's necessary to provide the requested service.

Sensitive personal information includes: Social Security numbers, precise geolocation, racial/ethnic origin, religious beliefs, health data, sexual orientation, and biometric data. Unlike the opt-out rights above, this right doesn't let you completely prohibit use β€” it lets you restrict use to a narrower set of legitimate purposes.

Other states handle sensitive data differently β€” most require explicit opt-in consent before processing sensitive data at all, rather than giving a right to limit after the fact.

How to Know Which Rights Apply to You

Your rights depend on which state you live in. Here's a quick summary:

California residents have the most comprehensive opt-out rights: opt-out of sale, opt-out of sharing, opt-out of targeted advertising, opt-out of automated profiling, and the right to limit use of sensitive data.

Virginia, Colorado, Connecticut, Texas, Montana, Oregon, Delaware, Iowa, New Hampshire, Nebraska, New Jersey, and most other states with active privacy laws provide: opt-out of sale, opt-out of targeted advertising, and opt-out of profiling in consequential decisions.

States without comprehensive privacy laws (Alabama, Georgia, Ohio, Pennsylvania, etc.) generally have no state-level opt-out rights, though some federal laws (like HIPAA for health data and COPPA for children's data) still apply.

Use our Opt-Out Guide to get a personalized summary of the rights that apply to you based on your state of residence.

In This Article

Related Articles

πŸ” What Is Opt-Out? πŸ“œ CCPA vs CPRA πŸ•΅οΈ Data Brokers 🌐 GPC Guide

Your State's Law

🌴 California πŸ›οΈ Virginia πŸ—ΊοΈ All States β†’