synthrek

CCPA 'Do Not Sell or Share' for SaaS that uses ad-tech retargeting — when it applies to indie apps

What CCPA / CPRA's right to opt out of sale or sharing means for a small SaaS that runs Meta retargeting, Google Ads, or affiliate tracking — with cautious wording on when the link is required.

Risk confidence: low. Published May 16, 2026.
Educational content, not legal advice. Consult counsel for production policies. Sample wording is a starting point; review the official requirement before publishing.
Sources: S-005, S-019, S-020, S-021

CCPA (now amended by CPRA) gives California residents the right to opt out of the sale or sharing of their personal information. The “Do Not Sell or Share My Personal Information” link — most often shown in the footer — is the mechanism. The question for indie SaaS is when the link is actually required.

The primary sources are California Civil Code §§ 1798.100 et seq. (accessed 2026-05-25) and the California Privacy Protection Agency’s regulations (accessed 2026-05-25).

Confidence: low. California’s regulator has been actively interpreting what counts as “selling” and “sharing” of personal information, especially the cross-context behavioral advertising definition added by CPRA. The details below are a starting point. Verify against current CPPA guidance and counsel before publishing.

TLDR

You typically need a “Do Not Sell or Share My Personal Information” link if any of the following is true:

  • Your app shows ads served by third-party ad networks (e.g., a Meta or Google Ads pixel that fires for non-ad-blocking visitors).
  • Your app loads a cross-site tracking script (retargeting pixels, affiliate trackers) that builds a profile across other sites.
  • You transfer personal data to a third party that uses it for their own purposes — including, in many readings, providing the data to a marketing partner.

You typically don’t need the link if all of the following are true:

  • You use processors only (Stripe, Supabase, PostHog without cross-context ads), each acting on your instructions under a DPA.
  • You don’t run advertising pixels or retargeting scripts.
  • You don’t share data with third parties for their own purposes.

Even when the link isn’t strictly required, many indie apps include the link plus a CCPA notice block in the footer — it’s a low-cost signal that the policy was reviewed.

“Sale” vs “Sharing”

CPRA introduced “sharing” as a distinct concept. The definition is roughly:

  • Sale — disclosing personal information for monetary or other valuable consideration. Includes data brokers but also, in some readings, ad networks paid per click.
  • Sharing — disclosing personal information for cross-context behavioral advertising, even when no money changes hands.

Most indie SaaS doesn’t sell data in the colloquial sense — but if the app runs a Meta pixel or a Google Ads tag, the sharing definition is the one that bites.

  1. List every third-party script that fires on your pages. Look for ad tags, retargeting pixels, affiliate trackers.
  2. For each script, ask: does this third party use the data for its own advertising? A Meta pixel: yes. A Google Ads tag: yes. Stripe.js fraud prevention: no. PostHog product analytics: not by default.
  3. If yes to any: the “Do Not Sell or Share” link is typically required for California traffic.
  4. If no to all: the link isn’t strictly required, but many policies still include a CCPA notice block.

Per the CPPA regulations (accessed 2026-05-25):

  • Clear and conspicuous footer link titled “Do Not Sell or Share My Personal Information” or similar.
  • Linked to a page that lets the user submit the opt-out without creating an account.
  • Honor Global Privacy Control (GPC) signals automatically — if the browser sends GPC, you treat the user as opted out without requiring the click.
  • Don’t re-share data with ad networks for that user once opted out.

The most common implementation is a settings page that toggles a consent flag in your back end and ensures the relevant ad scripts don’t fire.
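One way to wire that consent flag, together with the GPC signal, into the decision about which scripts may load. This is an added example, not code from the original page; the tag ids, function names and request shape are assumptions. It also addresses the two mistakes below of having a link that does not change behaviour and of ignoring GPC.

```javascript
// Added example, not code from the original page: gate cross-context ad
// scripts on a stored "Do Not Sell or Share" flag *and* on the Global
// Privacy Control signal. Function and tag names are hypothetical.

// Tags that "share" data for cross-context behavioral advertising. Processor
// scripts (payments, product analytics) are not listed and load regardless.
const SHARING_TAGS = ["meta-pixel", "google-ads-tag", "affiliate-tracker"];

// GPC arrives as the request header "Sec-GPC: 1" on the server, or as
// navigator.globalPrivacyControl === true in the browser. Header names are
// case-insensitive, so match them case-insensitively.
function gpcSignalled({ headers = {}, nav = null } = {}) {
  const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === "sec-gpc");
  if (hit && String(hit[1]).trim() === "1") return true;
  return nav !== null && nav.globalPrivacyControl === true;
}

// user: { optedOut: boolean } from the back-end consent flag, or null when
// the visitor is anonymous. Returns the effective decision and the reason so
// the outcome can be audit-logged; a GPC signal needs no click to count.
function adSharingDecision({ headers = {}, nav = null, user = null }) {
  if (gpcSignalled({ headers, nav })) {
    return { allowSharing: false, reason: "gpc" };
  }
  if (user && user.optedOut === true) {
    return { allowSharing: false, reason: "opt-out-flag" };
  }
  return { allowSharing: true, reason: "no-opt-out" };
}

// Filter the page's tag list down to what may actually load. This is the
// step that makes the footer link change behaviour rather than only exist.
function allowedTags(allTags, decision) {
  if (decision.allowSharing) return [...allTags];
  return allTags.filter((tag) => !SHARING_TAGS.includes(tag));
}

// Constructed sample request: a logged-in user who never clicked the link,
// but whose browser sends GPC. The Meta pixel must not fire.
const sample = adSharingDecision({
  headers: { "Sec-GPC": "1", "User-Agent": "constructed" },
  user: { optedOut: false },
});
console.log(sample, allowedTags(["stripe-js", "meta-pixel", "posthog"], sample));
```

For a logged-in user the `gpc` outcome is also a good moment to persist the opt-out flag, so the choice survives a browser without GPC.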

Common mistakes

  • Adding the link but not actually honoring it. California has begun enforcement actions against companies whose link doesn’t change behavior.
  • Ignoring GPC. Browser GPC signals are explicitly recognized by CCPA’s regulations. If you accept the click-through opt-out but ignore GPC, you’re likely not compliant.
  • Mistaking “necessary processors” for “third-party sharing”. Stripe processing your payments is not “sharing” for cross-context advertising; Google Ads is.

A minimal CCPA block (example wording)

California residents — Notice at Collection

We collect the following categories of personal information from you when you
use [app name]:
- Identifiers (email, user ID)
- Customer records (account profile, billing address)
- Commercial information (purchase history)
- Internet activity (app usage events)
- Geolocation (approximate, derived from IP)

We use this information for [list purposes]. We do not sell personal
information for money. We may share personal information with the following
third parties for cross-context behavioral advertising, if you have not opted
out: [list each]. To opt out, click "Do Not Sell or Share My Personal
Information" in the footer. We also honor the Global Privacy Control browser
signal.

This is example wording — adapt to the categories your app actually collects, and confirm against the current regulations.

FAQ

Does CCPA apply to my small app? CCPA’s thresholds apply to businesses meeting any of: $25M+ annual revenue, processing data on 100,000+ California residents, or deriving 50%+ of revenue from selling/sharing personal information. Many indie apps don’t meet those thresholds — but if you operate primarily online and have California users, counsel often recommends complying by default. The thresholds and their interpretation are part of the current CPPA regulations (accessed 2026-05-25).

Do I need a separate California-only page? A “Notice at Collection” block in the main privacy policy is typically enough, alongside the footer link. Some larger apps publish a separate California Privacy Notice; for indie scale, an integrated section is usually fine.

Does GDPR coverage cover CCPA? GDPR and CCPA overlap but are not identical. A GDPR-tuned policy needs CCPA sections added — disclosure of sale/sharing, opt-out link, GPC honoring, and the consumer-rights workflow.


Sources cited

S-005, S-019, S-020, S-021. Each source row is listed in the full disclosure matrix.

Useful next step

Open the Indie App Privacy Disclosure Matrix for a side-by-side view of which platforms expect which disclosures for the services in your stack.