
Modern privacy laws share a fundamental principle: businesses must respect consumer choices about how their personal data is used and shared. CCPA's "Do Not Sell" requirement is perhaps the best-known example of this principle in action. Any business operating in California must be able to respect a consumer’s preference to opt out of data sharing and selling.
Unfortunately, I’ve observed that in practice, many companies are only partially enforcing consumer opt-outs. While a “Do Not Sell” button and webform is a good start, it fails when the consumer submission doesn’t connect to every system and place where their data is being used for advertising and sales purposes.
Recent regulatory enforcement activity, especially in the United States, shows us that privacy regulators are hyper-focused on opt-out compliance. It’s a target of every investigation, most recently obvious in the California Attorney General’s order against Honda.
It’s never been more important for privacy program owners to ensure comprehensive compliance with consumer opt-out requests. Keep reading to understand:
Modern privacy regulations include provisions that give consumers control over how businesses use their personal data. California's "Do Not Sell" was the first and most well-known. States including Colorado, Virginia, Texas, and Montana have all followed with similar "opt out of sale" rights for data sales, targeted advertising, and profiling.
When a consumer exercises these opt-out rights, businesses must take two specific actions:
Most companies attempt to address these requirements by creating an opt-out webform on their privacy page. A consumer fills it out, submits their email address, and expects their opt-out to be in effect. But here's the problem: if you're like most companies, that webform operates in isolation from your CMP.
Here's where things break down. Most companies use separate products, or even separate vendors, for two distinct, consumer-facing privacy functions:
CMP and DSR products manage different aspects of your consumers’ data. In most businesses, they don't communicate with each other. This creates critical gaps in Do Not Sell and opt out of sale compliance:
Either way, you're only partially honoring their Do Not Sell request.
Not only does a partial approach fail to respect the consumer’s request, it creates significant regulatory compliance risks:
You might be wondering: "I have a CMP. Is it possible to just use my CMP for everything?" This seems logical on the surface, but it fails to address a fundamental challenge: identity resolution.
When people interact with CMPs, they’re almost always in an anonymous context. Your CMP recognizes them via browser cookies or device identifiers—not by their email address or customer ID. This creates a major gap: the data you have in backend systems (CRM, email lists, loyalty programs) isn’t connected to their website interactions. Now, some businesses try to patch this by modifying their CMP to collect email addresses—but this creates bigger problems:
Many companies try to work around this by putting a "Your Privacy Choices" link in their website footer, triggering the cookie banner to manage opt-outs. This makes sense—it allows the CMP to control which advertising services can load and collect data. But the problem? It only works for cookie-based identifiers.
If your business operates like most, your consumer data footprint extends far beyond cookies. You have subscribers, registered users, and customers with data tied to real-world identities. When someone toggles off tracking in a CMP, that CMP has no knowledge of their email address, account ID, or other persistent identifiers—meaning the opt-out is incomplete.
At Ketch, we solve this problem more effectively than any other CMP through our identity management framework. But that’s not the point here. Even in the most ideal circumstances, there are cases where a customer would NEED to provide their email address directly to the platform to comprehensively opt the individual out of sales.
The key takeaway? No single tool can handle everything. A CMP alone won’t suffice, and a DSR system alone won’t either. The only way to ensure compliance is a well-integrated approach that connects the two.
At Ketch, we've walked this journey with hundreds of customers. In fact, at various points in our own development, we thought the solution could be entirely managed on either CMP or DSR alone.
After supporting numerous customer implementations with substantial outside counsel budgets, it became clear that offering two interconnected approaches for Do Not Sell support with tight integration between them made the best impression on regulators with whom our customers were engaging.
That insight shaped how we built our solution. Our standard approach is as follows:
This integrated approach satisfies both the letter and spirit of the law: providing the frictionless, immediate opt-out experience and the comprehensive data protection that consumers and regulators expect.
The "Do Not Sell My Personal Information" requirement represents one of the most visible aspects of modern privacy compliance—and one where implementation gaps create both consumer frustration and regulatory risk.
The bottom line: If your opt-out experiences across banners and webforms aren't talking to each other, you're only half-compliant with Do Not Sell requirements. A truly integrated approach connecting your CMP and DSR systems delivers immediate enforcement, comprehensive compliance, and a seamless consumer experience—three critical components that regulators increasingly demand.
In today's heightened privacy enforcement landscape, that's a risk no business should take.
Need help building an integrated Do Not Sell compliance solution? Talk with our team today to learn how we can help connect your privacy tools for comprehensive compliance.