
The liability in your privacy program: incomplete opt-out compliance

Disconnected privacy tools create regulatory risks. Discover how connecting your consent management platform and DSR systems ensures complete opt-out compliance.
Last updated: March 18, 2025

An enforcement risk you can’t afford to ignore

Modern privacy laws share a fundamental principle: businesses must respect consumer choices about how their personal data is used and shared. CCPA's "Do Not Sell" requirement is perhaps the best-known example of this principle in action. Any business operating in California must be able to respect a consumer’s preference to opt out of data sharing and selling.

Unfortunately, I’ve observed that in practice, many companies are only partially enforcing consumer opt-outs. While a “Do Not Sell” button and webform is a good start, it fails when the consumer submission doesn’t connect to every system and place where their data is being used for advertising and sales purposes. 

Recent regulatory enforcement activity, especially in the United States, shows us that privacy regulators are hyper-focused on opt-out compliance. It’s a target of every investigation, most recently obvious in the California Attorney General’s order against Honda. 

It’s never been more important for privacy program owners to ensure comprehensive compliance with consumer opt-out requests. Keep reading to understand: 

  • What "Do Not Sell" means in practical terms
  • The common mistake—disconnected consent management and data subject rights tools 
  • How to get a comprehensive solution in place, quickly 

What “opt out of sale” means in practice 

Modern privacy regulations include provisions that give consumers control over how businesses use their personal data. California's "Do Not Sell" was the first and best known. States including Colorado, Virginia, Texas, and Montana have all followed with similar "opt out of sale" rights for data sales, targeted advertising, and profiling.

When a consumer exercises these opt-out rights, businesses must take two specific actions:

  1. Record and store the consumer's choice to opt out. You need to maintain a record of their choice with sufficient identifying information to enforce it across all your systems and data flows.
  2. Implement this choice across your entire data ecosystem. This means stopping all advertising and marketing activities that involve the consumer's data—period. This includes:
    • Website cookies, pixels, trackers, and all client-side advertising technologies
    • Backend database operations that generate segments for marketing campaigns based on email identifiers
    • Data transfers to ad networks, data brokers, and marketing partners
    • Personalized advertising across all channels (web, mobile, email)
    • Customer loyalty program data used for targeted promotions

Most companies attempt to address these requirements by creating an opt-out webform on their privacy page. A consumer fills it out, submits their email address, and expects their opt-out to be in effect. But here's the problem: if you're like most companies, that webform operates in isolation from your CMP.

Your privacy tools aren't talking to each other

Here's where things break down. Most companies use separate products, or even separate vendors, for two distinct, consumer-facing privacy functions: 

  1. Consent and Preference Management. Also known as a consent management platform (CMP) or cookie banner. You likely know this as the pop-up banner that surfaces to your website visitors, asking them to opt-in or reject data sharing permissions. These are permissions related to the cookies, tags, and trackers that fire on your website, for purposes of data use like advertising and analytics.

  2. Data Subject Rights Requests. A Data Subject Rights (DSR) product processes consumer requests for data access, deletion, or correction. Many businesses use their DSR product to create a webform for consumers to submit Do Not Sell requests. Depending on the product (and business) sophistication, DSR product implementations range from a simple webform and queue of requests to be completed, to integration with backend systems so requests can be automatically processed with minimal stakeholder involvement. 

CMP and DSR products manage different aspects of your consumers’ data. In most businesses, they don't communicate with each other. This creates critical gaps in Do Not Sell and opt out of sale compliance: 

  • When someone opts out via your CMP's consent banner, their website tracking might stop, but their data in your CRM or email marketing system remains unaffected. CMPs typically control client-side technologies (cookies, pixels, tags) but don't reach server-side data processing or backend systems where much personal data resides.
  • When a consumer opts out via your DSR form, their email-identified data in backend systems might be properly flagged, but their browser-based tracking continues without impact. Most DSR systems have no direct connection to the cookies, pixels, and trackers that power advertising on your website, so those advertising technologies (your Facebook pixels, Google remarketing tags, and other tracking scripts) continue operating unless manually disabled.

Either way, you're only partially honoring their Do Not Sell request.

Regulatory requirements, now and in the future

Not only does a partial approach fail to respect the consumer’s request, it creates significant regulatory compliance risks:

  • Regulators expect symmetry of choice. Privacy regulators have made it clear they expect the opt-out process to be just as simple as opting in. If consumers have to complete actions in multiple places (like submitting a form AND adjusting cookie preferences), you're creating an asymmetric burden that violates regulatory expectations.
  • "Too many steps" is a common enforcement trigger. Recent enforcement actions have specifically targeted companies that require consumers to take multiple steps to effectuate their opt-out choices. Regulators view this as an unnecessary obstacle to exercising privacy rights.
  • The Honda order indicates regulators won’t tolerate disjointed opt-outs. The March 2025 Honda case made one thing clear: regulators expect opt-out processes to be frictionless. In that case, the CPPA took issue with how easy it was to opt in compared to opting out—and they specifically called out businesses that require consumers to take extra steps, like visiting multiple pages, just to fully opt out. 
  • Disconnected privacy tools are a technical failure, not an inevitability. We know it’s possible to sync a consumer’s opt-out choice across systems automatically—it’s just that many privacy tech vendors haven’t solved the problem yet. It’s only a matter of time until regulators catch on. If your implementation forces someone to manually adjust their settings in multiple places just to fully opt out of data sales, you’re allowing an asymmetrical, non-compliant process.

Neither tool can do the job alone

You might be wondering: "I have a CMP. Is it possible to just use my CMP for everything?" This seems logical on the surface, but it fails to address a fundamental challenge: identity resolution.

The identity problem

When people interact with CMPs, they’re almost always in an anonymous context. Your CMP recognizes them via browser cookies or device identifiers—not by their email address or customer ID. This creates a major gap: the data you have in backend systems (CRM, email lists, loyalty programs) isn’t connected to their website interactions. Now, some businesses try to patch this by modifying their CMP to collect email addresses—but this creates bigger problems:

  • An open text field on a cookie banner means anyone could enter anyone else's email address, potentially changing settings for other users (as seen in the CCPA Honda enforcement, identity verification is not required for processing a Do Not Sell request).
  • It adds unnecessary complexity. CMPs aren’t designed to manage backend identity data—forcing them to do so creates a high-friction process that bloats your tech stack.

Many companies try to work around this by putting a "Your Privacy Choices" link in their website footer, triggering the cookie banner to manage opt-outs. This makes sense—it allows the CMP to control which advertising services can load and collect data. But the problem? It only works for cookie-based identifiers.

If your business operates like most, your consumer data footprint extends far beyond cookies. You have subscribers, registered users, and customers with data tied to real-world identities. When someone toggles off tracking in a CMP, that CMP has no knowledge of their email address, account ID, or other persistent identifiers—meaning the opt-out is incomplete.

At Ketch, we solve this problem more effectively than any other CMP through our identity management framework. But that’s not the point here. Even in the most ideal circumstances, there are cases where a customer would NEED to provide their email address directly to the platform to comprehensively opt the individual out of sales. 

The key takeaway? No single tool can handle everything. A CMP alone won’t suffice, and a DSR system alone won’t either. The only way to ensure compliance is a well-integrated approach that connects the two.

Observed best practices

At Ketch, we've walked this journey with hundreds of customers. In fact, at various points in our own development, we thought the solution could be entirely managed on either CMP or DSR alone. 

After supporting numerous customer implementations with substantial outside counsel budgets, it became clear that offering two interconnected approaches for Do Not Sell support with tight integration between them made the best impression on regulators with whom our customers were engaging.

That insight shaped how we built our solution. Our standard approach is as follows:

  1. CMP "cookie banners" that clearly offer Do Not Sell options, with links to applicable forms for consumers who want more comprehensive coverage. This covers all "anonymous" users who want a quick and frictionless opt-out experience. Your opt-out flow should make it clear that some forms of tracking (like cookies) can be controlled instantly, while others (like email-based marketing) require additional steps.
  2. DSR intake forms that automatically communicate with CMP toggles to control applicable advertising behavior (tags, pixels, etc.) through the CMP product. This ensures complete coverage across both anonymous and identified contexts. Consumers can provide an email address or other relevant identifier, so their choice applies across both anonymous web tracking and backend marketing databases.

This integrated approach satisfies both the letter and spirit of the law: providing the frictionless, immediate opt-out experience and the comprehensive data protection that consumers and regulators expect.
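The integration described above can be reduced to one shared record of choice that both intake paths write to and both enforcement points read from. The sketch below is an added example, not Ketch's implementation or code from the original article; the surface names, `OptOutLedger`, `coverage_gaps` and the sample identifiers are all hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical enforcement surfaces, named after the page's two contexts.
CLIENT_SIDE = frozenset({"ad_pixels", "remarketing_tags"})  # keyed by browser ID
BACKEND = frozenset({"crm_segments", "email_marketing", "partner_transfers"})  # keyed by email

@dataclass
class OptOut:
    browser_ids: set = field(default_factory=set)
    emails: set = field(default_factory=set)

def _norm(email):
    return email.strip().lower() if email else None

class OptOutLedger:
    """One record of choice, written by both the CMP banner and the DSR form."""
    def __init__(self):
        self.records = []

    def record(self, browser_id=None, email=None):
        if not browser_id and not email:
            raise ValueError("an opt-out needs at least one identifier")
        email, merged, keep = _norm(email), OptOut(), []
        for r in self.records:
            # Fold in every earlier record that shares an identifier, so a
            # banner opt-out and a later form submission become one choice.
            if browser_id in r.browser_ids or email in r.emails:
                merged.browser_ids |= r.browser_ids
                merged.emails |= r.emails
            else:
                keep.append(r)
        if browser_id:
            merged.browser_ids.add(browser_id)
        if email:
            merged.emails.add(email)
        self.records = keep + [merged]
        return merged

    def suppressed(self, browser_id=None, email=None):
        """True if advertising use must stop for either identifier."""
        email = _norm(email)
        return any(browser_id in r.browser_ids or email in r.emails
                   for r in self.records)

def coverage_gaps(opt_out):
    """Surfaces this opt-out cannot reach with the identifiers it holds."""
    gaps = set()
    if not opt_out.browser_ids:
        gaps |= CLIENT_SIDE
    if not opt_out.emails:
        gaps |= BACKEND
    return gaps
```

A banner-only opt-out leaves every backend surface in `coverage_gaps`, and the gap closes once the DSR form submits the email together with the browser identifier from the same session. The ledger only ever adds suppression, so an unverified email typed into a form can stop advertising use for that address but cannot switch it back on.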

Don't leave Do Not Sell half-implemented

The "Do Not Sell My Personal Information" requirement represents one of the most visible aspects of modern privacy compliance—and one where implementation gaps create both consumer frustration and regulatory risk.

The bottom line: If your opt-out experiences across banners and webforms aren't talking to each other, you're only half-compliant with Do Not Sell requirements. A truly integrated approach connecting your CMP and DSR systems delivers immediate enforcement, comprehensive compliance, and a seamless consumer experience—three critical components that regulators increasingly demand.

In today's heightened privacy enforcement landscape, that's a risk no business should take.

Need help building an integrated Do Not Sell compliance solution? Talk with our team today to learn how we can help connect your privacy tools for comprehensive compliance.

Published: March 17, 2025
